***: portertech has joined #arpnetworks
LT has joined #arpnetworks
Ehtyar has quit IRC (Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.)
toddf has quit IRC (Ping timeout: 260 seconds)
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf
-: up_the_irons looks around
***: heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
-: mhoran looks at up_the_irons
up_the_irons looks back at mhoran
up_the_irons is watching TED
up_the_irons: an interesting one: http://www.ted.com/talks/daniel_schnitzer_inventing_is_the_easy_part.html
mhoran: Interesting.
***: heavysixer has quit IRC (Read error: Connection reset by peer)
mick_laptop has joined #arpnetworks
mick_laptop: anyone know wth this could be:
Apr 5 06:40:23 www su[26316]: Successful su for nobody by root
Apr 5 06:40:23 www su[26316]: + ??? root:nobody
the last time that I remember doing anything was: [Apr 4 15:40:28]
and I've never su'ed from root to nobody
w doesn't show anyone but me logged in
up_the_irons: you didn't happen to be doing something w/ the vps ~1 hr ago?
LT: some services might have a su to nobody in the init script to drop privs? anything running as nobody?
mick_laptop: ah... hmm, let me look into this
thanks LT
jpalmer: if they su to drop privs, they are doing it wrong. I'd be getting rid of that service immediately.
mick_laptop: # ps -u nobody
PID TTY TIME CMD
nothing
LT: heh, I never said they were well written init scripts... I think amavis or clam or something like that used to do it though
jpalmer: ahh, never liked amavis or clamav. that knowledge just reinforces that I was right a few years ago :P
mick_laptop: hmm, I looked at asterisk (which has been running for a few days) - the init script doesn't look to be doing that
hmmm
LT: could be a cron job as well... maybe worth grepping for nobody over all of /etc
hmm, what OS are you running on the VPS?
mick_laptop: debian
LT: http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.2.4
mick_laptop: http://pastebin.com/raw.php?i=3NHv9aKM
LT: I don't see matches for that
oh the other does match
yay!
grep 25 /etc/crontab
:D
thanks a lot LT
shitty feeling to wake up to an IDS message about: su -
when you weren't awake :)
LT: hate to break it to you but the grep for 25 in the manual is checking the time matches the log timestamp...
look at the cron logs and see if it was doing anything at 6:40
mick_laptop: # grep 25 /etc/crontab
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
LT: ah... could still be running at 6:40 then yeah
particularly if it's that locate job...
mick_laptop: # cat /var/log/syslog | grep cron
Apr 5 07:00:01 www /USR/SBIN/CRON[26430]: (root) CMD ( test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; })
Apr 5 07:17:01 www /USR/SBIN/CRON[27524]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
nothing at that time though, the rotated log just has:
Apr 5 06:25:01 www /USR/SBIN/CRON[24631]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
LT: pretty sure it's cron then - your grep shows that the locate cron job runs as nobody, and you know the crons started at 6:25
mick_laptop: thanks a lot
***: heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
LT has quit IRC (Quit: Leaving)
HighJinx has quit IRC (Quit: Computer has gone to sleep.)
HighJinx has joined #arpnetworks
heavysixer has quit IRC (Read error: Connection reset by peer)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
webhostbudd has joined #arpnetworks
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
webhostbudd has quit IRC (Quit: Leaving.)
Ehtyar has joined #arpnetworks
hive-mind has quit IRC (Changing host)
hive-mind has joined #arpnetworks
hive-mind has quit IRC (Quit: leaving)
hive-mind has joined #arpnetworks
ninor has quit IRC (Read error: Connection timed out)
amdprophet has quit IRC (Quit: Leaving...)
ninor has joined #arpnetworks
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
HighJinx has quit IRC (Quit: Computer has gone to sleep.)
HighJinx has joined #arpnetworks
heavysixer has quit IRC (Quit: heavysixer)
amdprophet has joined #arpnetworks
meingtsla has quit IRC (Quit: Leaving)
meingtsla has joined #arpnetworks
Ehtyar has quit IRC (Remote host closed the connection)