On 1/1/06, John Summerfied <debian@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Dotan Cohen wrote:
> > I haven't read root's email in about a month. Now that I get around to
> > it, I am surprised to see things that I have never seen before, such
> > as:
> > --------------------- pam_unix Begin ------------------------
> > kde-np:
> >    Unknown Entries:
> >       session opened for user dotancohen by (uid=0): 1 Time(s)
> > ---------------------- pam_unix End -------------------------
> >
> > --------------------- Smartd Begin ------------------------
> > **Unmatched Entries**
> > smartd received signal 15: Terminated
> > smartd is exiting (exit status 0)
> > ---------------------- Smartd End -------------------------
> >
> > --------------------- Selinux Audit Begin ------------------------
> > Number of audit daemon starts: 1
> > Number of audit daemon stops: 2
> > *** Logs which could mean a bug ***
> > major=252 name_count=0: freeing multiple contexts (1)
> > major=113 name_count=0: freeing multiple contexts (2)
> > ---------------------- Selinux Audit End -------------------------
> >
> > --------------------- SSHD Begin ------------------------
> > SSHD Killed: 1 Time(s)
> > SSHD Started: 1 Time(s)
> Normal restart stuff here and in some other places.
>

Do you mean that this is logged when the computer restarts? Because I
have never restarted SSH.

> > ---------------------- SSHD End -------------------------
> >
> > --------------------- httpd Begin ------------------------
> > Requests with error response codes
> >    404 Not Found
> >       /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
> >       /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> >       /favicon.ico: 32 Time(s)
> >       /javascript/HM_Arrays.js: 1 Time(s)
> >       /javascript/HM_ScriptDOM.js: 1 Time(s)
> >       /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
> >       /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> > ---------------------- httpd End -------------------------
> >
> > --------------------- pam_unix Begin ------------------------
> > kde:
> >    Unknown Entries:
> >       session closed for user dotancohen: 3 Time(s)
> >       session opened for user dotancohen by (uid=0): 3 Time(s)
> This looks like you logging in and out three times.
>

Should that concern me if I don't think that I had EVER logged out and
then back in? This is a one-man box.

> > kde-np:
> >    Unknown Entries:
> >       session closed for user dotancohen: 3 Time(s)
> >       session opened for user dotancohen by (uid=0): 2 Time(s)
> More, similar.
> > su:
> >    Sessions Opened:
> >       (uid=500) -> root: 3 Time(s)
> You becoming root/
> > system-config-display:
> Maybe you reconfigured your display?

Nope. I'm glad that I don't need to!

> >    Unknown Entries:
> >       auth could not identify password for [root]: 1 Time(s)
> > ---------------------- pam_unix End -------------------------
> >
> > --------------------- httpd Begin ------------------------
> > Requests with error response codes
> >    403 Forbidden
> >       /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> >       /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
>
> Some versions of awstats let the ungodly in. If you're not current you
> may have a problem,
>

At least here I feel safe- no third party php software on the system.
Just my own home-brewed stuff. Assuming that is secure...

> >    404 Not Found
> >       /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
> >       /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
> >       /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
>
> this looks like php bb stuff, some versions of which let the ungodly in.
>
> >       /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> >       /blog/xmlrpc.php: 2 Time(s)
> >       /blog/xmlsrv/xmlrpc.php: 2 Time(s)
> >       /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
> >       /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
> >       /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> >       /drupal/xmlrpc.php: 2 Time(s)
> >       /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
> >       /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
> >       /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
> >       /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
> >       /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> >       /phpgroupware/xmlrpc.php: 2 Time(s)
>
> One hopes you're in the requisite lists for phpgroupware. I know it's
> big, you need to keep an eye out for problems and their fixes.
>
> >       /wordpress/xmlrpc.php: 2 Time(s)
> >       /xmlrpc.php: 4 Time(s)
> >       /xmlrpc/xmlrpc.php: 2 Time(s)
> >       /xmlsrv/xmlrpc.php: 2 Time(s)
> > ---------------------- httpd End -------------------------
> >
> > --------------------- pam_unix Begin ------------------------
> > kde-np:
> >    Unknown Entries:
> >       session closed for user dotancohen: 2 Time(s)
> >       session opened for user dotancohen by (uid=0): 1 Time(s)
> This looks to me like you logging out.

I don't do that. One man-box.

> > su:
> >    Sessions Opened:
> >       (uid=500) -> root: 3 Time(s)
> this looks like you becoming root three times.
>

That is possible.

> > ---------------------- pam_unix End -------------------------
> >
> > These are the most suspicious. If anyone could clarify on them a bit,
> > I would appreciate it. Thank you!
> >
> > Dotan Cohen
> > http://technology-sleuth.com/index.php
> Hmm.
>
> %^
>
> Cheers
> John
>

Thanks. I do appreciate the explanations, and the time you invest.

Dotan Cohen
http://technology-sleuth.com/question/what_is_a_cellphone.html
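
Added example, not part of the original thread: a small triage script for the kind of httpd entries in the logwatch report above. It matches the probe paths visible in the report (awstats `configdir=|`, `xmlrpc.php`, mambo `index2.php?_REQUEST[`, phpBB `admin_styles.php`) and separates the ones the server rejected from the ones it answered. The Apache combined log format, the signature names and the sample log lines are assumptions; the sample lines are constructed and use placeholder payloads.

```python
import re
from collections import Counter

# Probe signatures taken from request paths visible in the logwatch report.
SIGNATURES = {
    "awstats-configdir": re.compile(r"awstats\.pl\?configdir=(\||%7c)", re.I),
    "xmlrpc": re.compile(r"/xmlrpc\.php(\?|$)", re.I),
    "mambo-request-override": re.compile(r"index2\.php\?_REQUEST(\[|%5b)", re.I),
    "phpbb-admin-styles": re.compile(r"admin_styles\.php", re.I),
}

# Assumed Apache common/combined format: host - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines: documentation addresses, placeholder payloads.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2006:03:12:01 +0200] "GET /cgi-bin/awstats.pl?configdir=|PLACEHOLDER| HTTP/1.1" 403 291
192.0.2.10 - - [01/Jan/2006:03:12:02 +0200] "POST /xmlrpc.php HTTP/1.1" 404 285
192.0.2.10 - - [01/Jan/2006:03:12:03 +0200] "GET /mambo/index2.php?_REQUEST[option]=PLACEHOLDER HTTP/1.1" 404 290
198.51.100.7 - - [01/Jan/2006:09:30:44 +0200] "GET /favicon.ico HTTP/1.1" 404 280
203.0.113.5 - - [01/Jan/2006:11:02:10 +0200] "POST /blog/xmlrpc.php HTTP/1.1" 200 512
"""

def classify(target):
    """Return the name of the first signature matching the request target, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(target):
            return name
    return None

def triage(log_text):
    """Count rejected probes (status >= 400) and list probes that got any other answer."""
    rejected, answered = Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        sig = classify(m.group(2)) if m else None
        if sig is None:
            continue  # unparseable line or ordinary request (e.g. /favicon.ico)
        host, target, status = m.group(1), m.group(2), int(m.group(3))
        if status >= 400:
            rejected[sig] += 1
        else:
            answered.append((host, sig, target, status))
    return rejected, answered

if __name__ == "__main__":
    rejected, answered = triage(SAMPLE_LOG)
    print("rejected probes:", dict(rejected))
    print("answered probes (review these):", answered)
```

Entries in the rejected bucket correspond to the 403/404 lines logwatch summarises; anything in the answered bucket means the probed script exists on the host and its installed version should be checked.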