
Posted: 10 Dec 2008, 02:42
by MartinHageras
Didn't see your reply before. Thanks for the help!
/Martin

Posted: 18 Feb 2009, 07:19
by cgl72
Does anyone know what this is in my auth.log?
Feb 16 06:25:41 bubba su[11098]: Successful su for nobody by root
Feb 16 06:25:41 bubba su[11098]: + ??? root:nobody
Feb 16 06:25:41 bubba su[11098]: (pam_unix) session opened for user nobody by (uid=0)
Feb 16 06:25:41 bubba su[11098]: (pam_unix) session closed for user nobody
Feb 16 06:25:41 bubba su[11100]: Successful su for nobody by root
Feb 16 06:25:41 bubba su[11100]: + ??? root:nobody
Feb 16 06:25:41 bubba su[11100]: (pam_unix) session opened for user nobody by (uid=0)
Feb 16 06:25:41 bubba su[11100]: (pam_unix) session closed for user nobody
Feb 16 06:25:42 bubba su[11102]: Successful su for nobody by root
Feb 16 06:25:42 bubba su[11102]: + ??? root:nobody
Feb 16 06:25:42 bubba su[11102]: (pam_unix) session opened for user nobody by (uid=0)
Feb 16 06:25:46 bubba CRON[11068]: (pam_unix) session closed for user root
Feb 16 06:26:12 bubba su[11102]: (pam_unix) session closed for user nobody
Feb 16 06:26:23 bubba CRON[11064]: (pam_unix) session closed for user root
Feb 16 06:30:38 bubba CRON[11234]: (pam_unix) session opened for user root by (uid=0)
I have the usual CRON every 5-10 minutes all day. But what is that "successful su for nobody by root"?

Christian
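
One way to triage entries like those in the post above, as an added example that is not part of the thread: it pairs each su session's open and close by PID and records which CRON sessions for root were open when the su started. The sample lines are constructed in the same format as the excerpt, and the function name, field names and year are assumptions (syslog timestamps omit the year).

```python
import re
from datetime import datetime

# Constructed sample in the same syslog format as the excerpt (not the poster's log).
SAMPLE = """\
Feb 16 06:25:01 bubba CRON[11068]: (pam_unix) session opened for user root by (uid=0)
Feb 16 06:25:41 bubba su[11098]: Successful su for nobody by root
Feb 16 06:25:41 bubba su[11098]: (pam_unix) session opened for user nobody by (uid=0)
Feb 16 06:25:41 bubba su[11098]: (pam_unix) session closed for user nobody
Feb 16 06:25:42 bubba su[11102]: Successful su for nobody by root
Feb 16 06:25:42 bubba su[11102]: (pam_unix) session opened for user nobody by (uid=0)
Feb 16 06:25:46 bubba CRON[11068]: (pam_unix) session closed for user root
Feb 16 06:26:12 bubba su[11102]: (pam_unix) session closed for user nobody
Feb 16 09:14:07 bubba su[12001]: Successful su for nobody by root
Feb 16 09:14:07 bubba su[12001]: (pam_unix) session opened for user nobody by (uid=0)
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[(\d+)\]: (.*)$")
SESSION = re.compile(r"session (opened|closed) for user (\S+)")

def su_sessions(lines, year=2009):
    """Pair su open/close by PID; note CRON root sessions open when each su began."""
    cron_open, su_by_pid, out = set(), {}, []
    for raw in lines:
        m = LINE.match(raw)
        s = SESSION.search(m[4]) if m else None
        if not s:
            continue  # e.g. the "Successful su" and "+ ???" lines carry no session event
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        prog, pid, opened = m[2], int(m[3]), s[1] == "opened"
        if prog == "CRON" and s[2] == "root":
            (cron_open.add if opened else cron_open.discard)(pid)
        elif prog == "su" and opened:
            # during_cron is a lower bound: a CRON session opened before the
            # first line of the excerpt is invisible to this pass.
            rec = {"pid": pid, "user": s[2], "start": ts,
                   "during_cron": sorted(cron_open), "seconds": None}
            su_by_pid[pid] = rec
            out.append(rec)
        elif prog == "su" and pid in su_by_pid:
            rec = su_by_pid.pop(pid)
            rec["seconds"] = int((ts - rec["start"]).total_seconds())
    return out

if __name__ == "__main__":
    for rec in su_sessions(SAMPLE):
        print(rec["start"], rec["pid"], rec["user"], rec["during_cron"], rec["seconds"])
```

A su session with an empty `during_cron` list or with `seconds` still `None` is the one to look at first, since it neither lines up with a scheduled job nor has a recorded close.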

the coroner's toolkit (tct)

Posted: 04 Mar 2009, 03:19
by zander
hi,

does anyone here use tct (the coroner's toolkit)? i have read that it is 'the' item for linux cyber forensics but it must be installed prior to the intrusion.

does anyone have any experience with it?

should i install it?

zander