LinuxQuestions.org
06-13-2007, 09:41 AM   #1
censanian
LQ Newbie
Registered: Jun 2007
Posts: 3

SU entries in log


In my system log I'm seeing entries like this....


process: SU
message: "pam_unix2: session started for user cyrus, service su"

and

process: SU
message: "pam_unix2: session started for user nobody, service su"


I have no idea where these usernames are coming from. I did not create them, and I do not see them in my list of users/groups in YaST. Am I being hacked? Are these system processes? Thanks for any help!
 
06-13-2007, 11:52 AM   #2
{BBI}Nexus{BBI}
Senior Member
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 4
Posts: 4,297

Quote:
Originally Posted by censanian
They could possibly be system processes. Use a process manager (like KDE System Guard if you are running KDE) to view all processes and who or what is running them. You can also use top in a console to view system processes.
 
06-14-2007, 02:47 AM   #3
redgoblin
Member
Registered: Jun 2005
Location: UK
Distribution: Debian
Posts: 189

When you say system log, which one are you referring to? If you're using YaST then I guess you're on SUSE, which I don't know so well.

But to help you out, Cyrus is a mail and IMAP server. Do you know if you have that installed/running?

The user 'nobody' is commonly created by services that need to provide restricted access to outsiders. It's quite common for it to be set up by FTP servers and the like.

Try running:

Code:
cat /var/log/auth.log|grep nobody
as root to see what the user nobody has been up to.
 
06-14-2007, 07:54 AM   #4
censanian
LQ Newbie
Registered: Jun 2007
Posts: 3

Original Poster
Thanks for the replies!!! I used 'top' to see if those users were doing anything, and they weren't.

I tried the "cat /var/log/auth.log|grep nobody" but that log doesn't exist.

Yes, I'm running SUSE Linux 9.3.

I'm checking into the Cyrus stuff.

Thanks again!
 
06-16-2007, 08:40 PM   #5
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Also check your logs for cron jobs run around that time. Some types of cron activity will need admin privileges and it will automatically add or drop privileges as necessary.
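Added example (not posted by anyone in this thread): a small Python script that does the checks suggested in posts #3 and #5 in one pass. It parses pam_unix2 "session started for user ..., service su" lines, looks each target user up in a passwd-format listing to tell daemon accounts (such as cyrus and nobody) from ordinary logins or names with no account at all, and keeps the timestamps so they can be compared against cron's log. The log lines, host name, passwd excerpt and UIDs are constructed, and the 499 system-UID cutoff is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log in the pam_unix2 wording quoted in this thread; the host
# name, timestamps and the account "fakeuser" are made up for illustration.
SAMPLE_LOG = """\
Jun 13 04:15:01 suse93 su: pam_unix2: session started for user cyrus, service su
Jun 13 04:15:01 suse93 su: pam_unix2: session started for user nobody, service su
Jun 13 13:15:01 suse93 su: pam_unix2: session started for user cyrus, service su
Jun 13 23:59:59 suse93 su: pam_unix2: session started for user fakeuser, service su
"""
# Constructed /etc/passwd excerpt; UIDs are illustrative, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cyrus:x:96:12:User for cyrus-imapd:/var/lib/imap:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
censanian:x:1000:100:Forum user:/home/censanian:/bin/bash
"""
SU_SESSION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+\S+\s+su: pam_unix2: "
    r"session started for user (?P<user>\S+), service su$"
)

def load_passwd(text):
    """Map account name -> numeric UID from passwd-format text."""
    return {f[0]: int(f[2]) for f in (ln.split(":") for ln in text.splitlines()) if len(f) >= 3}

def classify_su_sessions(log_text, passwd_text, system_uid_max=499):
    """Return {user: {"count", "category", "times"}} for each 'service su' start.
    category is 'system' (UID <= system_uid_max, or the 65534 'nobody' convention),
    'regular' (ordinary login account) or 'unknown' (no passwd entry: look closer).
    The 499 cutoff is an assumption; check SYS_UID_MAX in /etc/login.defs.
    """
    uids = load_passwd(passwd_text)
    times = defaultdict(list)
    for m in filter(None, map(SU_SESSION.match, log_text.splitlines())):
        times[m.group("user")].append(m.group("ts"))
    summary = {}
    for user, ts in times.items():
        if user not in uids:
            category = "unknown"
        elif uids[user] <= system_uid_max or uids[user] >= 65534:
            category = "system"
        else:
            category = "regular"
        # Keeping the timestamps lets you line entries up against cron's log.
        summary[user] = {"count": len(ts), "category": category, "times": ts}
    return summary

if __name__ == "__main__":
    print(classify_su_sessions(SAMPLE_LOG, SAMPLE_PASSWD))
```

On a real box, feed it the contents of the log SUSE writes su messages to and of /etc/passwd; an 'unknown' user, or a 'regular' user being switched to at odd hours, is what merits follow-up.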