could you help interpret my logs?
buitrago at us.es
Tue Oct 5 09:30:51 UTC 2004
On Sun, 03 Oct 2004 18:44:03 +0200, Alexander Dalloz
<alexander.dalloz at uni-bielefeld.de> wrote:
> On Sun, 03.10.2004 at 17:12, Julian Underwood wrote:
>
>> su:
>> Sessions Opened:
>> (uid=0) -> julian: 2 Time(s)
>> (uid=0) -> cyrus: 1 Time(s)
>> (uid=0) -> news: 1 Time(s)
>> julian(uid=500) -> root: 1 Time(s)
>>
>> It also looks like the attacker was successful in logging in as cyrus
>> and news. Is this possible? Could this be potentially damaging to my
>> system? Or is this something normal which I am overlooking?
>
> From what do you conclude that the attacker logged in as cyrus and news?
> I would think it was you as root doing so by running "su - $username".
> (One time su'ing from julian to root.) The logwatch entries point to su
> actions. If it wasn't you, then switch off the machine from net, as a
> foreign person has root control over the host.
>
These su sessions could be administrative tasks performed by crontab jobs.
Look in /etc/cron.*/ and also the output from "crontab -l", e.g.
egrep 'news|cyrus' /etc/cron.*/*
crontab -l | egrep 'news|cyrus'
You can check /var/log/cron* for cron executions too.
--
Marina Buitrago Bravo
Servicio de Informática y Comunicaciones
Universidad de Sevilla
"Time is not important, only life is important."
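The cron check Marina describes, written out as a small script (an added example, not code from the thread): it takes su "session opened" lines in the pam_unix format and the file:line output that an egrep over /etc/cron.*/* would print, both constructed here, and flags su targets that were opened by uid 0 but are not matched by any cron entry. The sample log lines, the postgres user and the cron script paths are assumptions.

```shell
#!/bin/sh
# Constructed sample of su lines as pam_unix writes them to /var/log/secure
# (not from the original message); the postgres session has no cron entry.
SECURE_LOG='Oct  3 04:02:11 host su(pam_unix)[4811]: session opened for user cyrus by (uid=0)
Oct  3 04:02:13 host su(pam_unix)[4811]: session closed for user cyrus
Oct  3 04:02:20 host su(pam_unix)[4820]: session opened for user news by (uid=0)
Oct  3 04:05:00 host su(pam_unix)[4831]: session opened for user postgres by (uid=0)
Oct  3 14:30:05 host su(pam_unix)[6102]: session opened for user root by julian(uid=500)'

# Constructed sample of what "egrep 'news|cyrus' /etc/cron.*/*" might print;
# the script paths are made up for this example.
CRON_LINES='/etc/cron.daily/imap-maint:su - cyrus -c /usr/local/sbin/imap-maint
/etc/cron.daily/news-expire:su news -c /usr/local/sbin/news-expire'

# Print "target opener" for every su session-opened line.
su_sessions() {
    printf '%s\n' "$SECURE_LOG" |
        sed -n 's/.*session opened for user \([^ ]*\) by \(.*\)$/\1 \2/p'
}

# True if some cron entry runs "su [-] <user>" for the given user.
cron_explains() {
    printf '%s\n' "$CRON_LINES" | grep -Eq "su( -)? +$1( |\$)"
}

# Classify each su session: opened by uid 0 and matched by a cron entry
# -> "cron"; opened by uid 0 with no cron entry -> "unexplained" (worth
# a closer look); opened by a named user -> "interactive:<who>".
classify_su() {
    su_sessions | while read -r target opener; do
        case "$opener" in
            "(uid=0)")
                if cron_explains "$target"; then
                    echo "$target cron"
                else
                    echo "$target unexplained"
                fi ;;
            *) echo "$target interactive:$opener" ;;
        esac
    done
}

classify_su
```

On a real host, replace the two constructed variables with the output of `grep 'session opened' /var/log/secure` and of the egrep over /etc/cron.*/* plus `crontab -l`.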