
Break-in?



Hello all,

I've asked this question before but I think it bears repeating.

I have some unusual events in my system log during odd hours of the night.
It has repeated every night. Two nights ago I shut my box off for the
night. Last night, it reappeared.

Last night was the first time I had syslogd events, but I'm suspecting
trouble. I've taken this box off the network for right now, but if someone
would please advise (2nd and 3rd opinions welcome) if I should reinstall.

I've checked accounts to see if I have any unusual accounts, but I don't.
Of course, I might have a bad binary -- does someone have details on how
big, etc. linux config or adduser should be? (I know better now to put
tripwire on first thing).

Thanks,

System Log
----------
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar  8 04:02:02 <machine> syslogd 1.3-3: restart.
Mar  8 04:02:03 <machine> syslogd 1.3-3: restart.
Mar  8 04:02:03 <machine> syslogd 1.3-3: restart.
Mar  8 04:02:04 <machine> syslogd 1.3-3: restart.
Mar  8 04:02:07 <machine> PAM_pwdb[1355]: (su) session opened for user nobody by (uid=99)
Mar  8 04:03:37 <machine> PAM_pwdb[1355]: (su) session closed for user nobody
Mar  8 04:46:29 <machine> named[299]: Cleaned cache of 0 RRs
Mar  8 04:46:29 <machine> named[299]: USAGE 920897189 920835989 CPU=0.02u/0.01s CHILDCPU=0u/0s
Mar  8 04:46:29 <machine> named[299]: NSTATS 920897189 920835989
Mar  8 04:46:29 <machine> named[299]: XSTATS 920897189 920835989 RR=1 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=1 SAns=0 SFwdQ=0 SDupQ=0 SErr=0 RQ=0 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0

--Adam

acgetchell ucdavis edu
"Invincibility is in oneself, vulnerability in the opponent." --Sun Tzu


