Am So, den 03.10.2004 schrieb Julian Underwood um 17:12:
su: Sessions Opened: (uid=0) -> julian: 2 Time(s) (uid=0) -> cyrus: 1 Time(s) (uid=0) -> news: 1 Time(s) julian(uid=500) -> root: 1 Time(s)
It also looks like the attacker was successful in logging in as cyrus and news. Is this possible? Could this be potentially damaging to my system? Or is this something normal which I am overlooking?
From what do you conclude that the attacker logged in as cyrus and news? I would think it was you as root doing so by running "su - $username". (One time su'ing from julian to root.) The logwatch entries point to su actions. If it wasn't you, then switch off the machine from net, as a foreign person has root control over the host.
These su sessions could be administrative tasks performed by crontab jobs. Look in /etc/cron.*/ and also the output from "crontab -l", e.g.
egrep 'news|cyrus' /etc/cron.*/* crontab -l | egrep 'news|cyrus'
You can check /var/log/cron* for cron executions too.
-- Marina Buitrago Bravo Servicio de Informática y Comunicaciones Universidad de Sevilla "El tiempo no es importante, sólo la vida es importante."
