Security question regarding root email
John Summerfied
debian at herakles.homelinux.org
Sun Jan 1 17:50:03 UTC 2006
Dotan Cohen wrote:
> I haven't read root's email in about a month. Now that I get around to
> it, I am surprised to see things that I have never seen before, such
> as:
> --------------------- pam_unix Begin ------------------------
> kde-np:
> Unknown Entries:
> session opened for user dotancohen by (uid=0): 1 Time(s)
> ---------------------- pam_unix End -------------------------
>
> --------------------- Smartd Begin ------------------------
> **Unmatched Entries**
> smartd received signal 15: Terminated
> smartd is exiting (exit status 0)
> ---------------------- Smartd End -------------------------
>
> --------------------- Selinux Audit Begin ------------------------
> Number of audit daemon starts: 1
> Number of audit daemon stops: 2
> *** Logs which could mean a bug ***
> major=252 name_count=0: freeing multiple contexts (1)
> major=113 name_count=0: freeing multiple contexts (2)
> ---------------------- Selinux Audit End -------------------------
>
> --------------------- SSHD Begin ------------------------
> SSHD Killed: 1 Time(s)
> SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
> ---------------------- SSHD End -------------------------
>
> --------------------- httpd Begin ------------------------
> Requests with error response codes
> 404 Not Found
> /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
> /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> /favicon.ico: 32 Time(s)
> /javascript/HM_Arrays.js: 1 Time(s)
> /javascript/HM_ScriptDOM.js: 1 Time(s)
> /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
> /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> ---------------------- httpd End -------------------------
>
> --------------------- pam_unix Begin ------------------------
> kde:
> Unknown Entries:
> session closed for user dotancohen: 3 Time(s)
> session opened for user dotancohen by (uid=0): 3 Time(s)
This looks like you logging in and out three times.
> kde-np:
> Unknown Entries:
> session closed for user dotancohen: 3 Time(s)
> session opened for user dotancohen by (uid=0): 2 Time(s)
More, similar.
> su:
> Sessions Opened:
> (uid=500) -> root: 3 Time(s)
You becoming root.
> system-config-display:
Maybe you reconfigured your display?
> Unknown Entries:
> auth could not identify password for [root]: 1 Time(s)
> ---------------------- pam_unix End -------------------------
>
> --------------------- httpd Begin ------------------------
> Requests with error response codes
> 403 Forbidden
> /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
Some versions of awstats let the ungodly in. If you're not current you
may have a problem.
> 404 Not Found
> /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
> /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
> /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
This looks like phpBB stuff, some versions of which let the ungodly in.
> /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /blog/xmlrpc.php: 2 Time(s)
> /blog/xmlsrv/xmlrpc.php: 2 Time(s)
> /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
> /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
> /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> /drupal/xmlrpc.php: 2 Time(s)
> /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
> /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
> /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
> /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
> /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> /phpgroupware/xmlrpc.php: 2 Time(s)
One hopes you're on the requisite lists for phpgroupware. I know it's
big; you need to keep an eye out for problems and their fixes.
> /wordpress/xmlrpc.php: 2 Time(s)
> /xmlrpc.php: 4 Time(s)
> /xmlrpc/xmlrpc.php: 2 Time(s)
> /xmlsrv/xmlrpc.php: 2 Time(s)
> ---------------------- httpd End -------------------------
>
> --------------------- pam_unix Begin ------------------------
> kde-np:
> Unknown Entries:
> session closed for user dotancohen: 2 Time(s)
> session opened for user dotancohen by (uid=0): 1 Time(s)
This looks to me like you logging out.
> su:
> Sessions Opened:
> (uid=500) -> root: 3 Time(s)
This looks like you becoming root three times.
> ---------------------- pam_unix End -------------------------
>
> These are the most suspicious. If anyone could clarify on them a bit,
> I would appreciate it. Thank you!
>
> Dotan Cohen
> http://technology-sleuth.com/index.php
Hmm.
> %^
>
--
Cheers
John
-- spambait
1aaaaaaa at computerdatasafe.com.au Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
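The useful distinction John draws from the httpd section is between probes that hit nothing (403/404 against applications you do not run) and probes against software you actually have installed and must keep current. As an added example, not part of either message, here is a small Python triage script that reads Apache access-log lines, recognises the probe families seen in the report above (awstats.pl configdir, Mambo index2.php _REQUEST[option], phpBB admin_styles.php, Coppermine theme.php, xmlrpc.php) plus the pipe-and-echo command-injection marker, and separates requests the server answered with a success status from those that missed. The log lines, addresses and the parts of the query strings that logwatch elided are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. Paths are modelled on
# the probes summarised in the logwatch report; addresses, timestamps, user
# agents and the elided parts of the query strings are made up for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2006:03:14:07 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 403 291 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2006:03:14:08 +0000] "GET /mambo/index2.php?_REQUEST[option]=com_content&cmd=echo%20YYY;echo| HTTP/1.1" 404 288 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2006:03:14:09 +0000] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=EXAMPLE&cmd=echo%20YYY;echo| HTTP/1.1" 404 288 "-" "Mozilla/4.0"
203.0.113.22 - - [01/Jan/2006:04:02:11 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 404 280 "-" "-"
203.0.113.22 - - [01/Jan/2006:04:02:12 +0000] "GET /wordpress/xmlrpc.php HTTP/1.1" 200 612 "-" "-"
192.0.2.5 - - [01/Jan/2006:05:30:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Jan/2006:05:30:01 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe families visible in the logwatch report, matched on the URL-decoded path.
PROBE_SIGNATURES = [
    ("awstats.pl configdir", re.compile(r"awstats\.pl\?configdir=\|", re.I)),
    ("Mambo index2.php _REQUEST[option]", re.compile(r"index2\.php\?_REQUEST\[option\]=", re.I)),
    ("phpBB admin_styles.php phpbb_root_path", re.compile(r"admin_styles\.php\?phpbb_ro", re.I)),
    ("Coppermine theme.php", re.compile(r"coppermine/themes/[^/]+/theme\.php", re.I)),
    ("xmlrpc.php", re.compile(r"/xmlrpc\.php(\?|$)", re.I)),
]

# The "|echo ... echo|" marker: the scanner pipes echo through the target so
# that a reflected marker string in the response proves command execution.
SHELL_MARKER = re.compile(r"\|\s*echo\b|\becho\s*\|")


def classify(raw_path):
    """Return (signature label or None, shell_marker_present) for one request path."""
    decoded = unquote(raw_path)
    label = next((name for name, rx in PROBE_SIGNATURES if rx.search(decoded)), None)
    return label, bool(SHELL_MARKER.search(decoded))


def parse_line(line):
    """Parse one access-log line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    label, shell = classify(m.group("path"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": m.group("path"),
        "signature": label,
        "shell_marker": shell,
    }


def triage(log_text):
    """Split recognised probes into ones the server answered with a non-error
    status (the application is there: check its version) and ones that hit
    nothing (403/404: background noise), and count probes per source address."""
    answered, noise, per_ip = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (rec["signature"] or rec["shell_marker"]):
            continue  # ordinary traffic such as /favicon.ico or /index.php
        per_ip[rec["ip"]] += 1
        (answered if rec["status"] < 400 else noise).append(rec)
    return {"answered": answered, "noise": noise, "per_ip": per_ip}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Probes the server answered (investigate the installed application):")
    for rec in result["answered"]:
        print(f"  {rec['ip']} {rec['status']} {rec['path']} [{rec['signature']}]")
    print(f"Probes that hit nothing: {len(result['noise'])}")
    for ip, n in result["per_ip"].most_common():
        print(f"  {ip}: {n} probe(s)")
```

In this sample, the awstats, Mambo and phpBB probes all land as 403/404, which is exactly the situation in the report: nothing to exploit, only noise. The one request worth a second look is the 200 on /wordpress/xmlrpc.php, because it shows the application is present and answering, so its version is what matters. Running the same script over a real access log rather than the logwatch summary also gives you the source addresses, which logwatch's per-URL counts drop.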