The Community Forums

Interact with an entire community of cPanel & WHM users!

Sudo in LogWatch

Discussion in 'General Discussion' started by netlook, Aug 15, 2006.

  1. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    I saw something strange in today's logwatch e-mail:

    under pam_unix I had:

    sudo:
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=nobody:
    40 Time(s)

    Can you tell me please what it could be?

    Thanks
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    looks like your server has been compromised.

    sudo is the command you use to run functions under elevated privileges, seeing as it's being executed by nobody it would seem that you have a vulnerable script on your server
     
  3. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Hi, Thanks for reply.

    I checked all domlogs for this command every time it was used, but I don't see anything special - there are no suspicious processes on my server.

    I run apache as nobody, but I don't see any constantly running process on my server. Also I have run chkrootkit and rkhunter - there were no alerts at all.

    Could you have any idea how to track this script? Maybe I should put anything in mod_security rules??

    Any idea would be appreciated.

    Thanks
     
  4. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    is there anything suspicious in /tmp?

    can you post the output of ps aux as well
     
  5. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Hi, I found that just before sudo(pam_..... there is mod_dosevasive executed, every time for a different site. I think this sudo.... command is related to mod_dosevasive.

    What do you think?
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    What do you have in your mod_dosevasive settings in httpd.conf? You've probably got something set up in there that you don't want using sudo.
     
  7. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    You're right!

    I have:

    DOSSystemCommand "sudo /usr/local/sbin/apf -d %s"

    Removing it solved the problem.

    Thanks
     
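The thread's diagnosis hinges on reading one pam_unix line correctly: uid=0 euid=0 appear because sudo is setuid root, tty= and rhost= are empty because no interactive session was involved, and user=nobody names the invoking account, here the Apache user that mod_dosevasive's DOSSystemCommand ran under and which could never satisfy sudo's password prompt. The following script is an added example, not code from the thread or from cPanel, that parses pam_unix failure lines from constructed sample auth-log data, aggregates them the way logwatch's "N Time(s)" summary does, and flags the pattern seen here: sudo invoked by a web-server or service account with no tty. The account list and log lines are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample auth log lines in syslog format (not taken from the thread).
SAMPLE_LOG = """\
Aug 15 03:12:01 host sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody
Aug 15 03:12:09 host sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nobody
Aug 15 07:45:10 host sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Aug 15 09:03:55 host sudo: pam_unix(sudo:session): session opened for user root by admin(uid=1001)
Aug 15 11:20:17 host sudo: pam_unix(sudo:auth): authentication failure; logname=admin uid=1001 euid=0 tty=/dev/pts/0 ruser=admin rhost=  user=admin
"""

# Matches the pam_unix auth-failure message and captures the PAM service name
# (sudo, sshd, ...) plus the trailing key=value fields.
PAM_FAIL = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure; (?P<fields>.*)$"
)
# Individual key=value pairs; the value may be empty (e.g. "tty=" or "rhost=").
FIELD = re.compile(r"(\w+)=(\S*)")

# Accounts that daemons run as and that should never be answering a sudo
# password prompt. Assumed list for illustration; adjust to the host.
SERVICE_ACCOUNTS = {"nobody", "apache", "www-data", "httpd"}


def parse_failures(text):
    """Yield one dict per pam_unix authentication-failure line.

    Keys are the PAM fields (logname, uid, euid, tty, ruser, rhost, user)
    plus 'service'. Non-failure lines (session opened, etc.) are skipped.
    """
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(m.group("fields")))
        fields["service"] = m.group("service")
        yield fields


def summarize(text):
    """Count failures per (service, invoking user, tty).

    This mirrors logwatch's 'authentication failure; ... user=nobody: 40 Time(s)'
    roll-up, but keeps the tty so interactive and unattended use stay separate.
    """
    counts = Counter()
    for f in parse_failures(text):
        counts[(f["service"], f.get("user", ""), f.get("tty", ""))] += 1
    return counts


def flag_unattended_sudo(counts):
    """Return (service, user, tty) keys that match the thread's symptom.

    A sudo auth failure with an empty tty, attributed to a service account,
    means a non-interactive process is calling sudo and cannot supply a
    password. In the thread that process was mod_dosevasive's
    DOSSystemCommand running as the Apache user 'nobody'; the fix was to
    stop that daemon from invoking sudo. uid=0/euid=0 on such lines reflect
    sudo being setuid root, not a root login attempt.
    """
    return sorted(
        key for key in counts
        if key[0] == "sudo" and key[1] in SERVICE_ACCOUNTS and key[2] == ""
    )


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (service, user, tty), n in sorted(counts.items()):
        print(f"{service}: user={user!r} tty={tty!r}: {n} Time(s)")
    for key in flag_unattended_sudo(counts):
        print("unattended sudo by service account:", key)
```

Run against the real file (for example /var/log/secure on the systems in the thread) by replacing SAMPLE_LOG with its contents; the interactive admin failure and the sshd failure in the sample are counted but not flagged, which is the distinction that would have pointed at a daemon configuration rather than at an intruder's script.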