今天查看日志,发现:
Oct 8 06:25:04 ibmtc su[12644]: Successful su for nobody by root
Oct 8 06:25:04 ibmtc su[12644]: + ??? root:nobody
Oct 8 06:25:04 ibmtc su[12644]: (pam_unix) session opened for user nobody by (uid=0)
Oct 8 06:25:04 ibmtc su[12644]: (pam_unix) session closed for user nobody
Oct 8 06:25:04 ibmtc su[12646]: Successful su for nobody by root
Oct 8 06:25:04 ibmtc su[12646]: + ??? root:nobody
Oct 8 06:25:04 ibmtc su[12646]: (pam_unix) session opened for user nobody by (uid=0)
Oct 8 06:25:04 ibmtc su[12646]: (pam_unix) session closed for user nobody
Oct 8 06:25:04 ibmtc su[12648]: Successful su for nobody by root
Oct 8 06:25:04 ibmtc su[12648]: + ??? root:nobody
Oct 8 06:25:04 ibmtc su[12648]: (pam_unix) session opened for user nobody by (uid=0)
每天6:25都会有nobody到root的su操作,是不是被人入侵了。
Google了一下,发现是crontab的问题
ibmtc:/var/log# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
老外的一些解释:
the "su" lines are just cron jobs (the giveaway is the timestamps).
nobody is a system user that is used to run services e.g. apache and
samba on Linux distros. Root has to start the service and then pass on
control to the user "nobody".
还有一段关于/sbin/false和/dev/null的比较论述:
It should also be noted that there is a difference between having the
shell as /bin/false or /bin/nologin and having the shell as /dev/null.
For example, set each of those as the shell for a test user, then
attempt to login through SSH on each one. With a shell of /dev/null, an
attacker could not be certain whether the attempted user exists on the
system -- not the case where /bin/false or /bin/nologin is the shell.
用/dev/null是攻击者不能够确定用户是否在系统上存在。
阅读(2999) | 评论(0) | 转发(0) |