Re: [suse-security] Strange entry in message-log?

[Sven 'Darkman' Michels <sven@xxxxxxxxxx>]

Albl, Thomas wrote:
> Hi,
>
> sorry I'm not very used with the entries in the message-log, though I can't
> identify, if the following lines are harmless (because the system has done
> something for which it uses root rights) or dangerous (because someone has
> hacked the box an got root rights for the user nobody)
>
> Jul  3 00:15:12 www PAM-unix2[4780]: session started for user nobody,
> service su
> Jul  3 00:16:54 www PAM-unix2[4780]: session finished for user nobody,
> service su
>
>
> The Linux-Box runs SuSE-Linux 7.2 Kernel 2.4.7 - it denies connections other
> from our router (i hope so) and runs apache 1.3.26, tomcat 4.0.2, php 4.0.1.
>
> Can anyone help with a hint?

with that old box you should really care about updates. did you run
fou4s or so lately? (and a kernel update maybe, 2.4.7 has local root
exploits (ptrace). But back to your question: these entrys are generated
by a daily cronjob (updatedb etc.) and is started every night at 0:15.
So it's nothing really unusual and you can relax with that :)

Regards,
Sven



--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here