netlook

Well-Known Member
Mar 25, 2004
Hi,

I saw something strange in today's logwatch e-mail:

under pam_unix I had:

sudo:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=nobody:
40 Time(s)

Can you tell me please what it could be?

Thanks

netlook

Well-Known Member
Mar 25, 2004
Hi, Thanks for reply.

I checked all domlogs for this command every time it was used, but I don't see anything special - there are no suspicious processes on my server.

I run apache as nobody, but I don't see any constantly running process on my server. Also I have run chkrootkit and rkhunter - there were no alerts at all.

Do you have any idea how to track this script? Maybe I should put something in the mod_security rules?

Any idea would be appreciated.

Thanks

netlook

Well-Known Member
Mar 25, 2004
Hi, I found that just before sudo(pam_..... there is mod_dosevasive executed, every time for a different site. I think this sudo.... command is related to mod_dosevasive.

What do you think?

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
What do you have in your mod_dosevasive settings in httpd.conf? You've probably got something set up in there that you don't want using sudo.

netlook

Well-Known Member
Mar 25, 2004
You're right!

I have:

DOSSystemCommand "sudo /usr/local/sbin/apf -d %s"

Removing it solved the problem.

Thanks
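A small defender-side check for the log entry discussed in this thread, added here as an example and not taken from the forum: it parses raw pam_unix sudo failure lines (the constructed sample log below mirrors the format logwatch summarised above) and flags failures whose target user is a daemon account such as nobody, which points at a service hook like the DOSSystemCommand above rather than a person typing a wrong password. The set of service accounts is an assumption; adjust it to the users your daemons actually run as.

```python
import re
from collections import Counter

# pam_unix writes the failure details as "key=value" pairs; empty values
# ("tty=", "rhost=") are normal, so the value group may match nothing.
PAM_FIELDS = re.compile(r"(\w+)=(\S*)")

# Assumed list of accounts daemons run under. A sudo attempt by one of these
# almost always comes from a configured hook (e.g. mod_dosevasive's
# DOSSystemCommand), since a daemon cannot answer a password prompt.
SERVICE_ACCOUNTS = {"nobody", "apache", "www-data", "httpd"}

# Constructed sample syslog lines, not real server data.
SAMPLE_LOG = """\
Mar 25 03:12:01 host sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=nobody
Mar 25 03:12:07 host sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=nobody
Mar 25 03:15:44 host sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Mar 25 03:20:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar 25 03:22:59 host sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
""".splitlines()


def parse_pam_failure(line):
    """Return the key=value fields of a pam_unix sudo auth failure, else None."""
    if "pam_unix(sudo:auth): authentication failure;" not in line:
        return None
    details = line.split("authentication failure;", 1)[1]
    return dict(PAM_FIELDS.findall(details))


def summarize_sudo_failures(lines):
    """Count sudo auth failures per target user; flag those for service accounts."""
    counts = Counter()
    for line in lines:
        fields = parse_pam_failure(line)
        if fields is not None:
            counts[fields.get("user", "?")] += 1
    flagged = {user: n for user, n in counts.items() if user in SERVICE_ACCOUNTS}
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize_sudo_failures(SAMPLE_LOG)
    for user, n in counts.items():
        note = " <- service account: check daemon hooks such as DOSSystemCommand" if user in flagged else ""
        print(f"sudo auth failure for user={user}: {n} time(s){note}")
```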