could you help interpret my logs?

Mike McMullen mlm at loanprocessing.net
Sun Oct 3 21:46:45 UTC 2004


----- Original Message ----- 
From: "Julian Underwood" <mailings at underwoods.net>
To: "For users of Fedora Core releases" <fedora-list at redhat.com>
Sent: Sunday, October 03, 2004 2:42 PM
Subject: Re: could you help interpret my logs?


> On Sun, 2004-10-03 at 12:44, Alexander Dalloz wrote:
> > On Sun, 03.10.2004 at 17:12, Julian Underwood wrote:
> > 
> > > Well I know someone was trying to gain access to my FC 2 server:
> > 
> > A known person?
> 
> No.
> 
> > 
> > > su:
> > >    Sessions Opened:
> > >       (uid=0) -> julian: 2 Time(s)
> > >       (uid=0) -> cyrus: 1 Time(s)
> > >       (uid=0) -> news: 1 Time(s)
> > >       julian(uid=500) -> root: 1 Time(s)
> > > 
> 
> > 
> > From what do you conclude that the attacker logged in as cyrus and news?
> > I would think it was you as root doing so by running "su - $username".
> > (One time su'ing from julian to root.) The logwatch entries point to su
> > actions. If it wasn't you, then switch off the machine from net, as a
> > foreign person has root control over the host.
> 
> The only account I 'su' to is root.  I know I could figure out this one
> by Googling, but while I'm still typing--does the cyrus or news account
> have passwords, or are they disabled from login?  What do the middle two
> entries above indicate?
> 
> 
> Thanks,
> 
> Julian
> 

Those news and cyrus logins are from batch jobs that run during the day. Check your
/etc/cron.daily directory for details.

Hope this helps,

Mike
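The distinction the thread turns on, root becoming a service account from a cron job versus a person with root on the box, can be checked directly in /var/log/secure rather than from the logwatch summary. The following is an added example, not code from the thread or from logwatch, and it rests on two labelled assumptions: that pam_unix writes "session opened for user TARGET by LOGIN(uid=N)" with LOGIN empty when the calling process has no utmp login name (the normal situation under cron, which is why the summary shows a bare "(uid=0)"), and that the default FC2 /etc/crontab starts run-parts /etc/cron.daily at 04:02. The log lines and shadow records are constructed samples; the hostname fc2 and the 30-minute window are assumptions too.

```python
"""Classify su(1) session entries from a /var/log/secure-style log.

Added example for the thread above; it is not code from the thread or from
logwatch. Assumptions, labelled here and in the lead-in: pam_unix logs
"session opened for user TARGET by LOGIN(uid=N)", and LOGIN is empty when the
calling process has no utmp login name (the normal case under cron); the
default FC2 /etc/crontab starts run-parts /etc/cron.daily at 04:02. All log
lines and account records below are constructed samples.
"""
import re
from collections import Counter
from datetime import time

# Constructed sample of su lines as pam_unix wrote them on a Fedora Core 2 box.
SAMPLE_SECURE = """\
Oct  3 04:02:11 fc2 su(pam_unix)[2281]: session opened for user cyrus by (uid=0)
Oct  3 04:02:14 fc2 su(pam_unix)[2281]: session closed for user cyrus
Oct  3 04:02:20 fc2 su(pam_unix)[2290]: session opened for user news by (uid=0)
Oct  3 04:02:21 fc2 su(pam_unix)[2290]: session closed for user news
Oct  3 09:15:02 fc2 su(pam_unix)[3120]: session opened for user root by julian(uid=500)
Oct  3 09:40:37 fc2 su(pam_unix)[3120]: session closed for user root
Oct  3 11:05:40 fc2 su(pam_unix)[3344]: session opened for user julian by (uid=0)
Oct  3 11:06:01 fc2 su(pam_unix)[3344]: session closed for user julian
Oct  3 23:48:09 fc2 su(pam_unix)[4410]: session opened for user julian by (uid=0)
"""

# Constructed /etc/shadow records for the accounts in the sample (not real hashes).
SAMPLE_SHADOW = {
    "cyrus": "cyrus:!!:12500:0:99999:7:::",
    "news": "news:*:12500:0:99999:7:::",
    "julian": "julian:$1$saltsalt$ExampleHashOnlyNotRealxxx:12500:0:99999:7:::",
}

SU_OPEN = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"\S+ su(?:\(pam_unix\))?\[\d+\]: session opened for user "
    r"(?P<target>\S+) by (?P<login>\w*)\(uid=(?P<uid>\d+)\)$"
)

# Assumption: default FC2 /etc/crontab runs cron.daily at 04:02; allow 30 minutes.
CRON_DAILY_START = time(4, 2)
CRON_DAILY_WINDOW_MIN = 30


def parse_su_events(log_text):
    """Return one dict per 'session opened' line; 'closed' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SU_OPEN.match(line)
        if m:
            events.append({
                "time": time(int(m["hh"]), int(m["mm"]), int(m["ss"])),
                "login": m["login"],   # '' when the caller has no utmp login name
                "uid": int(m["uid"]),
                "target": m["target"],
            })
    return events


def logwatch_summary(events):
    """Counts keyed like logwatch's 'caller -> target: N Time(s)' lines."""
    counts = Counter()
    for e in events:
        counts[(f"{e['login']}(uid={e['uid']})", e["target"])] += 1
    return dict(counts)


def in_cron_daily_window(t):
    start = CRON_DAILY_START.hour * 60 + CRON_DAILY_START.minute
    now = t.hour * 60 + t.minute
    return start <= now < start + CRON_DAILY_WINDOW_MIN


def classify(event):
    """'interactive': caller had a login name, so a person at a terminal.
    'cron-daily':  root with no login name inside the cron.daily window, which
                   is what a daily job doing 'su - cyrus' looks like.
    'investigate': root with no login name at any other time; reconcile it
                   with /etc/crontab and /var/spool/cron before trusting it."""
    if event["login"]:
        return "interactive"
    if event["uid"] == 0 and in_cron_daily_window(event["time"]):
        return "cron-daily"
    return "investigate"


def password_login_disabled(shadow_line):
    """True when the shadow password field is locked ('!' or '*' prefix).
    An empty field is NOT disabled: it means login with no password at all.
    Root's 'su - user' never consults this field (pam_rootok in /etc/pam.d/su),
    so a locked password neither explains nor prevents (uid=0) -> cyrus."""
    return shadow_line.split(":")[1].startswith(("!", "*"))


if __name__ == "__main__":
    evs = parse_su_events(SAMPLE_SECURE)
    for (caller, target), n in sorted(logwatch_summary(evs).items()):
        print(f"{caller} -> {target}: {n} Time(s)")
    for e in evs:
        print(e["time"], e["login"] or "(no login name)", "->", e["target"], classify(e))
    for user, line in SAMPLE_SHADOW.items():
        print(user, "password login disabled:", password_login_disabled(line))
```

Run against the real /var/log/secure, the script reproduces the logwatch counts and then labels each event; the useful output is the "investigate" lines, which are root sessions with no login name outside the cron.daily window. Those are the ones to match against /etc/crontab, /etc/cron.d and /var/spool/cron, exactly the check Mike suggests, before treating them as hostile. The shadow check answers the side question about cyrus and news: their password field is typically locked, but that only blocks password login as those users, not root switching to them with su.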