RE: possible hacker?

[Alan Mead <adm ipat com>]

>Sorry, I should have been more clear.  I should have asked, why is
>it restarting the syslogd 4 times in two minutes and what's the session
>for user nobody?  Is there a way to trace the activity of user "nobody"
>during that session?

Well, I believe syslog is restarting four times in a second or two because
of instructions in '/etc/logrotate.d/syslog' consulted because of
'/etc/cron.daily/logrotate'.  I'm not sure about nobody, maybe doing the
'/etc/update.cron'?  I don't know how Linux orders the runs in the cron.*
directories.  Maybe someone will verbally trace this process for you better
than I can..  I don't think there is a way to track su any more than any
other user unless you find the scripts launching the process and put
comments into them to be echoed into syslog.  Of course, once you'd gone to
that trouble, wouldn't seem to be needed (for you anyway).

-Alan
---
Alan D. Mead  /  Research Scientist  /  adm ipat com
Institute for Personality and Ability Testing
1801 Woodfield Dr  /  Savoy IL 61874 USA
217-352-4739 (v)  /  217-352-9674 (f)