an interesting one: http://www.ted.com/talks/daniel_schnitzer_inventing_is_the_easy_part.html
Interesting.
anyone know wth this could be:
Apr 5 06:40:23 www su[26316]: Successful su for nobody by root
Apr 5 06:40:23 www su[26316]: + ??? root:nobody
the last time that I remember doing anything was: [Apr 4 15:40:28]
and I've never su'ed from root to nobody
w doesn't show anyone but me logged in
up_the_irons: you didn't happen to be doing something w/ the vps ~1 hr ago?
some services might have a su to nobody in the init script to drop privs?
anything running as nobody?
ah... hmm, let me look into this
thanks LT
if the su is to drop privs, they are doing it wrong. I'd be getting rid of that service immediately.
# ps -u nobody
PID TTY TIME CMD
nothing
heh, I never said they were well written init scripts... I think amavis or clam or something like that used to do it though
ahh, never liked amavis or clamav. that knowledge just reinforces that I was right a few years ago :P
hmm, I looked at asterisk (which has been running for a few days) - the init script doesn't look to be doing that
hmmm could be a cron job as well... maybe worth grepping for nobody over all of /etc
hmm, what OS are you running on the VPS?
debian
http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.2.4
http://pastebin.com/raw.php?i=3NHv9aKM
LT: I don't see matches for that
oh the other does match
yay! grep 25 /etc/crontab :D
thanks a lot LT
shitty feeling to wake up to an IDS message about: su - when you weren't awake :)
hate to break it to you but the grep for 25 in the manual is checking the time matches the log timestamp... look at the cron logs and see if it was doing anything at 6:40
# grep 25 /etc/crontab
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
ah... could still be running at 6:40 then
yeah particularly if it's that locate job...
# cat /var/log/syslog | grep cron
Apr 5 07:00:01 www /USR/SBIN/CRON[26430]: (root) CMD ( test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; })
Apr 5 07:17:01 www /USR/SBIN/CRON[27524]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
nothing at that time though, the rotated log just has:
Apr 5 06:25:01 www /USR/SBIN/CRON[24631]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
pretty sure it's cron then - your grep shows that the locate cron job runs as nobody, and you know the crons started at 6:25
thanks a lot