LinuxQuestions.org

Linux - Security: SU entries in log
https://www.linuxquestions.org/questions/linux-security-4/su-entries-in-log-561487/

censanian 06-13-2007 09:41 AM

SU entries in log
 
In my system log I'm seeing entries like this:


process: SU
message: "pam_unix2: session started for user cyrus, service su"

and

process: SU
message: "pam_unix2: session started for user nobody, service su"


I have no idea where these usernames are coming from; I did not create them, and I do not see them in my list of users/groups in YaST. Am I being hacked? Are these system processes? Thanks for any help!

{BBI}Nexus{BBI} 06-13-2007 11:52 AM

Quote:

Originally Posted by censanian
In my system log I'm seeing entries like this:


process: SU
message: "pam_unix2: session started for user cyrus, service su"

and

process: SU
message: "pam_unix2: session started for user nobody, service su"


I have no idea where these usernames are coming from; I did not create them, and I do not see them in my list of users/groups in YaST. Am I being hacked? Are these system processes? Thanks for any help!

They could possibly be system processes. Use a process manager (like KDE System Guard if you are running KDE) to view all processes and who or what is running them. You can also use top in a console to view system processes.

redgoblin 06-14-2007 02:47 AM

When you say system log, which one are you referring to? If you're using YaST then I guess you're on SUSE, which I don't know so well.

But to help you out, Cyrus is a mail and IMAP server. Do you know if you have that installed/running?

The user 'nobody' is commonly created by services that need to provide restricted access to outsiders. It's quite common for it to be set up by FTP servers and the like.

Try running:

Code:

cat /var/log/auth.log|grep nobody
as root to see what the user nobody has been up to.

censanian 06-14-2007 07:54 AM

Thanks for the replies!!! I used 'top' to see if those users were doing anything, and they weren't.

I tried the "cat /var/log/auth.log|grep nobody" but that log doesn't exist.

Yes, I'm running SUSE Linux 9.3.

I'm checking into the Cyrus stuff.

thanks again!

Capt_Caveman 06-16-2007 08:40 PM

Also check your logs for cron jobs run around that time. Some types of cron activity will need admin privileges and it will automatically add or drop privileges as necessary.
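The two checks suggested in the replies above (redgoblin's grep for what a given user has been up to, and Capt_Caveman's look for cron jobs running at the same time) carried out as one added shell script. This is example code written for this page, not anything posted in the thread or shipped with SUSE. It reads a syslog-style file and a passwd file given as arguments, so on SUSE 9.3 you would point it at /var/log/messages (auth.log does not exist there, as censanian found) and /etc/passwd. The log excerpt and passwd excerpt below are constructed, and the cron syslog tag it matches ("cron[pid]: (root) CMD (...)") is an assumption about the log format. A root cron job that runs "su user -c command" produces exactly the pam_unix2 "session started ... service su" line in the question, so an su session that lands within a few seconds of a cron CMD line is almost always that; an su session with no cron neighbour, or to a user that is not in passwd at all, is the one to chase.

```sh
#!/bin/sh
# Added example (not from the thread or from SUSE): triage pam_unix2
# "service su" session lines by target user, check each target against
# passwd, and correlate each su session with the nearest preceding cron job.
# Log and passwd excerpts below are constructed for this example.

SAMPLE_LOG=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_PASSWD"' EXIT

# Constructed /var/log/messages excerpt in the format censanian posted.
# The cron tag ("/usr/sbin/cron[pid]: (root) CMD (...)") is assumed.
cat >"$SAMPLE_LOG" <<'EOF'
Jun 13 04:00:01 box /usr/sbin/cron[4411]: (root) CMD (/usr/bin/cyrus-cron.sh)
Jun 13 04:00:01 box su: pam_unix2: session started for user cyrus, service su
Jun 13 04:00:03 box su: pam_unix2: session finished for user cyrus, service su
Jun 13 04:15:01 box /usr/sbin/cron[4420]: (root) CMD (/usr/lib/cron/run-crons)
Jun 13 04:15:02 box su: pam_unix2: session started for user nobody, service su
Jun 13 04:15:02 box su: pam_unix2: session finished for user nobody, service su
Jun 13 05:00:01 box /usr/sbin/cron[4502]: (root) CMD (/usr/bin/cyrus-cron.sh)
Jun 13 05:00:01 box su: pam_unix2: session started for user cyrus, service su
Jun 13 09:41:12 box su: pam_unix2: session started for user root, service su
Jun 13 22:13:40 box su: pam_unix2: session started for user tmpuser, service su
EOF

# Constructed /etc/passwd excerpt (use the real file on a live system).
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
cyrus:x:96:12:User for cyrus-imapd:/var/lib/imap:/bin/bash
EOF

# Pattern for an su session start; the target user sits between
# "for user " and the following comma.
SU_START='pam_unix2: session started for user .*, service su'

# su_counts LOG: one "user count" line per su target user, sorted by user.
su_counts() {
    awk -v pat="$SU_START" '$0 ~ pat {
            u = $0; sub(/.*session started for user /, "", u); sub(/,.*/, "", u)
            n[u]++
        }
        END { for (u in n) print u, n[u] }' "$1" | sort
}

# su_unknown_users LOG PASSWD: su targets with no passwd entry. An account
# that is switched to but does not exist in passwd deserves a close look.
su_unknown_users() {
    su_counts "$1" | awk -v pw="$2" '
        BEGIN { while ((getline l < pw) > 0) { split(l, f, ":"); known[f[1]] = 1 } }
        !($1 in known) { print $1 }'
}

# su_cron_correlation LOG [WINDOW]: for every su session start, report whether
# a cron CMD line was logged within WINDOW seconds (default 5) before it.
# Times are compared as seconds-of-day, so feed it one day's worth of log.
su_cron_correlation() {
    awk -v pat="$SU_START" -v win="${2:-5}" '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /[Cc][Rr][Oo][Nn]\[[0-9]+\]: \(.*\) CMD \(/ {
            havecron = 1; lastcron = secs($3)
            lastcmd = $0; sub(/.*CMD /, "", lastcmd)
        }
        $0 ~ pat {
            u = $0; sub(/.*session started for user /, "", u); sub(/,.*/, "", u)
            d = secs($3) - lastcron
            if (havecron && d >= 0 && d <= win) print $3, u, "cron", lastcmd
            else                               print $3, u, "nocron"
        }' "$1"
}

echo "== su sessions per target user =="
su_counts "$SAMPLE_LOG"
echo "== su targets missing from passwd =="
su_unknown_users "$SAMPLE_LOG" "$SAMPLE_PASSWD"
echo "== su sessions vs. preceding cron job (5 s window) =="
su_cron_correlation "$SAMPLE_LOG" 5
```

On the constructed data the cyrus and nobody sessions sit one second or less after a cron CMD line and are reported as "cron" with the command that triggered them; the root session at 09:41:12 and the session for tmpuser (which is not in the passwd excerpt) come out as "nocron", which is where a human explanation is needed. Replace the two sample files with /var/log/messages and /etc/passwd to run it for real; the window argument only needs to be wider if the cron job does a lot of work before it calls su.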
