Fedora Linux Support Community & Resources Center
  #1  
Old 1st January 2006, 01:37 PM
dotancohen Offline
Registered User
 
Join Date: Jan 2005
Location: Haifa
Age: 36
Posts: 51
root email concerns

I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
Code:
 --------------------- pam_unix Begin ------------------------
 kde-np:
    Unknown Entries:
       session opened for user dotancohen by (uid=0): 1 Time(s)
 ---------------------- pam_unix End -------------------------

 --------------------- Smartd Begin ------------------------
 **Unmatched Entries**
 smartd received signal 15: Terminated
 smartd is exiting (exit status 0)
 ---------------------- Smartd End -------------------------

 --------------------- Selinux Audit Begin ------------------------
  Number of audit daemon starts: 1
  Number of audit daemon stops: 2
 *** Logs which could mean a bug ***
    major=252 name_count=0: freeing multiple contexts (1)
    major=113 name_count=0: freeing multiple contexts (2)
 ---------------------- Selinux Audit End -------------------------

 --------------------- SSHD Begin ------------------------
 SSHD Killed: 1 Time(s)
 SSHD Started: 1 Time(s)
 ---------------------- SSHD End -------------------------

 --------------------- httpd Begin ------------------------
 Requests with error response codes
    404 Not Found
       /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
       /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
       /favicon.ico: 32 Time(s)
       /javascript/HM_Arrays.js: 1 Time(s)
       /javascript/HM_ScriptDOM.js: 1 Time(s)
       /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
       /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
 ---------------------- httpd End -------------------------

 --------------------- pam_unix Begin ------------------------
 kde:
    Unknown Entries:
       session closed for user dotancohen: 3 Time(s)
       session opened for user dotancohen by (uid=0): 3 Time(s)
 kde-np:
    Unknown Entries:
       session closed for user dotancohen: 3 Time(s)
       session opened for user dotancohen by (uid=0): 2 Time(s)
 su:
    Sessions Opened:
       (uid=500) -> root: 3 Time(s)
 system-config-display:
    Unknown Entries:
       auth could not identify password for [root]: 1 Time(s)
 ---------------------- pam_unix End -------------------------

 --------------------- httpd Begin ------------------------
 Requests with error response codes
    403 Forbidden
       /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
       /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
    404 Not Found
       /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
       /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
       /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
       /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
       /blog/xmlrpc.php: 2 Time(s)
       /blog/xmlsrv/xmlrpc.php: 2 Time(s)
       /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
       /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
       /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
       /drupal/xmlrpc.php: 2 Time(s)
       /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
       /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
       /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
       /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
       /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
       /phpgroupware/xmlrpc.php: 2 Time(s)
       /wordpress/xmlrpc.php: 2 Time(s)
       /xmlrpc.php: 4 Time(s)
       /xmlrpc/xmlrpc.php: 2 Time(s)
       /xmlsrv/xmlrpc.php: 2 Time(s)
 ---------------------- httpd End -------------------------

 --------------------- pam_unix Begin ------------------------
 kde-np:
    Unknown Entries:
       session closed for user dotancohen: 2 Time(s)
       session opened for user dotancohen by (uid=0): 1 Time(s)
 su:
    Sessions Opened:
       (uid=500) -> root: 3 Time(s)
 ---------------------- pam_unix End -------------------------
These are the most suspicious. If anyone could clarify on them a bit, I would appreciate it. Thank you!

Dotan Cohen
http://technology-sleuth.com/technic...t_is_hdtv.html
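A small triage script for a logwatch summary of this shape, added here as an example rather than code from the thread: it separates scanner probes (shell metacharacters, well-known exploit paths) from ordinary missing-file noise in the httpd section and tallies su-to-root sessions from the pam_unix section. The report text inside it is a constructed excerpt modelled on the quoted sections, not the poster's actual output.

```python
"""Triage a logwatch summary (added example; the report below is a
constructed excerpt modelled on the quoted sections, not real output)."""
import re

SAMPLE_REPORT = """\
 --------------------- httpd Begin ------------------------
 Requests with error response codes
    403 Forbidden
       /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo|: 1 Time(s)
    404 Not Found
       /favicon.ico: 32 Time(s)
       /mambo/index2.php?_REQUEST[option]=com_content;echo%20YYY;echo|: 1 Time(s)
       /xmlrpc.php: 4 Time(s)
 ---------------------- httpd End -------------------------
 --------------------- pam_unix Begin ------------------------
 su:
    Sessions Opened:
       (uid=500) -> root: 3 Time(s)
 ---------------------- pam_unix End -------------------------
"""

# Shell metacharacters and well-known probe paths mark a request as a scanner
# probe rather than a normal missing file (favicon.ico is the usual noise).
PROBE = re.compile(r"\|echo|;echo|_REQUEST\[|configdir=|xmlrpc\.php")
STATUS = re.compile(r"^\s+(?P<code>\d{3}) ")
REQ = re.compile(r"^\s+(?P<url>/\S*): (?P<n>\d+) Time\(s\)$")
SU_ROOT = re.compile(r"\(uid=(?P<uid>\d+)\) -> root: (?P<n>\d+) Time\(s\)")

def is_probe(url):
    return PROBE.search(url) is not None

def triage(report):
    """Count probe requests per HTTP status, plain noise, and su-to-root sessions."""
    out = {"probes": {}, "noise": 0, "su_root": 0}
    code = None
    for line in report.splitlines():
        if m := STATUS.match(line):
            code = m.group("code")          # status header, e.g. "403 Forbidden"
        elif m := REQ.match(line):
            n = int(m.group("n"))
            if is_probe(m.group("url")):
                out["probes"][code] = out["probes"].get(code, 0) + n
            else:
                out["noise"] += n
        elif m := SU_ROOT.search(line):
            out["su_root"] += int(m.group("n"))  # compare against your own su use
    return out
```

Probes that only ever draw 403/404 hit paths that do not exist on the box; the su-to-root count is the line to reconcile against your own memory of logging in.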
  #2  
Old 1st January 2006, 02:36 PM
jim Offline
Retired Community Manager & Avid Drinker Of Suds
 
Join Date: Feb 2005
Location: Rochester NY
Age: 39
Posts: 4,175
These messages appear on my server as well.

Anytime there is a system change or an attempt to change a file or dir, a message gets sent to root's mail.
Nothing to be too concerned about here. Now, if it said "sshd from ip address as user XXX permission denied" and you see lines like that, then you have concerns.
__________________
Registered Linux User: #376813
Western NY
My linux site
Smolt Profile

please remember to say if your problem was solved

Did you get your id10t award today?
  #3  
Old 1st January 2006, 03:45 PM
Ergo12
Guest
 
Posts: n/a
Check mail regularly.

Not checked root's email for a month? That is VERY BAD. I would suggest you have a regular user (UID>500) receive root's email and so avoid logging in as root. Those reports are generated by logwatch.

It is important to check emails regularly, as hacker activity and problems in your system can be highlighted. What would you have done if you had noticed a root login from the other side of the world one month ago?
  #4  
Old 2nd January 2006, 07:56 AM
dotancohen Offline
Registered User
 
Join Date: Jan 2005
Location: Haifa
Age: 36
Posts: 51
Quote:
Originally Posted by Ergo12
Not checked root's email for a month? That is VERY BAD. I would suggest you have a regular user (UID>500) receive root's email and so avoid logging in as root. Those reports are generated by logwatch.

It is important to check emails regularly, as hacker activity and problems in your system can be highlighted. What would you have done if you had noticed a root login from the other side of the world one month ago?
I know, but I simply cannot give it higher priority in life than it now has. That may be irresponsible, but putting it above other matters would be even more irresponsible.

As for said (theoretical) root login from one month ago, I would format and reinstall. As I am on Fedora Core, which has a lifespan of half a year, I intend on doing this regularly. Backups, backups, backups!

Dotan Cohen