SECURITY information for vps.domain.com, user NOT in sudoers

[mvandemar]

My client has gotten a few of these emails now with this warning:

vps.domain.com : Jan 2 04:59:04 : username : user NOT in sudoers ; TTY=unknown ; PWD=/home/username ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0

I ssh'd in and the last ssh prior to that was back in August (based on the `last` command), no ftp activity, nothing in .bash_history (I checked both root and the user in question), and i scanned the site on this account and see no signs of any back doors or other suspicious activity. Any ideas on what could cause this?

-Michael

 

[cPRex]

Hey there! Usually this notification happens when the user tries to execute something with sudo but doesn't have the correct permission to do so. Is it possible they tried to upgrade something, or maybe set up a cron? It's hard to say exactly what triggered the notification from that information, but it's possible that /var/log/secure would provide more details about this.