Results 1 to 7 of 7

Thread: su[11313]: + ??? root:nobody -- compromise?

  1. #1
    Join Date
    Aug 2007
    Location
    Paris
    Beans
    5,538
    Distro
    Ubuntu 11.04 Natty Narwhal

    su[11313]: + ??? root:nobody -- compromise?

    OSSEC sent a report that /var/auth.log contains the following lines from a few hours ago:

    Code:
    May  3 08:40:43 my-desktop su[11313]: + ??? root:nobody
    
    May  3 08:40:43 my-desktop su[11313]: pam_unix(su:session): session opened for user nobody by (uid=0)
    I am pretty worried about this. Who is user nobody and why would he have gotten root access to my machine? I've read some threads that say that this can related to cron jobs running, but I don't have any cron jobs scheduled to run at the time that the login occurred.

    I have my ssh and http ports open to the Internet, but OSSEC shuts down brute force attacks and I use strong passwords. Should I be worried that my system has somehow been compromised? rkhunter and chkrootkit don't find any rootkits; is there anything else I should look for?

  2. #2
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: su[11313]: + ??? root:nobody -- compromise?

    Quote Originally Posted by pytheas22 View Post
    OSSEC sent a report that /var/auth.log contains the following lines from a few hours ago:

    Code:
    May  3 08:40:43 my-desktop su[11313]: + ??? root:nobody
    
    May  3 08:40:43 my-desktop su[11313]: pam_unix(su:session): session opened for user nobody by (uid=0)
    I am pretty worried about this. Who is user nobody and why would he have gotten root access to my machine? I've read some threads that say that this can related to cron jobs running, but I don't have any cron jobs scheduled to run at the time that the login occurred.

    I have my ssh and http ports open to the Internet, but OSSEC shuts down brute force attacks and I use strong passwords. Should I be worried that my system has somehow been compromised? rkhunter and chkrootkit don't find any rootkits; is there anything else I should look for?
    Nothing to worry about. nobody is a user on your machine. She pops into mine at about 6:25 and does a bit of housekeeping. Rotating logs, updating the locate database etc. Have a look in /etc to see what you have scheduled for 08:40.
    Brian.

  3. #3
    Join Date
    Aug 2007
    Location
    Paris
    Beans
    5,538
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: su[11313]: + ??? root:nobody -- compromise?

    Nothing to worry about. nobody is a user on your machine. She pops into mine at about 6:25 and does a bit of housekeeping. Rotating logs, updating the locate database etc. Have a look in /etc to see what you have scheduled for 08:40.
    Thanks for the response. This is reassuring, but I am still wondering why I've never seen a warning like this until today. I've been running OSSEC on several Ubuntu machines for a while (although it's only since last weekend that one of them runs Hardy) and this is the first time I've gotten warned about nobody. Also, as the output below indicates, I have no cronjobs scheduled for 8:40. Can I still be confident that there's no problem?

    Code:
    $ cat /etc/crontab
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.
    
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    
    # m h dom mon dow user	command
    17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
    25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    05 00 * * * root /var/ossec/bin/ossec-control restart
    #

  4. #4
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: su[11313]: + ??? root:nobody -- compromise?

    Quote Originally Posted by pytheas22 View Post
    Thanks for the response. This is reassuring, but I am still wondering why I've never seen a warning like this until today. I've been running OSSEC on several Ubuntu machines for a while (although it's only since last weekend that one of them runs Hardy) and this is the first time I've gotten warned about nobody. Also, as the output below indicates, I have no cronjobs scheduled for 8:40. Can I still be confident that there's no problem?
    OSSEC is not something I'm familiar with so can't help you with the time disparity. Have look for nobody in /var/log/auth.log and also see /etc/updatedb.conf. I still think there is no problem.
    Brian.

  5. #5
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,020
    Distro
    Xubuntu 15.10 Wily Werewolf

    Re: su[11313]: + ??? root:nobody -- compromise?

    FYI: The nobody account is an account with few privileges that is used by some daemons as a safety measure. As an example, OpenVPN changes to user nobody after it has finished starting so that if the daemon were to be compromised by a malformed packet exploiting a vulnerability, it still couldn't make the daemon cause any system damage. The daemon starts as root, opens the few resources it really needs and then in effect, throws away the keys. In this case I don't fully understand the log messages, but it does look like something started with root privilege and then changed to nobody, which is the direction a good daemon would be going in.

    It's odd that OSSEC picked it up though - it has never picked that up on any of the Ubuntu servers I run it on.

  6. #6
    Join Date
    May 2008
    Location
    Idaho
    Beans
    7
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: su[11313]: + ??? root:nobody -- compromise?

    I remember the first time I saw this on one of the servers I managed after an upgrade and I thought that I had been hacked. So needless to say you are not the only one who has thought that.

  7. #7
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: su[11313]: + ??? root:nobody -- compromise?

    If you have not seen it before the job was probably part of cron.monthly. Check the scripts in /etc/cron.monthly

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •