Two lines from my auth.log:
May 22 06:25:01 element04 su: + ??? root:nobody
May 22 06:25:01 element04 su: (pam_unix) session opened for user nobody by (uid=0)
What does this mean? Could this be something normal? Is it definitely a hack? What can someone do if they are user "nobody"?
Also, looking at the /etc/passwd file, I notice that nobody has a shell - /bin/sh. There doesn't seem to be a /sbin/nologin on this machine, what can I use instead?
running Debian 3.1