----- Original Message -----
From: "Julian Underwood" <mailings@xxxxxxxxxxxxxx>
To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
Sent: Sunday, October 03, 2004 2:42 PM
Subject: Re: could you help interpret my logs?

> On Sun, 2004-10-03 at 12:44, Alexander Dalloz wrote:
> > On Sun, 03.10.2004, Julian Underwood wrote at 17:12:
> >
> > > Well I know someone was trying to gain access to my FC 2 server:
> >
> > A known person?
>
> No.
>
> > > su:
> > > Sessions Opened:
> > > (uid=0) -> julian: 2 Time(s)
> > > (uid=0) -> cyrus: 1 Time(s)
> > > (uid=0) -> news: 1 Time(s)
> > > julian(uid=500) -> root: 1 Time(s)
> >
> > From what do you conclude that the attacker logged in as cyrus and news?
> > I would think it was you as root doing so by running "su - $username".
> > (One time su'ing from julian to root.) The logwatch entries point to su
> > actions. If it wasn't you, then switch off the machine from the net, as a
> > foreign person has root control over the host.
>
> The only account I 'su' to is root. I know I could figure out this one
> by Googling, but while I'm still typing--does the cyrus or news account
> have passwords, or are they disabled from login? What do the middle two
> entries above indicate?
>
> Thanks,
> Julian
>

Those news and cyrus logins are from batch jobs that run during the day.
Check your /etc/cron.daily directory for details.

Hope this helps,
Mike
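The two questions in this thread (can the cyrus and news accounts log in at all, and which cron.daily scripts su to them) can be answered from /etc/passwd, /etc/shadow and /etc/cron.daily. The script below is an added example, not from the thread or from Fedora; it runs on constructed copies of those files (the account names, uids, hashes and script contents are made up) and the same functions can be pointed at the real files on a live host.

```shell
#!/bin/sh
# Added example, not from the thread. After seeing "(uid=0) -> cyrus" in
# logwatch, two checks: can that account log in at all, and which cron.daily
# scripts su to it? Runs offline on constructed copies of passwd, shadow and
# cron.daily; pass the real /etc files to audit a live host.

# account_status NAME PASSWD SHADOW -> locked | nologin | login-capable
account_status() {
    hash=$(awk -F: -v u="$1" '$1 == u { print $2 }' "$3")
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    case "$hash" in
        ''|'!'*|'*'*) echo locked; return 0 ;;  # no usable password hash
    esac
    case "$shell" in
        */nologin|*/false) echo nologin ;;       # hash set, shell refuses login
        *) echo login-capable ;;
    esac
}

# su_users_in CRON_DIR -> accounts that uncommented "su [-] NAME" lines in the
# scripts switch to (the "su -c CMD NAME" form is not recognised)
su_users_in() {
    for f in "$1"/*; do
        [ -f "$f" ] && sed -nE '/^[[:space:]]*#/d; s/^(.*[^[:alnum:]_])?su( +-)? +([a-z_][a-z0-9_-]*).*/\3/p' "$f"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# make_sample -> prints a temp dir holding constructed passwd, shadow, cron.daily
make_sample() {
    d=$(mktemp -d) && mkdir "$d/cron.daily"
    cat > "$d/passwd" <<'EOF'
julian:x:500:500::/home/julian:/bin/bash
cyrus:x:76:12:Cyrus IMAP:/var/lib/imap:/bin/bash
news:x:9:13:news:/etc/news:/sbin/nologin
EOF
    cat > "$d/shadow" <<'EOF'
julian:$1$constructed$notarealhashxxxxxxxx:12500:0:99999:7:::
cyrus:!!:12500:0:99999:7:::
news:*:12500:0:99999:7:::
EOF
    echo 'su - cyrus -c /usr/local/bin/cyr_expire' > "$d/cron.daily/0cyrus"
    printf '# su - backup\nsu news -c /usr/local/bin/news.daily\n' > "$d/cron.daily/0news"
    echo '/usr/sbin/logrotate /etc/logrotate.conf' > "$d/cron.daily/logrotate"
    echo "$d"
}

d=$(make_sample)
for u in julian cyrus news; do echo "$u: $(account_status "$u" "$d/passwd" "$d/shadow")"; done
echo "cron.daily su targets: $(su_users_in "$d/cron.daily")"
rm -rf "$d"
```

On the constructed data both service accounts report "locked" and the su targets found in cron.daily are exactly cyrus and news, which is the benign explanation Mike gives; a service account that instead reports "login-capable" is the case worth following up.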