[00:35] *** portertech has quit IRC (Remote host closed the connection)
[00:35] *** portertech has joined #arpnetworks
[00:50] *** LT has joined #arpnetworks
[01:35] *** Ehtyar has quit IRC (Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.)
[02:06] *** toddf has quit IRC (Ping timeout: 260 seconds)
[02:14] *** toddf has joined #arpnetworks
[02:14] *** ChanServ sets mode: +o toddf
[02:27] * up_the_irons looks around
[05:27] *** heavysixer has joined #arpnetworks
[05:27] *** ChanServ sets mode: +o heavysixer
[06:26] * mhoran looks at up_the_irons
[06:36] * up_the_irons looks back at mhoran
[06:36] * up_the_irons is watching TED
[06:37] an interesting one: http://www.ted.com/talks/daniel_schnitzer_inventing_is_the_easy_part.html
[06:40] Interesting.
[07:08] *** heavysixer has quit IRC (Read error: Connection reset by peer)
[07:17] *** mick_laptop has joined #arpnetworks
[07:18] anyone know wth this could be:
[07:18] Apr 5 06:40:23 www su[26316]: Successful su for nobody by root
[07:18] Apr 5 06:40:23 www su[26316]: + ??? root:nobody
[07:18] the last time that I remember doing anything was: [Apr 4 15:40:28]
[07:19] and I've never su'ed from root to nobody
[07:24] w doesn't show anyone but me logged in
[07:24] up_the_irons: you didn't happen to be doing something w/ the vps ~1 hr ago?
[07:26] some services might have a su to nobody in the init script to drop privs? anything running as nobody?
[07:28] ah... hmm, let me look into this
[07:28] thanks LT
[07:29] if they su to drop privs, they are doing it wrong. I'd be getting rid of that service immediately.
[07:30] # ps -u nobody PID TTY TIME CMD
[07:30] nothing
[07:31] heh, I never said they were well written init scripts... I think amavis or clam or something like that used to do it though
[07:32] ahh, never liked amavis or clamav. that knowledge just reinforces that I was right a few years ago :P
[07:36] hmm, I looked at asterisk (which has been running for a few days) - the init script doesn't look to be doing that
[07:36] hmmm
[07:38] could be a cron job as well... maybe worth grepping for nobody over all of /etc
[07:38] hmm, what OS are you running on the VPS?
[07:40] debian
[07:42] http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.2.4
[07:43] http://pastebin.com/raw.php?i=3NHv9aKM
[07:44] LT: I don't see matches for that
[07:45] oh the other does match
[07:45] yay!
[07:46] grep 25 /etc/crontab
[07:46] :D
[07:46] thanks a lot LT
[07:46] shitty feeling to wake up to an IDS message about: su -
[07:46] when you weren't awake :)
[07:47] hate to break it to you but the grep for 25 in the manual is checking the time matches the log timestamp...
[07:48] look at the cron logs and see if it was doing anything at 6:40
[07:48] # grep 25 /etc/crontab
[07:48] 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
[07:49] ah... could still be running at 6:40 then yeah
[07:49] particularly if it's that locate job...
[07:51] # cat /var/log/syslog | grep cron
[07:51] Apr 5 07:00:01 www /USR/SBIN/CRON[26430]: (root) CMD ( test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; })
[07:51] Apr 5 07:17:01 www /USR/SBIN/CRON[27524]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
[07:53] nothing at that time though, the rotated log just has: Apr 5 06:25:01 www /USR/SBIN/CRON[24631]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
[08:00] pretty sure it's cron then - your grep shows that the locate cron job runs as nobody, and you know the crons started at 6:25
[08:01] thanks a lot
[08:04] *** heavysixer has joined #arpnetworks
[08:04] *** ChanServ sets mode: +o heavysixer
[09:09] *** LT has quit IRC (Quit: Leaving)
[09:22] *** HighJinx has quit IRC (Quit: Computer has gone to sleep.)
[09:55] *** HighJinx has joined #arpnetworks
[11:10] *** heavysixer has quit IRC (Read error: Connection reset by peer)
[11:11] *** heavysixer has joined #arpnetworks
[11:11] *** ChanServ sets mode: +o heavysixer
[12:00] *** HighJinx has quit IRC (Remote host closed the connection)
[12:00] *** HighJinx has joined #arpnetworks
[12:01] *** HighJinx has quit IRC (Remote host closed the connection)
[12:01] *** HighJinx has joined #arpnetworks
[14:36] *** HighJinx has quit IRC (Remote host closed the connection)
[14:36] *** HighJinx has joined #arpnetworks
[14:41] *** webhostbudd has joined #arpnetworks
[15:41] *** HighJinx has quit IRC (Remote host closed the connection)
[15:41] *** HighJinx has joined #arpnetworks
[15:49] *** webhostbudd has quit IRC (Quit: Leaving.)
[15:58] *** Ehtyar has joined #arpnetworks
[16:11] *** hive-mind has quit IRC (Changing host)
[16:11] *** hive-mind has joined #arpnetworks
[16:22] *** hive-mind has quit IRC (Quit: leaving)
[16:24] *** hive-mind has joined #arpnetworks
[17:21] *** ninor has quit IRC (Read error: Connection timed out)
[17:21] *** amdprophet has quit IRC (Quit: Leaving...)
[17:22] *** ninor has joined #arpnetworks
[18:00] *** HighJinx has quit IRC (Remote host closed the connection)
[18:01] *** HighJinx has joined #arpnetworks
[18:12] *** HighJinx has quit IRC (Remote host closed the connection)
[18:13] *** HighJinx has joined #arpnetworks
[18:51] *** HighJinx has quit IRC (Quit: Computer has gone to sleep.)
[19:44] *** HighJinx has joined #arpnetworks
[19:48] *** heavysixer has quit IRC (Quit: heavysixer)
[20:00] *** amdprophet has joined #arpnetworks
[20:01] *** meingtsla has quit IRC (Quit: Leaving)
[20:02] *** meingtsla has joined #arpnetworks
[20:11] *** Ehtyar has quit IRC (Remote host closed the connection)