Security question regarding root email

Charles Howse chowse at charter.net
Sun Jan 1 15:05:55 UTC 2006 

> I haven't read root's email in about a month. Now that I get around to
> it, I am suprised to see things that I have never seen before, such
> as:
>  --------------------- pam_unix Begin ------------------------
>  kde-np:
>     Unknown Entries:
>        session opened for user dotancohen by (uid=0): 1 Time(s)
>  ---------------------- pam_unix End -------------------------
For the above, I would find out what kde-np is.  What little Googling I did
suggests it's a script that provides auto-login for some other application.
Might not be anything to worry about.
You're seeing it here because LogWatch hasn't been told to ignore it.

>  --------------------- Smartd Begin ------------------------
>  **Unmatched Entries**
>  smartd received signal 15: Terminated
>  smartd is exiting (exit status 0)
>  ---------------------- Smartd End -------------------------
Smartd monitors the SMART status of your drives.
Looks like LogWatch is just showing you that Smartd was terminated with a
signal 15 once, and quit cleanly once, possibly on shutdown.
For more info: $ man smartd

>  --------------------- httpd Begin ------------------------
>  Requests with error response codes
>     404 Not Found
>        /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1
> Time(s)
>        /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> Time(s)
Can't see the entire lines above, but if your Apache server faces the
Internet, take the appropriate precautions.  It's not so much the 404's you
want to monitor, it's the stuff that worked...the commands that actually
executed, know what I mean?
>        /favicon.ico: 32 Time(s)
Easy, Google for favicon.ico

>  --------------------- httpd Begin ------------------------
>  Requests with error response codes
>     403 Forbidden
>        /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1
> Time(s)
>        /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1
> Time(s)
Someone, or 'somebot', doesn't have permission to access the file indicated.

> These are the most suspicious. If anyone could crarify on them a bit,
> i would appreciate it. Thank you!

Doesn't look like you have anything to panic about, but you have some
research to do.  :-)

HTH,
Charles
 

More information about the users mailing list