strange log entries

Discussion in 'Server Operation' started by danielvm, Dec 25, 2007.

  1. danielvm

    danielvm New Member

    Hi everyone, I have a server running Postfix with LDAP and SquirrelMail, SpamAssassin, amavisd-new, ClamAV. I have installed Logwatch and I'm seeing some log entries, and I'm not sure why this is happening or how to fix it.

    auth.log:
    Everything seems to be working well, but I want to solve this and I don't know where or what to look at.. :confused:

    thanks

    PS: I'm using Debian Etch
     
    Last edited: Dec 25, 2007
  2. chipsafts

    chipsafts New Member

    Looks like you have someone using your web server to try to do something which requires superuser rights.
    Which web server are you using?
     
  3. danielvm

    danielvm New Member

    Hi, I'm using apache2, my users don't have shell access, I have this entry in my LDAP:

    loginShell: /bin/false

    This is what Logwatch reports to me by email:

     
  4. chipsafts

    chipsafts New Member

    If it were me, I would find the log entries for this www-data in the messages/security log and block the IP address that is trying to run it.
     
  5. danielvm

    danielvm New Member

    Hi, I don't have any IP; the entry I posted here is exactly the entry in my auth.log, the only thing I changed was my server name. The entries are these:

    As you can see, in the rhost there is no IP address. What other help can you give me?

    thanks
     
  6. falko

    falko Super Moderator ISPConfig Developer

    As chipsafts said, I think someone is trying to run the sudo command through one of your web applications. So now you must test your web applications to see if it's possible to pass commands on to the system.
    If you're using PHP, you should enable PHP Safe Mode.
     
  7. chipsafts

    chipsafts New Member

    Look in your other logs for the same datetime stamp.
    I'd check the messages and Apache logs first.
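The two suggestions above (sudo being reached through a web application, and lining auth.log up with other logs by timestamp) can be turned into a small check. The script below is an added example for this thread, not code from any of the posters: it parses Debian-style auth.log lines, keeps the sudo events, flags any whose invoking account is a web server user such as www-data (an account with loginShell /bin/false has no terminal, so a sudo call from it can only have come from a running web application), and pairs each flagged event with Apache requests logged within a few seconds of it. The host name "mail", the IP addresses, the paths, the year 2007 (syslog timestamps carry no year) and the assumption that both logs use the same time zone are all constructed placeholders, as are the sample log lines themselves; the original thread's own log lines are not reproduced on this page.

```python
"""Flag sudo use by a web-server account in auth.log and pair it with Apache
requests logged at the same moment.

Added example for the thread; the sample lines and hostnames are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample auth.log lines (syslog format: no year in the timestamp).
AUTH_LOG = """\
Dec 25 10:12:01 mail sudo: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty= ruser= rhost=  user=www-data
Dec 25 10:12:03 mail sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/id
Dec 25 10:15:22 mail sshd[2345]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Dec 25 10:20:00 mail sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
""".splitlines()

# Constructed sample Apache access log lines (combined format).
ACCESS_LOG = """\
192.0.2.55 - - [25/Dec/2007:10:12:02 +0000] "POST /webmail/src/compose.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Dec/2007:10:18:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
""".splitlines()

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$')
# "sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..." (a free-text
# prefix such as "user NOT in sudoers" appears when the call was refused).
SUDO_CMD_RE = re.compile(r'^(?P<user>\S+) : (?P<body>.*)$')
# PAM's failure line; rhost is empty when the caller is local, as it is for a
# process spawned by the web server.
PAM_FAIL_RE = re.compile(
    r'pam_unix\(sudo:auth\): authentication failure;.*?\brhost=(?P<rhost>\S*)\s'
    r'.*?\buser=(?P<user>\S+)')
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


@dataclass
class SudoEvent:
    ts: datetime
    user: str      # account that invoked sudo
    rhost: str     # remote host recorded by PAM, empty for local callers
    tty: str       # "unknown" when there is no terminal
    command: str   # requested command, empty for the PAM failure line
    outcome: str   # "ok", "authentication failure", "user NOT in sudoers", ...


def parse_auth_log(lines, year):
    """Turn auth.log lines into SudoEvent records; the year must be supplied
    because syslog omits it."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group('prog') != 'sudo':
            continue
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=year)
        msg = m.group('msg').strip()
        pam = PAM_FAIL_RE.search(msg)
        if pam:
            events.append(SudoEvent(ts, pam.group('user'), pam.group('rhost'),
                                    '', '', 'authentication failure'))
            continue
        cmd = SUDO_CMD_RE.match(msg)
        if not cmd:
            continue
        fields, outcome = {}, 'ok'
        for part in cmd.group('body').split(' ; '):
            if '=' in part:
                key, value = part.split('=', 1)
                fields[key] = value
            else:
                outcome = part  # e.g. "user NOT in sudoers"
        events.append(SudoEvent(ts, cmd.group('user'), '', fields.get('TTY', ''),
                                fields.get('COMMAND', ''), outcome))
    return events


def flag_service_accounts(events, accounts=('www-data',)):
    """Keep sudo events from accounts that should never call sudo at all."""
    return [e for e in events if e.user in accounts]


def parse_access_log(lines):
    """Return (timestamp, client IP, request line, status) per Apache entry.
    Assumes auth.log and the access log share a time zone (constructed)."""
    entries = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
        entries.append((ts, m.group('ip'), m.group('req'), int(m.group('status'))))
    return entries


def correlate(events, requests, window_seconds=5):
    """Pair each sudo event with the web requests logged within the window;
    those requests name the script, and the client IP, worth examining."""
    delta = timedelta(seconds=window_seconds)
    return [(e, [r for r in requests if abs(r[0] - e.ts) <= delta]) for e in events]


if __name__ == '__main__':
    flagged = flag_service_accounts(parse_auth_log(AUTH_LOG, 2007))
    for event, reqs in correlate(flagged, parse_access_log(ACCESS_LOG)):
        print(f"{event.ts} {event.user} rhost='{event.rhost}' tty='{event.tty}' "
              f"{event.outcome} {event.command}")
        for ts, ip, req, status in reqs:
            print(f'    {ts} {ip} "{req}" {status}')
```

On the sample data the admin's own sudo call is left alone, while both www-data lines are flagged and land next to the POST to a PHP script from one client address, which is the request (and the address) to look at; on a real server the auth.log and access log would be read from /var/log instead of the embedded strings.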
     
  8. danielvm

    danielvm New Member

    Thanks everyone, I didn't find anything interesting with the same timestamp. I have uninstalled sudo because I'm not using sudo at the moment, and for now I don't get that odd entry in my logs anymore.

    Thanks to all for the help, I'll post if I find something else later...
     
