Hi everyone, I have a server running postfix with ldap and squirrelmail, spamassassin, amavisd-new, clamav. I have installed logwatch and I'm seeing some log entries and I'm not sure why this is happening or how to fix it. auth.log: Everything seems to be working well, but I want to solve this and I don't know where or what to look at.. Thanks. PS: I'm using Debian Etch
Looks like you have someone using your web server to try to do something which requires super-user rights. Which web server are you using?
Hi, I'm using apache2. My users don't have shell access; I have this entry in my ldap: loginShell: /bin/false. This is what logwatch reports to me by email:
If it was me, I would find the log entries for this www-data in the messages/security log and block the IP address that is trying to run it.
Hi, I don't have any IP; the entry I posted here is exactly the entry in my auth.log. The only thing I changed was my server name. The entries are this: as you can see, in the rhost there is no IP address. What other help can you give me? Thanks
As chipsafts said, I think someone is trying to run the sudo command through one of your web applications. So now you must test your web applications to see whether it's possible to pass commands on to the system. If you're using PHP, you should enable PHP Safe Mode.
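One way to do the log hunt the two replies above suggest: pull every sudo line in auth.log attributed to the web server account and list the Apache requests that arrived within a few seconds of it, which points at the script rather than at a client IP (the pam_unix rhost= field is empty for a local process, so there is none to block). This is an added example, not code from anyone in this thread; the log lines are constructed in the standard Debian formats since the original excerpt did not survive, the year is assumed because syslog omits it, and Apache and syslog are assumed to share the box's clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the standard Debian formats (the thread's own
# excerpt did not survive). pam_unix logs "ruser=<user> rhost=<ip> user=<user>",
# with rhost= empty for a local process, which is why there was no IP to block.
AUTH_LOG = """\
Mar  3 10:15:02 mailhost sudo: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty= ruser=www-data rhost=  user=www-data
Mar  3 10:15:05 mailhost sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/ls
Mar  3 10:20:11 mailhost sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 5555 ssh2
"""
ACCESS_LOG = """\
192.0.2.55 - - [03/Mar/2008:10:15:01 +0000] "POST /webmail/src/some_plugin.php HTTP/1.1" 200 512
192.0.2.77 - - [03/Mar/2008:10:19:40 +0000] "GET /webmail/src/login.php HTTP/1.1" 200 2048
"""
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo(?:\[\d+\])?:\s*(?P<msg>.*)$")
USER_RE = re.compile(r"\bruser=(?P<pam>\S*)|^(?P<direct>\S+) : ")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
SERVICE_ACCOUNTS = {"www-data"}  # accounts that should never invoke sudo
ASSUMED_YEAR = 2008              # syslog timestamps carry no year (assumption)

def parse_sudo_events(auth_log):
    """Return (timestamp, user, message) for sudo lines attributed to a service account."""
    events = []
    for line in auth_log.splitlines():
        m = SUDO_RE.match(line)
        u = USER_RE.search(m["msg"]) if m else None
        user = u and (u["pam"] or u["direct"])
        if user in SERVICE_ACCOUNTS:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            events.append((ts, user, m["msg"]))
    return events

def parse_access_log(access_log):
    """Return (timestamp, client_ip, request_line) from Apache common/combined log lines."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:  # assumes Apache and syslog share the box's local clock, so drop the offset
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            hits.append((ts, m["ip"], m["req"]))
    return hits

def correlate(events, requests, window_seconds=5):
    """Pair each service-account sudo event with web requests seen within the window."""
    delta = timedelta(seconds=window_seconds)
    return [{"time": ts, "user": user, "sudo": msg,
             "requests": [(ip, req) for rts, ip, req in requests if abs(rts - ts) <= delta]}
            for ts, user, msg in events]
```

Run it over the real /var/log/auth.log and the Apache access log for the same day; the requests paired with each sudo line name the script worth auditing.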
Thanks everyone, I didn't find anything interesting with the same timestamp. I have uninstalled sudo because I'm not using sudo at the moment, and for now I don't get that odd entry in my logs anymore. Thanks to all for the help; I'll post if I find something else later...