Stephen Gran on 16 Jan 2005 01:08:09 -0000



Re: [PLUG] what is this?


On Sat, Jan 15, 2005 at 03:22:26AM -0500, Doug Crompton said:
> I have noticed an entry in my log as follows...
> 
> Jan 15 00:15:18 bridget su: (to root) root on none
> Jan 15 00:15:18 bridget PAM-unix2[13849]: session started for user root,
> service su
> Jan 15 00:16:34 bridget PAM-unix2[13849]: session finished for user root,
> service su
> 
> These appear every day at exactly the same time. I have no crontab entry
> for any jobs at this time. I checked back and it appears as far back as a
> year ago, the last log I have. I ran 'chkrootkit' and it was clean. I
> generally have the system pretty well locked up. Worrying about a possible
> compromise. Any ideas?

It is a daily cronjob, probably run from cron.daily, and probably
updatedb.  Take a look at /etc/cron.daily/updatedb (or find - I forget)
for a line that looks like:

cd / && updatedb --localuser=root

Give or take.
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | A foolish consistency is the hobgoblin  |
|  steve@lobefin.net             | of little minds.   -- Ralph Waldo       |
|  http://www.lobefin.net/~steve | Emerson                                 |
 --------------------------------------------------------------------------

Attachment: pgpyT5MNgwnXq.pgp
Description: PGP signature
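
One way to carry out the check suggested in the reply above, as an added example that is not part of the original thread: tally the tty-less su-to-root log entries by time of day, then list the cron entries that could produce them. The function names are hypothetical, the log file path is passed as an argument, and a Debian-style /etc/crontab that starts cron.daily at a fixed time is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh su-cron-check.sh LOGFILE
# Function names are hypothetical; a Debian-style /etc/crontab is assumed.

# su_times LOGFILE
# Print "COUNT HH:MM" for every minute of the day at which a su to root
# with no terminal ("on none") was logged, most frequent first.
su_times() {
    awk '/ su: \(to root\) .* on none/ { print substr($3, 1, 5) }' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# daily_run_time [ROOT]
# Print HH:MM of the /etc/crontab entry that starts cron.daily, if it has
# plain numeric minute and hour fields. ROOT is an optional path prefix.
daily_run_time() {
    awk '!/^[[:space:]]*#/ && /cron\.daily/ &&
         $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
             printf "%02d:%02d\n", $2, $1; exit
         }' "${1:-}/etc/crontab"
}

# cron_su_jobs [ROOT]
# Print file:line:text for cron entries that call su directly or pass
# --localuser (the updatedb option quoted in the reply).
cron_su_jobs() {
    root=${1:-}
    for path in "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.daily"; do
        [ -e "$path" ] || continue
        grep -rHnE '(^|[^[:alnum:]_])su[[:space:]]|--localuser' "$path" \
            2>/dev/null || :
    done
}

# Run the three checks against the live system when a log file is given.
if [ -n "${1:-}" ]; then
    echo "su to root without a tty, by time of day:"
    su_times "$1"
    echo "cron.daily start time: $(daily_run_time)"
    echo "cron entries that can invoke su:"
    cron_su_jobs
fi
```

If the most frequent time from the log is at or shortly after the cron.daily start time and a listed job contains the su or --localuser call, the log entries are accounted for.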

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug