Old 02-14-2001, 03:03 PM   #1
LQ Newbie
Registered: Feb 2001
Location: Eastern IL Univ, Charleston, IL
Posts: 11


I'm running SuSE 6.4, and in my logs I noticed some entries like this:


instead of a regular syslog entry. I have also noticed a remote connection to my X server by nobody@nowhere.

I am running a firewall, and as far as I know, the only items allowed through are ftp-data and DNS.

Am I missing something? Or do I need to do something to secure a port I don't have secure? This machine is a workstation on a mainly windows network, so that is the reason I am running X (gnome) on it.

I am willing to dig and/or get my hands dirty here...
Old 02-14-2001, 05:06 PM   #2
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 11,337

By default syslogd will print --MARK-- every 20 minutes. This is so you know it hasn't died. If you do not want this then start syslogd with a -m0.
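
The liveness check that the mark lines make possible, as an added example that is not part of the original thread: with marks enabled, any gap between consecutive log lines longer than the mark interval means syslogd was not writing (stopped, or lines were removed). The sample log, host name, `year` parameter and slack value are constructed assumptions; the 20-minute interval comes from the reply above.

```python
import re
from datetime import datetime, timedelta

# Matches the mark line with or without inner spaces ("--MARK--" / "-- MARK --").
MARK_RE = re.compile(r"--\s*MARK\s*--")

# Constructed sample in classic syslog layout; host and messages are made up.
SAMPLE_LOG = """\
Feb 14 12:03:11 ws1 -- MARK --
Feb 14 12:23:11 ws1 -- MARK --
Feb 14 12:31:40 ws1 daemon: constructed message
Feb 14 12:43:11 ws1 -- MARK --
Feb 14 14:05:52 ws1 daemon: constructed message
Feb 14 14:25:52 ws1 -- MARK --
""".splitlines()

def parse_ts(line, year):
    """Parse the 'Mon DD HH:MM:SS' prefix; classic syslog lines carry no year."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None  # not a timestamped line, skip it

def audit_marks(lines, year, interval_min=20, slack_sec=90):
    """Return (mark_count, gaps); gaps are (last_seen, next_seen) pairs."""
    limit = timedelta(minutes=interval_min, seconds=slack_sec)
    marks, gaps, prev = 0, [], None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if MARK_RE.search(line):
            marks += 1
        # Any silence longer than one mark interval means nothing was logged.
        if prev is not None and ts - prev > limit:
            gaps.append((prev, ts))
        prev = ts
    return marks, gaps

if __name__ == "__main__":
    marks, gaps = audit_marks(SAMPLE_LOG, year=2001)
    print(f"{marks} mark lines seen")
    for start, end in gaps:
        print(f"no log output from {start} to {end} ({end - start})")
```

A mark count of zero means marks are disabled (for example with `-m0`), in which case quiet periods are expected and the gap list says nothing about whether syslogd was running.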
Old 02-14-2001, 10:57 PM   #3
LQ Newbie
Registered: Feb 2001
Location: Eastern IL Univ, Charleston, IL
Posts: 11

Original Poster
Yep, checked it out on my server here at home, and there's a bunch of --MARK--'s

Now, what kind of processes su to root from user nobody? My server here at home has them as well, and I *know* that it can't have gotten hacked - internal network. That was the part that really had me worried. (Or is there still a possibility that I was hacked?)

What started it all was that just before I got my firewall up and running, I couldn't log on to the system through gdm. If I took it off the network and rebooted, everything was fine. So I made sure the firewall was online and changed my password to something long and difficult to crack (although, being on a T1 at work makes it kind of easy for someone with enough time). That fixed the problem, but I noticed this stuff from "nobody", even though nobody has a /bin/false login shell.
Old 02-15-2001, 04:00 PM   #4
LQ Newbie
Registered: Jan 2001
Posts: 13

re: nobody

the user nobody is usually apache and its processes; it runs as the user "nobody" so it doesn't have to run as root, but it still needs root access. (I think) (:

