could you help interpret my logs?

Julian Underwood mailings at underwoods.net
Sun Oct 3 21:42:23 UTC 2004


On Sun, 2004-10-03 at 12:44, Alexander Dalloz wrote:
> Am So, den 03.10.2004 schrieb Julian Underwood um 17:12:
> 
> > Well I know someone was trying to gain access to my FC 2 server:
> 
> A known person?

No.

> 
> > su:
> >    Sessions Opened:
> >       (uid=0) -> julian: 2 Time(s)
> >       (uid=0) -> cyrus: 1 Time(s)
> >       (uid=0) -> news: 1 Time(s)
> >       julian(uid=500) -> root: 1 Time(s)
> 
> From what do you conclude that the attacker logged in as cyrus and news?
> I would think it was you as root doing so by running "su - $username".
> (One time su'ing from julian to root.) The logwatch entries point to su
> actions. If it wasn't you, then switch off the machine from net, as a
> foreign person has root control over the host.

The only account I 'su' to is root.  I know I could figure out this one
by Googling, but while I'm still typing--does the cyrus or news account
have passwords, or are they disabled from login?  What do the middle two
entries above indicate?


Thanks,

Julian
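The two questions at the end of this message (are the cyrus and news accounts locked, and what do the root-to-service-account su lines mean) can be checked mechanically. The script below is an added example, not code from this thread or from Fedora; it parses constructed `/etc/passwd` and `/etc/shadow` lines in the Fedora Core style (system accounts shipped with `!!` or `*` in the password field, a nologin shell or no shell at all), parses a copy of the logwatch su summary quoted above, and reports which su targets root switched into even though those accounts have no usable password. The user, uid and shell values in the sample data are assumptions, not the poster's real files, and the script only reports facts; it does not decide whether the switches were an intruder or a root-owned job.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample files in Fedora Core style (not the poster's real data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
julian:x:500:500:Julian:/home/julian:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
news:x:9:13:news:/etc/news:
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:12300:0:99999:7:::
julian:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:12300:0:99999:7:::
cyrus:!!:12300:0:99999:7:::
news:*:12300:0:99999:7:::
nobody:*:12300:0:99999:7:::
"""

# Constructed copy of the logwatch "su" summary quoted in the thread.
SAMPLE_LOGWATCH_SU = """\
su:
   Sessions Opened:
      (uid=0) -> julian: 2 Time(s)
      (uid=0) -> cyrus: 1 Time(s)
      (uid=0) -> news: 1 Time(s)
      julian(uid=500) -> root: 1 Time(s)
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


class Account(NamedTuple):
    name: str
    uid: int
    shell: str
    password_state: str  # "locked", "empty" or "set"

    @property
    def password_login_possible(self) -> bool:
        # A password login needs an unlocked (or empty!) password AND a real shell.
        return self.password_state != "locked" and self.shell not in NOLOGIN_SHELLS


def classify_accounts(passwd_text: str, shadow_text: str) -> Dict[str, Account]:
    """Join passwd and shadow by user name and classify each account."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            shadow[name] = pw
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        shell = shell or "/bin/sh"          # empty shell field means the default shell
        pw = shadow.get(name)
        if pw is None:                      # no shadow entry: nothing can match, locked
            state = "locked"
        elif pw == "":
            state = "empty"                 # no password at all: anyone can log in
        elif pw.startswith(("!", "*")):
            state = "locked"                # "!!" and "*" are the lock markers
        else:
            state = "set"
        accounts[name] = Account(name, uid, shell, state)
    return accounts


class SuSession(NamedTuple):
    source: str
    source_uid: int
    target: str
    count: int


# Matches "(uid=0) -> julian: 2 Time(s)" and "julian(uid=500) -> root: 1 Time(s)".
SU_LINE = re.compile(r"^\s*(?P<src>\w*)\(uid=(?P<uid>\d+)\)\s*->\s*(?P<dst>\w+):\s*(?P<n>\d+) Time\(s\)")


def parse_su_sessions(text: str) -> List[SuSession]:
    """Turn the logwatch su summary into structured records."""
    sessions = []
    for line in text.splitlines():
        m = SU_LINE.match(line)
        if not m:
            continue
        uid = int(m.group("uid"))
        src = m.group("src") or ("root" if uid == 0 else f"uid{uid}")
        sessions.append(SuSession(src, uid, m.group("dst"), int(m.group("n"))))
    return sessions


def root_switches_into_locked_accounts(sessions: List[SuSession],
                                       accounts: Dict[str, Account]) -> List[str]:
    """Targets root su'ed into although their password is locked.

    su run by uid 0 asks for no password, so a locked password never stops it;
    such entries come from root itself (an admin, or a root-owned cron/init job),
    not from a password login as that user.  Whoever holds root is the question.
    """
    return [s.target for s in sessions
            if s.source_uid == 0 and s.target in accounts
            and accounts[s.target].password_state == "locked"]


if __name__ == "__main__":
    accts = classify_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for a in accts.values():
        print(f"{a.name:8} password={a.password_state:6} shell={a.shell:14} "
              f"password login possible={a.password_login_possible}")
    sess = parse_su_sessions(SAMPLE_LOGWATCH_SU)
    print("root -> locked accounts:", root_switches_into_locked_accounts(sess, accts))
```

On a live Fedora host the same checks are `grep '^cyrus:\|^news:' /etc/shadow` (as root) for the password field and `/etc/passwd` for the shell; the script only packages that reading so the result can be compared against the su lines.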