
   ***: portertech has joined #arpnetworks
   <br> LT has joined #arpnetworks
   <br> Ehtyar has quit IRC (Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.)
   <br> toddf has quit IRC (Ping timeout: 260 seconds)
   <br> toddf has joined #arpnetworks
   <br> ChanServ sets mode: +o toddf
   -: up_the_irons looks around
   ***: heavysixer has joined #arpnetworks
   <br> ChanServ sets mode: +o heavysixer
   -: mhoran looks at up_the_irons
   <br> up_the_irons looks back at mhoran
   <br> up_the_irons is watching TED
   up_the_irons: an interesting one: http://www.ted.com/talks/daniel_schnitzer_inventing_is_the_easy_part.html
   mhoran: Interesting.
   ***: heavysixer has quit IRC (Read error: Connection reset by peer)
   <br> mick_laptop has joined #arpnetworks
   mick_laptop: anyone know wth this could be:
   <br> Apr  5 06:40:23 www su[26316]: Successful su for nobody by root
   <br> Apr  5 06:40:23 www su[26316]: + ??? root:nobody
   <br> the last time that I remember doing anything was: [Apr  4 15:40:28]
   <br> and I've never su'ed from root to nobody
   <br> w doesn't show anyone but me logged in
   <br> <u>up_the_irons</u>: you didn't happen to be doing something w/ the vps ~1 hr ago?
   LT: some services might have a su to nobody in the init script to drop privs? anything running as nobody?
   mick_laptop: ah... hmm, let me look into this
   <br> thanks LT
   jpalmer: if they su to drop privs, they are doing it wrong. I'd be getting rid of that service immediately.
   mick_laptop: # ps -u nobody
   <br> PID TTY          TIME CMD
   <br> nothing
   LT: heh, I never said they were well written init scripts... I think amavis or clam or something like that used to do it though
   jpalmer: ahh,  never liked amavis or clamav.  that knowledge just reinforces that I was right a few years ago :P
   mick_laptop: hmm, I looked at asterisk (which has been running for a few days) - the init script doesn't look to be doing that
   <br> hmmm
   LT: could be a cron job as well... maybe worth grepping for nobody over all of /etc
   <br> hmm, what OS are you running on the VPS?
   mick_laptop: debian
   LT: http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.2.4
   mick_laptop: http://pastebin.com/raw.php?i=3NHv9aKM
   <br> <u>LT</u>: I don't see matches for that
   <br> oh the other does match
   <br> yay!
   <br> grep 25 /etc/crontab
   <br> :D
   <br> thanks a lot LT
   <br> shitty feeling to wake up to an IDS message about: su -
   <br> when you weren't awake :)
   LT: hate to break it to you but the grep for 25 in the manual is checking the time matches the log timestamp...
   <br> look at the cron logs and see if it was doing anything at 6:40
   mick_laptop: # grep 25 /etc/crontab
   <br> 25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
   LT: ah... could still be running at 6:40 then yeah
   <br> particularly if it's that locate job...
   mick_laptop: # cat /var/log/syslog | grep cron
   <br> Apr  5 07:00:01 www /USR/SBIN/CRON[26430]: (root) CMD (   test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; })
   <br> Apr  5 07:17:01 www /USR/SBIN/CRON[27524]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
   <br> nothing at that time though, the rotated log just has: Apr  5 06:25:01 www /USR/SBIN/CRON[24631]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
   LT: pretty sure it's cron then - your grep shows that the locate cron job runs as nobody, and you know the crons started at 6:25
   mick_laptop: thanks a lot
   ***: heavysixer has joined #arpnetworks
   <br> ChanServ sets mode: +o heavysixer
   <br> LT has quit IRC (Quit: Leaving)
   <br> HighJinx has quit IRC (Quit: Computer has gone to sleep.)
   <br> HighJinx has joined #arpnetworks
   <br> heavysixer has quit IRC (Read error: Connection reset by peer)
   <br> heavysixer has joined #arpnetworks
   <br> ChanServ sets mode: +o heavysixer
   <br> HighJinx has quit IRC (Remote host closed the connection)
   <br> HighJinx has joined #arpnetworks
   <br> HighJinx has quit IRC (Remote host closed the connection)
   <br> HighJinx has joined #arpnetworks
   <br> HighJinx has quit IRC (Remote host closed the connection)
   <br> HighJinx has joined #arpnetworks
   <br> webhostbudd has joined #arpnetworks
   <br> HighJinx has quit IRC (Remote host closed the connection)
   <br> HighJinx has joined #arpnetworks
   <br> webhostbudd has quit IRC (Quit: Leaving.)
   <br> Ehtyar has joined #arpnetworks
   <br> hive-mind has quit IRC (Changing host)
   <br> hive-mind has joined #arpnetworks
   <br> hive-mind has quit IRC (Quit: leaving)
   <br> hive-mind has joined #arpnetworks
   <br> ninor has quit IRC (Read error: Connection timed out)
   <br> amdprophet has quit IRC (Quit: Leaving...)
   <br> ninor has joined #arpnetworks
   <br> HighJinx has quit IRC (Remote host closed the connection)
   <br> HighJinx has joined #arpnetworks
   <br> HighJinx has quit IRC (Remote host closed the connection)
   <br> HighJinx has joined #arpnetworks
   <br> HighJinx has quit IRC (Quit: Computer has gone to sleep.)
   <br> HighJinx has joined #arpnetworks
   <br> heavysixer has quit IRC (Quit: heavysixer)
   <br> amdprophet has joined #arpnetworks
   <br> meingtsla has quit IRC (Quit: Leaving)
   <br> meingtsla has joined #arpnetworks
   <br> Ehtyar has quit IRC (Remote host closed the connection)