Security question regarding root email
Dotan Cohen
dotancohen at gmail.com
Mon Jan 2 07:43:40 UTC 2006
On 1/1/06, John Summerfied <debian at herakles.homelinux.org> wrote:
> Dotan Cohen wrote:
> > I haven't read root's email in about a month. Now that I get around to
> > it, I am surprised to see things that I have never seen before, such
> > as:
> > --------------------- pam_unix Begin ------------------------
> > kde-np:
> > Unknown Entries:
> > session opened for user dotancohen by (uid=0): 1 Time(s)
> > ---------------------- pam_unix End -------------------------
> >
> > --------------------- Smartd Begin ------------------------
> > **Unmatched Entries**
> > smartd received signal 15: Terminated
> > smartd is exiting (exit status 0)
> > ---------------------- Smartd End -------------------------
> >
> > --------------------- Selinux Audit Begin ------------------------
> > Number of audit daemon starts: 1
> > Number of audit daemon stops: 2
> > *** Logs which could mean a bug ***
> > major=252 name_count=0: freeing multiple contexts (1)
> > major=113 name_count=0: freeing multiple contexts (2)
> > ---------------------- Selinux Audit End -------------------------
> >
> > --------------------- SSHD Begin ------------------------
> > SSHD Killed: 1 Time(s)
> > SSHD Started: 1 Time(s)
> Normal restart stuff here and in some other places.
>
Do you mean that this is logged when the computer restarts? Because I
have never restarted SSH.
> > ---------------------- SSHD End -------------------------
> >
> > --------------------- httpd Begin ------------------------
> > Requests with error response codes
> > 404 Not Found
> > /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
> > /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> > /favicon.ico: 32 Time(s)
> > /javascript/HM_Arrays.js: 1 Time(s)
> > /javascript/HM_ScriptDOM.js: 1 Time(s)
> > /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
> > /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> > ---------------------- httpd End -------------------------
> >
> > --------------------- pam_unix Begin ------------------------
> > kde:
> > Unknown Entries:
> > session closed for user dotancohen: 3 Time(s)
> > session opened for user dotancohen by (uid=0): 3 Time(s)
> This looks like you logging in and out three times.
>
Should that concern me if I don't think that I had EVER logged out and
then back in? This is a one-man box.
> > kde-np:
> > Unknown Entries:
> > session closed for user dotancohen: 3 Time(s)
> > session opened for user dotancohen by (uid=0): 2 Time(s)
> More, similar.
> > su:
> > Sessions Opened:
> > (uid=500) -> root: 3 Time(s)
> You becoming root.
> > system-config-display:
> Maybe you reconfigured your display?
Nope. I'm glad that I don't need to!
> > Unknown Entries:
> > auth could not identify password for [root]: 1 Time(s)
> > ---------------------- pam_unix End -------------------------
> >
> > --------------------- httpd Begin ------------------------
> > Requests with error response codes
> > 403 Forbidden
> > /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> > /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
>
> Some versions of awstats let the ungodly in. If you're not current you
> may have a problem,
>
>
At least here I feel safe; no third-party PHP software on the system.
Just my own home-brewed stuff. Assuming that is secure...
> > 404 Not Found
> > /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
> > /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
> > /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
>
> this looks like php bb stuff, some versions of which let the ungodly in.
>
>
> > /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> > /blog/xmlrpc.php: 2 Time(s)
> > /blog/xmlsrv/xmlrpc.php: 2 Time(s)
> > /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
> > /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
> > /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> > /drupal/xmlrpc.php: 2 Time(s)
> > /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
> > /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
> > /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
> > /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
> > /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
> > /phpgroupware/xmlrpc.php: 2 Time(s)
>
> One hopes you're on the requisite lists for phpgroupware. I know it's
> big; you need to keep an eye out for problems and their fixes.
>
>
> > /wordpress/xmlrpc.php: 2 Time(s)
> > /xmlrpc.php: 4 Time(s)
> > /xmlrpc/xmlrpc.php: 2 Time(s)
> > /xmlsrv/xmlrpc.php: 2 Time(s)
> > ---------------------- httpd End -------------------------
> >
> > --------------------- pam_unix Begin ------------------------
> > kde-np:
> > Unknown Entries:
> > session closed for user dotancohen: 2 Time(s)
> > session opened for user dotancohen by (uid=0): 1 Time(s)
> This looks to me like you logging out.
I don't do that. One-man box.
>
> > su:
> > Sessions Opened:
> > (uid=500) -> root: 3 Time(s)
> this looks like you becoming root three times.
>
That is possible.
> > ---------------------- pam_unix End -------------------------
> >
> > These are the most suspicious. If anyone could clarify them a bit,
> > I would appreciate it. Thank you!
> >
> > Dotan Cohen
> > http://technology-sleuth.com/index.php
> Hmm.
>
>
> > %^
> >
> Cheers
> John
>
Thanks. I do appreciate the explanations, and the time you invest.
Dotan Cohen
http://technology-sleuth.com/question/what_is_a_cellphone.html
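As an added example (not part of the thread), a small Python script that parses a logwatch httpd section and tags the automated probes discussed above, so a report like this can be counted instead of eyeballed; the sample input is constructed from the truncated paths quoted in the thread, and the marker patterns are my own assumption based on the shared "echo ... YYY;echo" test string in those requests.

```python
import re
from collections import Counter

# Constructed sample in the shape of the logwatch httpd section quoted in
# the thread (logwatch shortens long request paths with " ... ").
SAMPLE = """\
--------------------- httpd Begin ------------------------
Requests with error response codes
403 Forbidden
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
404 Not Found
/favicon.ico: 32 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
/blog/xmlrpc.php: 2 Time(s)
/xmlrpc.php: 4 Time(s)
---------------------- httpd End -------------------------
"""

ENTRY = re.compile(r"^(?P<path>/\S.*?): (?P<count>\d+) Time\(s\)$")
STATUS = re.compile(r"^(?P<code>\d{3}) ")

# Assumed markers of the scanner probes seen in the thread: the awstats
# configdir, mambo _REQUEST[option] and phpBB admin_styles requests all
# smuggle the same shell test command ("echo ... YYY") into a parameter.
INJECTION = re.compile(r"(\|echo|;echo|%20YYY|YYY;)", re.I)
XMLRPC = re.compile(r"xmlrpc\.php$")

def classify(path):
    """Label one request path from the report."""
    if INJECTION.search(path):
        return "command-injection probe"
    if XMLRPC.search(path):
        return "xmlrpc probe"
    return "benign"

def parse_httpd_section(text):
    """Yield (status, path, count, label) for each request line."""
    status = None
    for line in text.splitlines():
        m = STATUS.match(line)
        if m:
            status = m.group("code")
            continue
        m = ENTRY.match(line)
        if m:
            path = m.group("path")
            yield status, path, int(m.group("count")), classify(path)

def summarize(text):
    """Total request count per label; 403/404 means the probe hit nothing."""
    totals = Counter()
    for _status, _path, count, label in parse_httpd_section(text):
        totals[label] += count
    return dict(totals)
```

Run it over a real logwatch mail body and the "command-injection probe" total is the number of scanner hits to watch for; a probe that ever shows up under a 200 status, rather than 403/404, is the one to investigate.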
More information about the fedora-list
mailing list