On Sun, 2004-10-03 at 12:44, Alexander Dalloz wrote:
> On Sun, 03.10.2004 at 17:12, Julian Underwood wrote:
>
> > Well I know someone was trying to gain access to my FC 2 server:
>
> A known person?

No.

> > su:
> > Sessions Opened:
> > (uid=0) -> julian: 2 Time(s)
> > (uid=0) -> cyrus: 1 Time(s)
> > (uid=0) -> news: 1 Time(s)
> > julian(uid=500) -> root: 1 Time(s)
> >
>
> From what do you conclude that the attacker logged in as cyrus and news?
> I would think it was you as root doing so by running "su - $username".
> (One time su'ing from julian to root.) The logwatch entries point to su
> actions. If it wasn't you, then switch off the machine from net, as a
> foreign person has root control over the host.

The only account I 'su' to is root. I know I could figure out this one
by Googling, but while I'm still typing--does the cyrus or news account
have passwords, or are they disabled from login? What do the middle two
entries above indicate?

Thanks,
Julian
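Added example, not part of the original messages: a small parser that rebuilds the logwatch-style su summary from raw session lines, so each count can be traced back to a timestamp and to the account that invoked su. The log line format is an assumption modelled on pam_unix syslog output, and the sample lines are constructed to reproduce the counts quoted above.

```python
import re
from collections import Counter

# Constructed sample in the assumed pam_unix syslog format; not from the original post.
SAMPLE_LOG = """\
Oct  2 04:02:11 host su(pam_unix)[2311]: session opened for user news by (uid=0)
Oct  2 04:02:12 host su(pam_unix)[2311]: session closed for user news
Oct  2 04:05:40 host su(pam_unix)[2407]: session opened for user cyrus by (uid=0)
Oct  2 19:20:03 host su(pam_unix)[5120]: session opened for user root by julian(uid=500)
Oct  2 19:31:47 host su(pam_unix)[5188]: session opened for user julian by (uid=0)
Oct  2 20:10:09 host su(pam_unix)[5302]: session opened for user julian by (uid=0)
Oct  2 20:15:00 host sshd(pam_unix)[5400]: session opened for user julian by (uid=0)
"""

# "by NAME(uid=N)": NAME is empty when no login name was recorded for the caller.
SU_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssu(?:\(pam_unix\))?\[\d+\]:\s"
    r"session opened for user (?P<target>\S+) by (?P<by>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)

def parse_su_sessions(text):
    """Return one dict per su 'session opened' line; other services are skipped."""
    return [m.groupdict() for m in map(SU_OPEN.match, text.splitlines()) if m]

def summarize(events):
    """Count sessions per 'source -> target' pair, as in the report's su section."""
    return Counter(f"{e['by']}(uid={e['uid']}) -> {e['target']}" for e in events)

def root_without_login_name(events):
    """Sessions started by uid 0 with no login name: the entries to correlate
    by timestamp with cron runs and known interactive logins."""
    return [(e["ts"], e["target"]) for e in events if e["uid"] == "0" and not e["by"]]

if __name__ == "__main__":
    events = parse_su_sessions(SAMPLE_LOG)
    for pair, n in summarize(events).items():
        print(f"{pair}: {n} Time(s)")
    for ts, target in root_without_login_name(events):
        print(f"check {ts}: root -> {target}")
```

Run against the real log file instead of `SAMPLE_LOG`, the timestamps returned by `root_without_login_name` are what to compare with scheduled job times and your own login history.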