这些日志条目是否记录了对服务器的入侵?

这些日志条目是否记录了对服务器的入侵?

以下是我在 auth.log 中找到的日志条目。+ ???是什么意思?是否存在未经授权的访问?

Feb 11 07:48:32 tts-server su[31265]: Successful su for www-data by root
Feb 11 07:48:32 tts-server su[31265]: + ??? root:www-data
Feb 11 07:48:32 tts-server su[31265]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 11 07:48:32 tts-server su[31265]: pam_unix(su:session): session closed for user www-data
Feb 11 07:48:32 tts-server su[31275]: Successful su for www-data by root
Feb 11 07:48:32 tts-server su[31275]: + ??? root:www-data
Feb 11 07:48:32 tts-server su[31275]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 11 07:48:32 tts-server su[31275]: pam_unix(su:session): session closed for user www-data
Feb 12 09:46:27 tts-server su[11208]: Successful su for www-data by root
Feb 12 09:46:27 tts-server su[11208]: + ??? root:www-data
Feb 12 09:46:27 tts-server su[11208]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 12 09:46:27 tts-server su[11208]: pam_unix(su:session): session closed for user www-data
Feb 12 09:46:27 tts-server su[11222]: Successful su for www-data by root
Feb 12 09:46:27 tts-server su[11222]: + ??? root:www-data
Feb 12 09:46:27 tts-server su[11222]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 12 09:46:27 tts-server su[11222]: pam_unix(su:session): session closed for user www-data
Feb 13 12:25:41 tts-server su[22032]: Successful su for www-data by root
Feb 13 12:25:41 tts-server su[22032]: + ??? root:www-data
Feb 13 12:25:41 tts-server su[22032]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 13 12:25:41 tts-server su[22032]: pam_unix(su:session): session closed for user www-data
Feb 13 12:25:41 tts-server su[22043]: Successful su for www-data by root
Feb 13 12:25:41 tts-server su[22043]: + ??? root:www-data
Feb 13 12:25:41 tts-server su[22043]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 13 12:25:41 tts-server su[22043]: pam_unix(su:session): session closed for user www-data

答案1

这些可能来自 cron 作业。来自Securing Debian Manual. Chapter 11 - Frequently asked Questions (FAQ)

11.2.3 我发现用户在我的日志中执行‘su’:我被入侵了吗?

您可能会在日志中发现类似以下行:

 Apr  1 09:25:01 server su[30315]: + ??? root-nobody
 Apr  1 09:25:01 server PAM_unix[30315]: (su) 
   session opened for user nobody by (uid=0)

不要太担心,检查一下这是否是由于通过 cron 运行的作业造成的(通常是 /etc/cron.daily/find 或 logrotate):

$ grep 25 /etc/crontab
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report
/etc/cron.daily
$ grep nobody /etc/cron.daily/*
find:cd / && updatedb --localuser=nobody 2>/dev/null

相关内容