SECURITY information for vps.domain.com, user NOT in sudoers

mvandemar

Well-Known Member
My client has gotten a few of these emails now with this warning:

Code:
vps.domain.com : Jan 2 04:59:04 : username : user NOT in sudoers ; TTY=unknown ; PWD=/home/username ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0
I ssh'd in and the last ssh prior to that was back in August (based on the `last` command), no ftp activity, nothing in .bash_history (I checked both root and the user in question), and I scanned the site on this account and see no signs of any back doors or other suspicious activity. Any ideas on what could cause this?

-Michael
 

cPRex

Jurassic Moderator
Staff member
Hey there! Usually this notification happens when the user tries to execute something with sudo but doesn't have the correct permission to do so. Is it possible they tried to upgrade something, or maybe set up a cron? It's hard to say exactly what triggered the notification from that information, but it's possible that /var/log/secure would provide more details about this.
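
One way to follow up on the /var/log/secure suggestion, as an added example that is not part of the original thread: pull each "NOT in sudoers" entry out of the log, note whether sudo had a terminal, and list the same user's other entries logged within a few seconds. The sample lines are constructed, the function names are hypothetical, and the year is a placeholder because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in /var/log/secure style; not taken from the thread.
SAMPLE = """\
Jan  2 04:59:01 vps crond[2101]: pam_unix(crond:session): session opened for user username by (uid=0)
Jan  2 04:59:04 vps sudo: username : user NOT in sudoers ; TTY=unknown ; PWD=/home/username ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0
Jan  2 04:59:05 vps crond[2101]: pam_unix(crond:session): session closed for user username
Jan  2 09:12:40 vps sshd[3310]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
"""

STAMP = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s")
DENIED = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : user NOT in sudoers ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$")

def parse_time(line, year=2000):
    """Parse the syslog timestamp; `year` is an assumed placeholder."""
    m = STAMP.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the padded day field
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def denied_events(text, window=30):
    """Return each sudo denial plus the user's other lines within `window` seconds."""
    rows = [(parse_time(l), l) for l in text.splitlines()]
    rows = [(t, l) for t, l in rows if t]
    events = []
    for when, line in rows:
        m = DENIED.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = when
        # TTY=unknown: sudo had no terminal (cron job, daemon, script or
        # other non-interactive caller), which fits an empty .bash_history.
        ev["interactive"] = ev["tty"] != "unknown"
        ev["context"] = [l for t, l in rows
                         if l is not line and ev["user"] in l
                         and abs(t - when) <= timedelta(seconds=window)]
        events.append(ev)
    return events

if __name__ == "__main__":
    for ev in denied_events(SAMPLE):
        print(ev["time"].strftime("%b %d %H:%M:%S"), ev["user"], "->", ev["runas"],
              "| interactive:", ev["interactive"], "|", ev["command"])
        for l in ev["context"]:
            print("    nearby:", l)
```

To run it against a real log, pass the file's contents to `denied_events()` in place of `SAMPLE`.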