could you help interpret my logs?
mlm at loanprocessing.net
Sun Oct 3 21:46:45 UTC 2004
----- Original Message -----
From: "Julian Underwood" <mailings at underwoods.net>
To: "For users of Fedora Core releases" <fedora-list at redhat.com>
Sent: Sunday, October 03, 2004 2:42 PM
Subject: Re: could you help interpret my logs?
> On Sun, 2004-10-03 at 12:44, Alexander Dalloz wrote:
> > Am So, den 03.10.2004 schrieb Julian Underwood um 17:12:
> > > Well I know someone was trying to gain access to my FC 2 server:
> > A known person?
> > > su:
> > > Sessions Opened:
> > > (uid=0) -> julian: 2 Time(s)
> > > (uid=0) -> cyrus: 1 Time(s)
> > > (uid=0) -> news: 1 Time(s)
> > > julian(uid=500) -> root: 1 Time(s)
> > >
> > From what do you conclude that the attacker logged in as cyrus and news?
> > I would think it was you as root doing so by running "su - $username".
> > (One time su'ing from julian to root.) The logwatch entries point to su
> > actions. If it wasn't you, then switch off the machine from net, as a
> > foreign person has root control over the host.
> The only account I 'su' to is root. I know I could figure out this one
> by Googling, but while I'm still typing--does the cyrus or news account
> have passwords, or are they disabled from login? What do the middle two
> entries above indicate?
Those news and cyrus logins are from batch jobs that run during the day. Check your
/etc/cron.daily directory for details.
Hope this helps,
More information about the users