#arpnetworks 2012-04-05,Thu


Who | What | When
***portertech has quit IRC (Remote host closed the connection)
portertech has joined #arpnetworks
[00:35]
.... (idle for 15mn)
LT has joined #arpnetworks [00:50]
.......... (idle for 45mn)
Ehtyar has quit IRC (Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.) [01:35]
....... (idle for 31mn)
toddf has quit IRC (Ping timeout: 260 seconds) [02:06]
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf
[02:14]
* up_the_irons looks around [02:27]
..................................... (idle for 3h0mn)
***heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[05:27]
............ (idle for 59mn)
* mhoran looks at up_the_irons [06:26]
* up_the_irons looks back at mhoran
up_the_irons is watching TED
an interesting one: http://www.ted.com/talks/daniel_schnitzer_inventing_is_the_easy_part.html
[06:36]
<mhoran> Interesting. [06:40]
...... (idle for 28mn)
***heavysixer has quit IRC (Read error: Connection reset by peer) [07:08]
mick_laptop has joined #arpnetworks [07:17]
<mick_laptop> anyone know wth this could be:
Apr 5 06:40:23 www su[26316]: Successful su for nobody by root
Apr 5 06:40:23 www su[26316]: + ??? root:nobody
the last time that I remember doing anything was: [Apr 4 15:40:28]
and I've never su'ed from root to nobody
[07:18]
w doesn't show anyone but me logged in
up_the_irons: you didn't happen to be doing something w/ the vps ~1 hr ago?
[07:24]
<LT> some services might have a su to nobody in the init script to drop privs? anything running as nobody? [07:26]
<mick_laptop> ah... hmm, let me look into this
thanks LT
[07:28]
<jpalmer> if they su to drop privs, they are doing it wrong. I'd be getting rid of that service immediately. [07:29]
<mick_laptop> # ps -u nobody
PID TTY TIME CMD
nothing
[07:30]
<LT> heh, I never said they were well written init scripts... I think amavis or clam or something like that used to do it though [07:31]
<jpalmer> ahh, never liked amavis or clamav. that knowledge just reinforces that I was right a few years ago :P [07:32]
<mick_laptop> hmm, I looked at asterisk (which has been running for a few days) - the init script doesn't look to be doing that
hmmm
[07:36]
<LT> could be a cron job as well... maybe worth grepping for nobody over all of /etc
hmm, what OS are you running on the VPS?
[07:38]
<mick_laptop> debian [07:40]
<LT> http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.2.4 [07:42]
<mick_laptop> http://pastebin.com/raw.php?i=3NHv9aKM
LT: I don't see matches for that
oh the other does match
yay!
grep 25 /etc/crontab
:D
thanks a lot LT
shitty feeling to wake up to an IDS message about: su -
when you weren't awake :)
[07:43]
<LT> hate to break it to you but the grep for 25 in the manual is checking the time matches the log timestamp...
look at the cron logs and see if it was doing anything at 6:40
[07:47]
<mick_laptop> # grep 25 /etc/crontab
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
[07:48]
<LT> ah... could still be running at 6:40 then yeah
particularly if it's that locate job...
[07:49]
<mick_laptop> # cat /var/log/syslog | grep cron
Apr 5 07:00:01 www /USR/SBIN/CRON[26430]: (root) CMD ( test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; })
Apr 5 07:17:01 www /USR/SBIN/CRON[27524]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
nothing at that time though, the rotated log just has: Apr 5 06:25:01 www /USR/SBIN/CRON[24631]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
[07:51]
<LT> pretty sure it's cron then - your grep shows that the locate cron job runs as nobody, and you know the crons started at 6:25 [08:00]
<mick_laptop> thanks a lot [08:01]
***heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[08:04]
.............. (idle for 1h5mn)
LT has quit IRC (Quit: Leaving) [09:09]
HighJinx has quit IRC (Quit: Computer has gone to sleep.) [09:22]
....... (idle for 33mn)
HighJinx has joined #arpnetworks [09:55]
................ (idle for 1h15mn)
heavysixer has quit IRC (Read error: Connection reset by peer)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[11:10]
.......... (idle for 49mn)
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
[12:00]
................................ (idle for 2h35mn)
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
[14:36]
webhostbudd has joined #arpnetworks [14:41]
............. (idle for 1h0mn)
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
[15:41]
webhostbudd has quit IRC (Quit: Leaving.) [15:49]
Ehtyar has joined #arpnetworks [15:58]
hive-mind has quit IRC (Changing host)
hive-mind has joined #arpnetworks
[16:11]
hive-mind has quit IRC (Quit: leaving)
hive-mind has joined #arpnetworks
[16:22]
............ (idle for 57mn)
ninor has quit IRC (Read error: Connection timed out)
amdprophet has quit IRC (Quit: Leaving...)
ninor has joined #arpnetworks
[17:21]
........ (idle for 38mn)
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
[18:00]
HighJinx has quit IRC (Remote host closed the connection)
HighJinx has joined #arpnetworks
[18:12]
........ (idle for 38mn)
HighJinx has quit IRC (Quit: Computer has gone to sleep.) [18:51]
........... (idle for 53mn)
HighJinx has joined #arpnetworks
heavysixer has quit IRC (Quit: heavysixer)
[19:44]
amdprophet has joined #arpnetworks
meingtsla has quit IRC (Quit: Leaving)
meingtsla has joined #arpnetworks
[20:00]
Ehtyar has quit IRC (Remote host closed the connection) [20:11]