LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-14-2001, 02:03 PM   #1
sbscomp
LQ Newbie
 
Registered: Feb 2001
Location: Eastern IL Univ, Charleston, IL
Posts: 11

Rep: Reputation: 0

I'm running SuSE 6.4, and in my logs I noticed some entries like this:

MACHINE: --MARK--

instead of a regular syslog entry. I have also noticed a remote connection to my X server by nobody@nowhere.

I am running a firewall, and as far as I know, the only items allowed through are ftp-data and DNS.

Am I missing something? Or do I need to do something to secure a port I don't have secure? This machine is a workstation on a mainly windows network, so that is the reason I am running X (gnome) on it.

I am willing to dig and/or get my hands dirty here...
 
Old 02-14-2001, 04:06 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,390

Rep: Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626Reputation: 2626
By default syslogd will print --MARK-- every 20 minutes. This is so you know it hasn't died. If you do not want this then start syslogd with a -m0.
 
Old 02-14-2001, 09:57 PM   #3
sbscomp
LQ Newbie
 
Registered: Feb 2001
Location: Eastern IL Univ, Charleston, IL
Posts: 11

Original Poster
Rep: Reputation: 0
Yep, checked it out on my server here at home, and there's a bunch of --MARK--'s

Now, what kind of processes su to root from user nobody. My server here at home has them as well, and I *know* that it can't have gotten hacked - internal network. That was the part that really had me worried. (Or is there still a possibility that I was hacked?)

What started it all was that just before I got my firewall up and running, I couldn't log on to the system through gdm. If I took it off the network and rebooted, everything was fine. So I made sure the firewall was online and changed my password to something long and difficult to crack (although, being on a T1 at work makes it kind of easy for someone with enough time). That fixed the problem, but I noticed this stuff from "nobody", even though nobody has a /bin/false login shell.
 
Old 02-15-2001, 03:00 PM   #4
cawaker
LQ Newbie
 
Registered: Jan 2001
Posts: 13

Rep: Reputation: 0
re: nobody

the user nobody is usually apache and its processes it runs as the user "nobody" so it doesnt have to run as root, but it still need root access.(i think)(:
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
hack,,, apenguinlinux General 4 02-22-2005 10:13 AM
hack,, apenguinlinux General 5 02-22-2005 09:40 AM
hack ?help me !! liumang Linux - Security 10 11-28-2004 04:21 AM
what the hack is this? doublefailure Linux - Security 13 04-24-2003 12:23 PM
hack ? spooge Linux - Security 4 01-21-2003 11:54 AM


All times are GMT -5. The time now is 09:59 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration