LinuxQuestions.org
Old 04-27-2005, 05:47 AM   #1
merana
Member
 
Registered: May 2002
Location: Philly/So. Jersey
Distribution: ESXi CentOS Red-Hat Ubuntuu Solaris Debian
Posts: 85

Rep: Reputation: 15
Odd entry in syslog


Hi All,

Had a weird occurrence just recently... Upon reboot of the server I noted the following in the syslog:

Apr 27 06:38:46 server kernel: RAMDISK: Loading 3272 blocks [1 disk] into ram disk... |^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-
^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H
-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^
H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/
^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H
/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^H/^H-^H\^H|^Hdone.

Don't remember seeing this before... Anyone have a prior sighting of this? Or suggestions as to what it is?

* EDIT *

Also I just noted this from auth.log:

Apr 27 03:03:48 server su[20501]: + ??? root:nobody
Apr 27 03:03:48 server su[20501]: (pam_unix) session opened for user nobody by (uid=0)

!!! Now I'm getting a little more concerned.... Already scanned all of the apache logs for recent posts and I didn't see anything anomalous....



Thanks,

Last edited by merana; 04-27-2005 at 06:07 AM.
 
Old 04-27-2005, 06:19 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

The |^H/^H-^H\^H|^H/^H-^H\^H|H/^H-^H\^H|^H/^H-^H\ bit is a progress spinner (^H means 'backspace'. Look at the characters between.). Nothing to worry about.

The auth.log entry looks like a daemon dropping to a low level user account (Any daemon that binds to a TCP port < 1025 has to be started as root, and they usually drop down to a different user soon after starting). If it was 'session opened for user root by nobody' then you should be worried.

Dave

Last edited by ilikejam; 04-27-2005 at 06:25 AM.
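Added example, not part of any post in this thread: a small Python triage helper that renders the `^H` caret notation the way a terminal would (collapsing the spinner) and applies the rule of thumb from the reply above to pam_unix "session opened" lines. The sample lines are constructed from the entries quoted in the thread; the third line, the regular expression and the verdict labels are assumptions made for illustration.

```python
import re

# Constructed sample lines modelled on the entries quoted in this thread.
# The third line (non-root uid opening a root session) is invented.
SAMPLE = [
    "Apr 27 06:38:46 server kernel: RAMDISK: Loading 3272 blocks [1 disk] "
    "into ram disk... |^H/^H-^H\\^H|^H/^H-^H\\^H|^Hdone.",
    "Apr 27 03:03:48 server su[20501]: (pam_unix) session opened for user nobody by (uid=0)",
    "Apr 27 03:09:12 server su[20777]: (pam_unix) session opened for user root by (uid=65534)",
]

# Accepts "by (uid=0)" as well as the "by alice(uid=1000)" variant.
SESSION = re.compile(
    r"session opened for user ([^\s(]+)(?:\(uid=\d+\))? by \S*\(uid=(\d+)\)"
)


def apply_backspaces(line):
    """Render a line as a terminal would: each backspace erases one character."""
    out = []
    # The log shows backspace in caret notation (^H); map it to a real \b first.
    for ch in line.replace("^H", "\b"):
        if ch == "\b":
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def classify_session(line):
    """Return 'drop', 'escalation', 'same', or None for non-session lines."""
    m = SESSION.search(line)
    if not m:
        return None
    target, by_uid = m.group(1), int(m.group(2))
    if by_uid == 0 and target != "root":
        return "drop"        # root switching to an unprivileged account
    if by_uid != 0 and target == "root":
        return "escalation"  # unprivileged uid got a root session: review it
    return "same"


def triage(lines):
    """Pair each rendered line with its session verdict."""
    return [(apply_backspaces(l), classify_session(l)) for l in lines]


if __name__ == "__main__":
    for text, verdict in triage(SAMPLE):
        print(f"{verdict or '-':10} {text}")
```

An "escalation" verdict only marks the line for review; a legitimate `su` to root by a normal user produces the same entry.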
 
Old 04-27-2005, 06:23 AM   #3
merana
Member
 
Registered: May 2002
Location: Philly/So. Jersey
Distribution: ESXi CentOS Red-Hat Ubuntuu Solaris Debian
Posts: 85

Original Poster
Rep: Reputation: 15
Wicked! Thanks for the look-over Dave!
 
  


All times are GMT -5.