could you help interpret my logs?

Julian Underwood mailings at underwoods.net
Sun Oct 3 21:42:23 UTC 2004


On Sun, 2004-10-03 at 12:44, Alexander Dalloz wrote:
> On Sun, 03.10.2004 at 17:12, Julian Underwood wrote:
> 
> > Well I know someone was trying to gain access to my FC 2 server:
> 
> A known person?

No.

> 
> > su:
> >    Sessions Opened:
> >       (uid=0) -> julian: 2 Time(s)
> >       (uid=0) -> cyrus: 1 Time(s)
> >       (uid=0) -> news: 1 Time(s)
> >       julian(uid=500) -> root: 1 Time(s)
> 
> From what do you conclude that the attacker logged in as cyrus and news?
> I would think it was you as root doing so by running "su - $username".
> (One time su'ing from julian to root.) The logwatch entries point to su
> actions. If it wasn't you, then switch off the machine from net, as a
> foreign person has root control over the host.

The only account I 'su' to is root.  I know I could figure out this one
by Googling, but while I'm still typing--does the cyrus or news account
have passwords, or are they disabled from login?  What do the middle two
entries above indicate?


Thanks,

Julian
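The two things Julian asks about (whether cyrus and news can authenticate at all, and what "(uid=0) -> cyrus" means) can both be answered from the host itself. The script below is an added example and not part of the thread; it is not Alexander's or Julian's code. It runs against constructed /etc/passwd, /etc/shadow and /var/log/secure samples embedded as shell variables (host name "fc2", PIDs and timestamps are made up) in the pam_unix format "session opened for user TO by FROM(uid=N)" that logwatch summarises as "FROM(uid=N) -> TO"; on a real box you would feed it the actual files. The security point it makes explicit: a shadow password field of "!!", "!" or "*" cannot match any password, so such an account cannot log in with one, but root can still "su - user" without any prompt, which is exactly what an empty FROM with uid=0 records. Those lines therefore say nothing about the target account's password having been used.

```bash
#!/bin/bash
# Added example (not from the original thread). All three samples below are
# CONSTRUCTED to look like Fedora Core 2 files; replace them with
# "$(cat /etc/passwd)", "$(cat /etc/shadow)" and "$(cat /var/log/secure)" on a real host.
LC_ALL=C
export LC_ALL

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
julian:x:500:500:Julian:/home/julian:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
news:x:9:13:news:/etc/news:'

# "!!" and "*" are the usual locked markers for service accounts; "$1$..." is a real MD5 hash.
SHADOW_SAMPLE='root:$1$abc$hashedhashedhashed:12500:0:99999:7:::
julian:$1$def$hashedhashedhashed:12500:0:99999:7:::
cyrus:!!:12500:0:99999:7:::
news:*:12500:0:99999:7:::'

# pam_unix su lines as they appeared in /var/log/secure; "by (uid=0)" has an
# empty login name because the switch was done from a root shell or root-owned process.
SECURE_SAMPLE='Oct  3 17:05:12 fc2 su(pam_unix)[4121]: session opened for user root by julian(uid=500)
Oct  3 17:05:40 fc2 su(pam_unix)[4133]: session opened for user cyrus by (uid=0)
Oct  3 17:06:02 fc2 su(pam_unix)[4140]: session opened for user news by (uid=0)
Oct  3 17:07:11 fc2 su(pam_unix)[4158]: session opened for user julian by (uid=0)
Oct  3 17:09:30 fc2 su(pam_unix)[4170]: session opened for user julian by (uid=0)'

# account_status USER: one line saying whether USER can authenticate with a
# password and whether it has a login shell. An EMPTY shadow field is the
# dangerous case (no password needed); "!", "!!" and "*" mean no password
# can ever match. An empty passwd shell field means the default /bin/sh.
account_status() {
    local user=$1 pwline hash shell pw shell_desc
    pwline=$(printf '%s\n' "$PASSWD_SAMPLE" | grep "^$user:")
    [ -n "$pwline" ] || { printf '%s: no such account\n' "$user"; return 1; }
    hash=$(printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$user" '$1 == u { print $2 }')
    shell=$(printf '%s\n' "$pwline" | cut -d: -f7)
    case $hash in
        '')       pw="EMPTY password field (logs in with no password)" ;;
        '!'*|'*') pw="password locked" ;;
        *)        pw="password set" ;;
    esac
    case $shell in
        '')                shell_desc="login shell (passwd shell field empty, defaults to /bin/sh)" ;;
        */nologin|*/false) shell_desc="no login shell ($shell)" ;;
        *)                 shell_desc="login shell $shell" ;;
    esac
    printf '%s: %s, %s\n' "$user" "$pw" "$shell_desc"
}

# su_sessions: reduce the pam_unix lines to "FROM -> TO: N Time(s)", the
# same shape logwatch prints. Lines whose FROM is just "(uid=0)" were started
# by root and involved no password prompt for TO.
su_sessions() {
    printf '%s\n' "$SECURE_SAMPLE" \
    | sed -n 's/.* su(pam_unix)\[[0-9]*\]: session opened for user \([^ ]*\) by \(.*\)$/\2 -> \1/p' \
    | sort | uniq -c \
    | sed 's/^ *\([0-9]*\) \(.*\)$/\2: \1 Time(s)/'
}

# Stand-alone run: report on the three accounts, then the su summary.
for u in cyrus news julian; do account_status "$u"; done
echo
su_sessions
```

Against the constructed samples this prints "cyrus: password locked, login shell /bin/bash" and "news: password locked, login shell (passwd shell field empty, defaults to /bin/sh)", then the four "-> " lines matching the logwatch excerpt. The follow-up check on a real host, if you did not run those su commands yourself, is to look at what runs as root around the logged times (cron jobs and init scripts that wrap service commands in "su - cyrus -c ..." are the usual benign explanation) and, failing that, to treat the box as compromised as Alexander says.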
