LinuxQuestions.org


jwgathumbi 08-15-2016 04:15 PM

Error "command not allowed" LinuxServer
 
Hi folks, I need some help figuring out a log event, per the log events below. Both events seem similar, yet event #1 was not allowed. Yet a few minutes later, the same command was allowed, as shown by event #2. What am I missing here?
1. Privilege Escalation Failed u07c04 LinuxServer @ plup5066 1 Aug 5, 2016, 1:25:08 PM Privilege Escalation Failed 10.10.10.185 10.10.10.150 5 <33>Aug 5 13:25:08 plup5066 sudo: u07c04 : command not allowed ; TTY=pts/0 ; PWD=/home/u07c04 ; USER=root ; COMMAND=/bin/su -

2. Privilege Escalation Succeeded u07c04 LinuxServer @ plup5066 1 Aug 5, 2016, 1:28:32 PM Privilege Escalation Succeeded 10.10.10.185 10.10.10.150 4 <37>Aug 5 13:28:32 plup5066 sudo: u07c04 : TTY=pts/0 ; PWD=/home/u07c04 ; USER=root ; COMMAND=/bin/su -

Upuetz 08-15-2016 05:39 PM

Hi,
I deduce from your question that you didn't run that command? If so, then I think user u07c04 managed to run the command (sudo) su -, which means he now has root access.

To be frank, I'm not entirely certain that's what happened but it might be from your excerpts above.
HTH
Upuetz

jwgathumbi 08-15-2016 07:23 PM

Hello-
What I do not understand is why the first event (#1) was deemed "command not allowed" yet a few minutes later, the same user ran the same command on the same server and it was successful. That's my dilemma.

Upuetz 08-16-2016 03:41 AM

Maybe that user was able to change the sudoers file? Or the rights of /bin/su?
Both would be bad...
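
An added example, not part of the original thread: a small Python correlator that parses sudo syslog lines like the two quoted above and flags a denied command that the same user then runs successfully on the same host within a time window. The function names, the 10-minute window and the assumed year are choices made for this example; the sample lines are the syslog payloads from the first post.

```python
import re
from datetime import datetime

# Sample input: the two syslog payloads quoted in the first post.
SAMPLE = [
    "<33>Aug 5 13:25:08 plup5066 sudo: u07c04 : command not allowed ; "
    "TTY=pts/0 ; PWD=/home/u07c04 ; USER=root ; COMMAND=/bin/su -",
    "<37>Aug 5 13:28:32 plup5066 sudo: u07c04 : TTY=pts/0 ; "
    "PWD=/home/u07c04 ; USER=root ; COMMAND=/bin/su -",
]

SUDO_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+(?P<body>.*)$"
)

def parse(line, year=2016):
    """Return a dict for one sudo log line, or None if it is not one.
    Syslog timestamps carry no year, so `year` is an assumption."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # COMMAND= is always last and may itself contain ';', so split it off first.
    head, _, command = m["body"].partition("COMMAND=")
    parts = [p.strip() for p in head.split(";") if p.strip()]
    kv = dict(p.split("=", 1) for p in parts if "=" in p)
    # A field without '=' is sudo's failure reason, e.g. "command not allowed".
    reason = next((p for p in parts if "=" not in p), None)
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m["host"], "user": m["user"],
            "runas": kv.get("USER"), "command": command.strip(), "reason": reason}

def denied_then_allowed(lines, window_s=600):
    """Return (key, denied_at, allowed_at) for each success that follows a
    denial of the same (host, user, runas, command) within window_s seconds."""
    denied, hits = {}, []
    for ev in filter(None, map(parse, lines)):
        key = (ev["host"], ev["user"], ev["runas"], ev["command"])
        if ev["reason"]:
            denied[key] = ev["time"]
        elif key in denied:
            gap = (ev["time"] - denied[key]).total_seconds()
            if 0 <= gap <= window_s:
                hits.append((key, denied[key], ev["time"]))
    return hits

if __name__ == "__main__":
    for key, t_denied, t_allowed in denied_then_allowed(SAMPLE):
        print(key, "denied", t_denied, "allowed", t_allowed)
```

A hit gives the two timestamps that bound the period in which the sudo policy or the user's group membership would have had to change, which is the interval to check in the sudoers files' modification times and in any audit records.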


All times are GMT -5.