-   Linux - Security
-   -   Possible Hack?

sbscomp 02-14-2001 03:03 PM

I'm running SuSE 6.4, and in my logs I noticed some entries like this:


instead of a regular syslog entry. I have also noticed a remote connection to my X server by nobody@nowhere.

I am running a firewall, and as far as I know, the only items allowed through are ftp-data and DNS.

Am I missing something? Or do I need to do something to secure a port I don't have secure? This machine is a workstation on a mainly Windows network, so that is the reason I am running X (gnome) on it.

I am willing to dig and/or get my hands dirty here...

jeremy 02-14-2001 05:06 PM

By default syslogd will print --MARK-- every 20 minutes. This is so you know it hasn't died. If you do not want this then start syslogd with a -m0.

sbscomp 02-14-2001 10:57 PM

Yep, checked it out on my server here at home, and there's a bunch of --MARK--'s :)

Now, what kind of processes su to root from user nobody? My server here at home has them as well, and I *know* that it can't have gotten hacked - internal network. That was the part that really had me worried. (Or is there still a possibility that I was hacked?)

What started it all was that just before I got my firewall up and running, I couldn't log on to the system through gdm. If I took it off the network and rebooted, everything was fine. So I made sure the firewall was online and changed my password to something long and difficult to crack (although, being on a T1 at work makes it kind of easy for someone with enough time). That fixed the problem, but I noticed this stuff from "nobody", even though nobody has a /bin/false login shell.

cawaker 02-15-2001 04:00 PM

re: nobody
The user nobody is usually Apache and its processes; it runs as the user "nobody" so it doesn't have to run as root, but it still needs root access. (I think) (:

All times are GMT -5.