root:nobody in logs - Security



  1. root:nobody in logs

    Hi

    What do you think about it?




    [/var/log/auth.log]

    Sep 13 05:15:01 serv CRON[6665]: (pam_unix) session opened for user root by (uid=0)

    Sep 13 05:15:01 serv su[6686]: + ??? root:nobody

    Sep 13 05:15:01 serv su[6686]: (pam_unix) session opened for user nobody by (uid=0)

    Sep 13 05:15:05 serv CRON[6665]: (pam_unix) session closed for user root



    [/var/log/messages]

    Sep 13 04:41:48 serv kernel: New not syn:IN=eth1 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=60.xx.xx.xx DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=7224 PROTO=TCP SPT=80 DPT=64585 WINDOW=16384 RES=0x00 ACK SYN URGP=0

    Sep 13 05:15:05 router syslogd 1.4.1#17: restart.



  2. Re: root:nobody in logs

    On 14.09.2006, n0m3n wrote:
    > Hi
    >
    > What do you think about it?


    We think that you should wait for an answer on the Polish newsgroup first
    before posting the same article to an English group. Some of us read
    in both languages, if you haven't noticed yet.

    > [/var/log/auth.log]
    >
    > Sep 13 05:15:01 serv CRON[6665]: (pam_unix) session opened for user root by (uid=0)
    >
    > Sep 13 05:15:01 serv su[6686]: + ??? root:nobody
    >
    > Sep 13 05:15:01 serv su[6686]: (pam_unix) session opened for user nobody by (uid=0)
    >
    > Sep 13 05:15:05 serv CRON[6665]: (pam_unix) session closed for user root


    And what are we supposed to think about it?

    > [/var/log/messages]
    >
    > Sep 13 04:41:48 serv kernel: New not syn:IN=eth1 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=60.xx.xx.xx DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=7224 PROTO=TCP SPT=80 DPT=64585 WINDOW=16384 RES=0x00 ACK SYN URGP=0
    >
    > Sep 13 05:15:05 router syslogd 1.4.1#17: restart.



    --
    Some people like dozzie...
    Of course, we respect them.
    Stanislaw Klekot

  3. Re: root:nobody in logs

    n0m3n wrote:
    > Hi
    >
    > What do you think about it?
    >
    >
    >
    >
    > [/var/log/auth.log]
    >
    > Sep 13 05:15:01 serv CRON[6665]: (pam_unix) session opened for user root by (uid=0)
    >
    > Sep 13 05:15:01 serv su[6686]: + ??? root:nobody
    >
    > Sep 13 05:15:01 serv su[6686]: (pam_unix) session opened for user nobody by (uid=0)
    >
    > Sep 13 05:15:05 serv CRON[6665]: (pam_unix) session closed for user root
    >
    >
    >
    > [/var/log/messages]
    >
    > Sep 13 04:41:48 serv kernel: New not syn:IN=eth1 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=60.xx.xx.xx DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=7224 PROTO=TCP SPT=80 DPT=64585 WINDOW=16384 RES=0x00 ACK SYN URGP=0
    >
    > Sep 13 05:15:05 router syslogd 1.4.1#17: restart.


    So CRON restarts your logging daemon at 5:15am. Try looking at
    /etc/crontab or, if your system uses them:
    /etc/cron.d
    /etc/cron.daily
    /etc/cron.weekly
    /etc/cron.monthly

    In short, cron runs as root (it has to), but it will drop privileges
    unless it needs to run higher. In your case, it appears to be doing the
    grunt work as "nobody" then going back to root and restarting syslogd.

    It looks very harmless to me.

    Cheers,

    James
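Added example (editor's code, not from any of the posters above): James's reading of the log rests on one correlation, namely that the `su` record was written while a CRON pam session for the same user was open on the same host at the same second. The `su` line itself is in the format the shadow-utils `su` writes to syslog: `+` for success or `-` for failure, then the controlling tty (`???` when there is none, as for a cron job), then `invoking user:target user`. The script below parses syslog-style lines, pairs every `su` record with an open CRON session for the invoking user, and labels it as cron-spawned, interactive, or the case worth a second look: a tty-less `su` with no cron job behind it. The sample log is constructed; its first four lines mirror the thread's `/var/log/auth.log` excerpt, and the interactive `su` by "bob" and the tty-less `su` by "www-data" are invented for contrast. The year 2006 is assumed because syslog timestamps carry none.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample. Lines 1-4 mirror the auth.log excerpt from the thread;
# the remaining lines (bob, www-data) are invented for contrast.
SAMPLE_AUTH_LOG = """\
Sep 13 05:15:01 serv CRON[6665]: (pam_unix) session opened for user root by (uid=0)
Sep 13 05:15:01 serv su[6686]: + ??? root:nobody
Sep 13 05:15:01 serv su[6686]: (pam_unix) session opened for user nobody by (uid=0)
Sep 13 05:15:05 serv CRON[6665]: (pam_unix) session closed for user root
Sep 13 09:42:10 serv su[7001]: + pts/0 bob:root
Sep 13 09:42:10 serv su[7001]: (pam_unix) session opened for user root by bob(uid=1000)
Sep 13 11:03:27 serv su[7120]: + ??? www-data:root
Sep 13 11:03:27 serv su[7120]: (pam_unix) session opened for user root by (uid=33)
"""

# syslog line: "<Mon> <day> <hh:mm:ss> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# su's own record: "+" success / "-" failure, tty ("???" = no controlling
# terminal), then "<invoking user>:<target user>".
SU_RE = re.compile(r"^(?P<status>[+-]) (?P<tty>\S+) (?P<src>[^:\s]+):(?P<dst>\S+)$")
CRON_OPEN_RE = re.compile(r"^\(pam_unix\) session opened for user (?P<user>\S+) by ")
CRON_CLOSE_RE = re.compile(r"^\(pam_unix\) session closed for user (?P<user>\S+)$")

SuEvent = namedtuple("SuEvent", "ts host pid src dst tty status context direction")


def _parse_ts(text, year):
    # syslog timestamps carry no year; the caller supplies one (assumed 2006 here).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def classify_su_events(log_text, year=2006):
    """Pair each su record with a CRON pam session that is open on the same
    host for the invoking user at that moment, and label the result."""
    open_cron = {}   # (host, pid) -> (user, opened_at)
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m["ts"], year)
        host, prog, pid, msg = m["host"], m["prog"], m["pid"], m["msg"]
        if prog == "CRON":
            if (o := CRON_OPEN_RE.match(msg)):
                open_cron[(host, pid)] = (o["user"], ts)
            elif CRON_CLOSE_RE.match(msg):
                open_cron.pop((host, pid), None)
            continue
        if prog != "su" or not (s := SU_RE.match(msg)):
            continue
        src, dst, tty = s["src"], s["dst"], s["tty"]
        # A cron-spawned su has no tty and runs while a CRON pam session for
        # the same user is open on the same host.
        from_cron = tty == "???" and any(
            h == host and user == src and opened <= ts
            for (h, _), (user, opened) in open_cron.items()
        )
        if from_cron:
            context = "cron"
        elif tty == "???":
            context = "no-tty, no matching cron session"
        else:
            context = "interactive"
        if src == "root" and dst != "root":
            direction = "drop"        # root handing work to a lesser account
        elif dst == "root":
            direction = "escalate"    # someone becoming root
        else:
            direction = "lateral"
        events.append(SuEvent(ts, host, pid, src, dst, tty, s["status"], context, direction))
    return events


if __name__ == "__main__":
    for e in classify_su_events(SAMPLE_AUTH_LOG):
        print(f"{e.ts:%b %d %H:%M:%S} {e.host} su[{e.pid}] {e.src}->{e.dst} "
              f"tty={e.tty} {e.direction:8} [{e.context}]")
```

Run on the sample, the `root:nobody` event comes out as `drop [cron]`, which is the benign pattern James describes; bob's `su` is `escalate [interactive]`; and the invented `www-data:root` line is flagged `escalate [no-tty, no matching cron session]`, the combination that would justify pulling the full cron directories and the web server's process tree. Once the cron-spawned `su` is confirmed, the remaining step is the one James suggests: find the job in /etc/crontab or /etc/cron.* that invokes `su` around 05:15 and read what it runs as "nobody".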
