Chinaunix首页 | 论坛 | 博客
  • 博客访问: 5760647
  • 博文数量: 675
  • 博客积分: 20301
  • 博客等级: 上将
  • 技术积分: 7671
  • 用 户 组: 普通用户
  • 注册时间: 2005-12-31 16:15
文章分类

全部博文(675)

文章存档

2012年(1)

2011年(20)

2010年(14)

2009年(63)

2008年(118)

2007年(141)

2006年(318)

分类: LINUX

2007-10-12 15:47:57

今天查看日志,发现:
Oct  8 06:25:04 ibmtc su[12644]: Successful su for nobody by root
Oct  8 06:25:04 ibmtc su[12644]: + ??? root:nobody
Oct  8 06:25:04 ibmtc su[12644]: (pam_unix) session opened for user nobody by (uid=0)
Oct  8 06:25:04 ibmtc su[12644]: (pam_unix) session closed for user nobody
Oct  8 06:25:04 ibmtc su[12646]: Successful su for nobody by root
Oct  8 06:25:04 ibmtc su[12646]: + ??? root:nobody
Oct  8 06:25:04 ibmtc su[12646]: (pam_unix) session opened for user nobody by (uid=0)
Oct  8 06:25:04 ibmtc su[12646]: (pam_unix) session closed for user nobody
Oct  8 06:25:04 ibmtc su[12648]: Successful su for nobody by root
Oct  8 06:25:04 ibmtc su[12648]: + ??? root:nobody
Oct  8 06:25:04 ibmtc su[12648]: (pam_unix) session opened for user nobody by (uid=0)

每天6:25都会有nobody到root的su操作,是不是被人入侵了。
Google了一下,发现是crontab的问题
ibmtc:/var/log# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

老外的一些解释:
the "su" lines are just cron jobs (the giveaway is the timestamps).
nobody is a system user that is used to run services e.g. apache and samba on Linux distros. Root has to start the service and then pass on control to the user "nobody".

还有一段关于/sbin/false和/dev/null的比较论述:
It should also be noted that there is a difference between having the shell as /bin/false or /bin/nologin and having the shell as /dev/null. For example, set each of those as the shell for a test user, then attempt to login through SSH on each one. With a shell of /dev/null, an attacker could not be certain whether the attempted user exists on the system -- not the case where /bin/false or /bin/nologin is the shell.

用/dev/null是攻击者不能够确定用户是否在系统上存在。

阅读(2999) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~