Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-10-2002, 03:57 PM
#1
Member
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95
/var/log/messages file
OK, I was checking my firewall logs to make sure no intruders were getting in, I was looking and looking, a couple of pings that were not responded to. THEN I see this message:
PAM_unix[3114]: (system-auth) session opened for user news by (uid=0)
PAM_unix[3114]: (system-auth) session closed for user news
I don't go to user news groups or have news enabled. Is this something I need to be concerned about?

07-10-2002, 06:18 PM
#2
Member
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498
Maybe.
If you don't log in as "news" and didn't even know you had a "news" user then I would say unplug your box, and reinstall. It seems that whoever it was has root on your box. When it says session was open by uid=0 that means either the root user or another user with root privileges is on your box. Too bad the message wasn't more descriptive.

07-11-2002, 12:54 AM
#3
Guru
Registered: Jan 2001
Posts: 24,128
Re: /var/log/messages file
Quote:
Originally posted by jimval7
OK, I was checking my firewall logs to make sure no intruders were getting in, I was looking and looking, a couple of pings that were not responded to. THEN I see this message:
PAM_unix[3114]: (system-auth) session opened for user news by (uid=0)
PAM_unix[3114]: (system-auth) session closed for user news
I don't go to user news groups or have news enabled. Is this something I need to be concerned about?
|
Most likely it didn't authenticate and failed. /var/log/messages will always record like that above, usually making it seem as if someone might have accessed your system, but really didn't. You'll want to check any of your other logs and see if anything matches something similar to the user news.. etc.. to make sure they didn't get access. But it doesn't hurt to unplug your machine while checking it out.
For example though, my FTP server doesn't allow anonymous connections.. but the messages file will only indicate this:
Jul 2 04:28:47 blackhole proftpd[25825] : connect from 210.0.186.132
Making it seem as if someone actually connected, but when I look at the ftp log, it closed their session as they couldn't login with correct name and password. Hope this eases your mind a bit. But definitely still look into it though.

07-12-2002, 05:47 AM
#4
Member
Registered: Mar 2002
Location: Elyria, Ohio
Distribution: Debian, Nothing else required
Posts: 141
If available, you might try running the commands last and lastb. last will show successful logins while lastb will show unsuccessful login attempts. Hope this helps resolve your question. -mk

07-17-2002, 04:48 AM
#5
LQ Newbie
Registered: Apr 2002
Distribution: RH X
Posts: 21
Don't worry. It's just a cron job doing what it's supposed to.
/etc/cron.daily/slrnpull-expire I would suspect.
---------------------------------------------
The slrn-pull package provides the slrnpull utility, which allows you to set up a small news spool for offline news reading using the SLRN news reader. You also need to have the slrn package installed to use the slrnpull utility.

07-22-2002, 12:32 AM
#6
Member
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95
Original Poster
thanks
Thanks Leffe, It was the cron, I didn't get hacked in. Thanks again, I'm glad it was the cron job.
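
Added example, not written by any poster in this thread: it pairs the PAM session lines quoted in post #1 by PID and checks whether a cron run was logged shortly before each session opened, which is the explanation post #5 arrived at. The timestamps, the hostname `myhost`, the CROND line and the five-minute window are constructed assumptions; on many systems cron logs to a separate file that has to be merged in first.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: timestamps, hostname and the CROND line are invented;
# the PAM_unix message text is the one quoted in the thread.
SAMPLE_LOG = """\
Jul 10 04:02:01 myhost CROND[3101]: (root) CMD (run-parts /etc/cron.daily)
Jul 10 04:02:07 myhost PAM_unix[3114]: (system-auth) session opened for user news by (uid=0)
Jul 10 04:02:09 myhost PAM_unix[3114]: (system-auth) session closed for user news
Jul 10 15:41:30 myhost PAM_unix[4420]: (system-auth) session opened for user news by (uid=0)
"""

LINE = re.compile(r"^(\w{3})\s+(\d+)\s+([\d:]{8})\s+\S+\s+([^\[\s:]+)\[(\d+)\]\s*:\s*(.*)$")
PAM = re.compile(r"session (opened|closed) for user (\S+)(?: by \S*\(uid=(\d+)\))?")

def parse(text, year=2002):
    """Yield (time, tag, pid, message); syslog lines carry no year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            mon, day, clock, tag, pid, msg = m.groups()
            when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            yield when, tag, int(pid), msg

def pam_sessions(text, cron_window=timedelta(minutes=5)):
    """Pair PAM open/close events by PID and note whether cron ran shortly before."""
    cron_times, open_by_pid, sessions = [], {}, []
    for when, tag, pid, msg in parse(text):
        if tag.lower() in ("crond", "cron"):
            cron_times.append(when)
            continue
        m = PAM.search(msg)
        if not m:
            continue
        action, user, uid = m.groups()
        if action == "opened":
            near_cron = any(timedelta(0) <= when - c <= cron_window for c in cron_times)
            s = {"user": user, "pid": pid, "opened": when, "closed": None,
                 "by_uid": int(uid) if uid else None,
                 "verdict": "cron-timed" if near_cron else "unexplained"}
            open_by_pid[pid] = s
            sessions.append(s)
        elif pid in open_by_pid:
            open_by_pid.pop(pid)["closed"] = when  # close matches the open with the same PID
    return sessions

if __name__ == "__main__":
    for s in pam_sessions(SAMPLE_LOG):
        print(s["opened"], s["user"], "by uid", s["by_uid"], "->", s["verdict"])
```

A "cron-timed" verdict is only a timing match; the cron script itself (here /etc/cron.daily/slrnpull-expire, per post #5) still has to be read to confirm that it switches to that user. A session with no close line, like the second one in the sample, is worth checking with last and lastb as post #4 suggests.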
All times are GMT -5. The time now is 05:05 AM.