topic Re: su: tty+ in Operating System - HP-UX

su: tty+

yulianto piyut — Tue, 01 Jul 2008 11:45:35 GMT

all,

in sulog and syslog.log, there are many messages:
SU 07/01 19:55 + tty?? root-johan
SU 07/01 19:56 + tty?? root-johan
SU 07/01 19:57 + tty?? root-johan
SU 07/01 19:58 + tty?? root-johan
SU 07/01 19:59 + tty?? root-johan
SU 07/01 20:00 + tty?? root-johan
SU 07/01 20:01 + tty?? root-johan
SU 07/01 20:01 + tty?? root-apps11i
SU 07/01 20:02 + tty?? root-johan
SU 07/01 20:03 + tty?? root-johan
SU 07/01 20:04 + tty?? root-johan
SU 07/01 20:05 + tty?? root-johan

i have checked in cronjob and no script that run su to johan and apps11i.
anybody know about it?

Re: su: tty+

Oviwan — Tue, 01 Jul 2008 11:49:32 GMT

hi

to check who is on the server use:
who -u

and maybe you can find out who it is.

regards

Re: su: tty+

yulianto piyut — Tue, 01 Jul 2008 12:00:40 GMT

thx oviwan for your quick reply,

I have checked and only me that login to server.

Re: su: tty+

Oviwan — Tue, 01 Jul 2008 12:13:53 GMT

ask johan, maybe he knows more ;)

Re: su: tty+

Patrick Wallek — Tue, 01 Jul 2008 12:48:55 GMT

There's got to be a script somewhere that does this.

You should also check your 'at' jobs. Do an 'at -l' and see if anything shows up.

Re: su: tty+

TTr — Tue, 01 Jul 2008 14:32:45 GMT

Do the SU messages in syslog repeat forever or was this a one time, 11-minute occurence? There is (was) definitely a script running. It could be a simple script with an endless loop and a 60 second delay in it that runs the su commands. If it is still running, check the "ps" listing for suspects. In addition to cron and at, it may have been started by a "nohup" command or from a /sbin/init.d/ startup script or inittab.

Re: su: tty+

john korterman — Tue, 01 Jul 2008 14:41:45 GMT

It could probably also be an application running as root making "su"s. However, johan and appps11i must exist as users; check their home directories for log files and other interesting stuff.

regards,
John K.

Re: su: tty+

yulianto piyut — Wed, 02 Jul 2008 02:12:37 GMT

no output from "at -l" command. User johan & apps11i doesn't know the root password, only me and other sysadmin that know the root password. I have tried in another server, firstly, I was direct login to root than run su - to another user, the log message in /var/adm/sulog :
SU 07/01 19:06 + tty?? root-yulianto. so, i think, the script is run by root.

Re: su: tty+

Dennis Handly — Wed, 02 Jul 2008 02:40:40 GMT

>i think, the script is run by root.

Exactly. I assumed you knew this when you said "to johan and apps11i".
I'm surprised it had "tty??".

Re: su: tty+

yulianto piyut — Wed, 02 Jul 2008 02:45:09 GMT

Dennis,

how to check script that run by root as background process? below the cronjob by root and process running by root:
# crontab -l root
# Entry(s) in /opt/hpservices/RemoteSupport are for HP Instant Support Enterprise Edition
0 0 * * 1 /opt/hpservices/RemoteSupport/config/pruneIncidents.sh > /dev/null 2>&1
# Set programmatically by setSysInfoCronEntry.sh: Thu Mar 29 14:05:17 TST 2007
00 23 * * 0 /opt/hpservices/contrib/SysInfo/bin/SysInfoRunMap.sh >> /var/opt/hpservices/contrib/SysInfo/adm/SysInfoRunMap.cronlog 2>&1 &
# sar command
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/lbin/sa/sa1
0 0 1 * * /usr/lbin/sa/sa2 -A

# ps -ef|grep root
root 0 0 13 Aug 16 ? 2177:49 swapper
root 8 0 0 Aug 16 ? 0:00 supsched
root 9 0 0 Aug 16 ? 0:00 strmem
root 10 0 0 Aug 16 ? 0:00 strweld
root 11 0 0 Aug 16 ? 0:00 strfreebd
root 2 0 12 Aug 16 ? 107:54 vhand
root 3 0 1 Aug 16 ? 778:38 statdaemon
root 4 0 0 Aug 16 ? 7:59 unhashdaemon
root 12 0 0 Aug 16 ? 0:00 ttisr
root 13 0 0 Aug 16 ? 0:03 ioconfigd
root 1 0 0 Aug 16 ? 12:11 init
root 19 0 0 Aug 16 ? 24:21 lvmkd
root 20 0 0 Aug 16 ? 24:14 lvmkd
root 21 0 0 Aug 16 ? 24:16 lvmkd
root 22 0 0 Aug 16 ? 24:13 lvmkd
root 23 0 0 Aug 16 ? 24:20 lvmkd
root 24 0 0 Aug 16 ? 24:13 lvmkd
root 25 0 0 Aug 16 ? 0:00 lvmschedd
root 26 0 0 Aug 16 ? 6:09 smpsched
root 27 0 0 Aug 16 ? 6:09 smpsched
root 28 0 0 Aug 16 ? 6:09 smpsched
root 29 0 0 Aug 16 ? 6:09 smpsched
root 30 0 0 Aug 16 ? 6:09 smpsched
root 31 0 0 Aug 16 ? 6:09 smpsched
root 32 0 0 Aug 16 ? 6:09 smpsched
root 33 0 0 Aug 16 ? 6:08 smpsched
root 34 0 0 Aug 16 ? 6:09 smpsched
root 35 0 0 Aug 16 ? 6:08 smpsched
root 36 0 0 Aug 16 ? 6:09 smpsched
root 37 0 0 Aug 16 ? 6:09 smpsched
root 38 0 0 Aug 16 ? 0:00 sblksched
root 39 0 0 Aug 16 ? 0:00 sblksched
root 40 0 0 Aug 16 ? 3:02 lvmdevd
root 41 0 0 Aug 16 ? 0:00 lvmattachd
root 22480 1 0 Jun 24 console 0:00 /usr/sbin/getty console console
root 835 1 0 Aug 16 ? 0:00 /usr/sbin/rpcbind
root 1179 1 0 Aug 16 ? 0:24 /usr/sbin/snmpdm
root 47 0 0 Aug 16 ? 5336:59 vxfsd
root 75 0 0 Aug 16 ? 2:48 lvmdevd
root 76 0 0 Aug 16 ? 0:00 lvmattachd
root 77 0 0 Aug 16 ? 3:18 lvmdevd
root 78 0 0 Aug 16 ? 0:00 lvmattachd
root 79 0 0 Aug 16 ? 3:22 lvmdevd
root 80 0 0 Aug 16 ? 0:00 lvmattachd
root 81 0 0 Aug 16 ? 2:39 lvmdevd
root 82 0 0 Aug 16 ? 0:00 lvmattachd
root 537 1 0 Aug 16 ? 66:18 /usr/sbin/syncer
root 553 0 0 Aug 16 ? 0:03 dmprestored
root 1382 1 0 Aug 16 ? 5:56 /usr/sbin/cron
root 648 1 0 Aug 16 ? 0:00 /usr/sbin/hotplugd /var/adm/hotplugd.log trunc
root 661 1 0 Aug 16 ? 0:00 /usr/lbin/nktl_daemon 0 0 0 0 0 1 -2 0
root 1196 1 0 Aug 16 ? 0:00 /usr/sbin/hp_unixagt
root 671 1 0 Aug 16 ? 0:00 /usr/lbin/ntl_reader 0 1 1 1 1000 2 /var/adm/nettl /var/adm/con
root 672 671 0 Aug 16 ? 43:13 /usr/sbin/netfmt -C -F -f /var/adm/nettl.LOG000 -c /var/adm/con
root 840 0 0 Aug 16 ? 0:00 nfskd
root 884 1 0 Aug 16 ? 0:04 /usr/sbin/inetd
root 666 134 1 11:08:10 pts/7 0:00 ps -ef
root 1207 1 0 Aug 16 ? 18:54 /usr/sbin/mib2agt
root 1218 1 0 Aug 16 ? 0:00 /usr/sbin/trapdestagt
root 1243 1 0 Aug 16 ? 0:00 /usr/sbin/fddi4subagt
root 1266 1 0 Aug 16 ? 2:40 /opt/wbem/lbin/cimserver
root 1260 1 0 Aug 16 ? 5:57 /opt/dce/sbin/rpcd
root 1267 1266 0 Aug 16 ? 0:00 /opt/wbem/lbin/cimservera
root 1268 1266 0 Aug 16 ? 0:19 /opt/wbem/lbin/cimprovagt 11 10 EMSHAProviderModule
root 1354 1 0 Aug 16 ? 97:25 /usr/sbin/pwgrd
root 1402 1 0 Aug 16 ? 0:00 /usr/sbin/envd
root 1326 1 0 Aug 16 ? 0:07 /usr/sbin/rbootd
root 1728 1 0 Aug 16 ? 0:00 /opt/hpservices/contrib/emsListener/bin/rstlistener
root 2022 1 0 Aug 16 ? 0:34 /sbin/krsd -i
root 1892 1 0 Aug 16 ? 0:00 /sbin/sh /usr/dt/bin/dtrc
root 2023 1 0 Aug 16 ? 0:00 /sbin/sfd
root 1399 1 0 Aug 16 ? 26:49 /usr/sbin/stm/uut/bin/sys/diagmond
root 29251 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 1840 1 0 Aug 16 ? 26:52 /opt/VRTSob/bin/vxsvc -r /opt/VRTSob/config/Registry
root 1552 1 0 Aug 16 ? 6:06 /usr/sbin/swagentd -r
root 1907 1 0 Aug 16 ? 28:54 /opt/openssl/prngd/prngd -n -c /opt/openssl/prngd/prngd.conf /v
root 1597 1 0 Aug 16 ? 0:00 /etc/opt/resmon/lbin/emsagent
root 1916 1892 0 Aug 16 ? 0:00 /usr/dt/bin/dtlogin
root 2011 1399 0 Aug 16 ? 2:03 memlogd
root 2010 1399 0 Aug 16 ? 21:09 diaglogd
root 2024 1 0 Aug 16 ? 4:11 /opt/wbem/lbin/cimserverd
root 2028 1 0 Aug 16 ? 9:37 /etc/opt/resmon/lbin/p_client
root 2029 1 0 Aug 16 ? 348:53 /usr/lbin/utild
root 29275 1 0 Aug 21 ? 0:00 /usr/sbin/rpc.lockd
root 29260 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29252 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 26951 26914 0 Dec 5 ? 2015:24 /bea_shinta/connect1/bea/jdk142_05/bin/PA_RISC2.0/java -server
root 9629 9625 0 May 26 ? 0:00 /opt/OV/lbin/conf/ovconfd
root 29286 1 0 Aug 21 ? 9:06 /usr/lib/netsvc/fs/automount/automount -f /etc/auto_master
root 26925 1 0 19:34:37 ? 0:00 /opt/ssh/sbin/sshd
root 29261 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29247 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29256 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29253 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 9679 9625 0 May 26 ? 14:08 /opt/OV/lbin/eaagt/opcmsga
root 9627 9625 0 May 26 ? 3:27 /opt/OV/bin/ovbbccb -nodaemon
root 134 16205 0 11:06:24 pts/7 0:00 -sh
root 29248 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 9675 1 0 Sep 3 ? 0:49 /usr/sbin/syslogd -D
root 29259 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29258 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29269 1 0 Aug 21 ? 0:00 /usr/sbin/rpc.statd
root 29246 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 3846 1 0 Sep 25 ? 513:08 sendmail: accepting connections on port 25
root 29257 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29254 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29250 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 29255 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 9625 1 0 May 26 ? 16:53 /opt/OV/bin/ovcd
root 29249 1 0 Aug 21 ? 0:26 /usr/sbin/biod 16
root 668 134 1 11:08:10 pts/7 0:00 grep root
root 13838 1 0 Jun 24 ? 0:00 sshd: adityaws@pts/0
root 8377 1 0 Apr 21 ? 0:00 /opt/perf/bin/ttd
root 9685 9625 0 May 26 ? 33:22 /opt/OV/lbin/eaagt/opcmona
root 16191 26925 0 10:18:01 ? 0:00 sshd: yulianto@pts/7
root 9681 9625 0 May 26 ? 11:18 /opt/OV/lbin/eaagt/opcacta
root 24609 24607 0 Jan 15 ? 249:51 /opt/APPQcime/jre/bin/PA_RISC/java -Dprogram.name=../tools/star
root 26914 1 0 Dec 5 ? 0:00 /bin/sh ./startWebLogic.sh
root 22182 1 4 Nov 14 ? 82:23 p_ctmat
root 24607 1 0 Jan 15 ? 147:21 ../lib/wrapper ../conf/jswwrapper.conf wrapper.pidfile=../lib//
root 19760 1 0 Jun 30 ? 0:33 mad -u root -g bin
root 9683 9625 0 May 26 ? 0:00 /opt/OV/lbin/eaagt/opcmsgi
root 5118 1 0 May 26 ? 4:41 /opt/OV/lbin/xpl/trc/ovtrcd
root 8395 26925 0 09:50:57 ? 0:01 sshd: johan@pts/1
root 22030 1 0 Nov 14 ? 8:59 p_ctmag
root 9677 9625 0 May 26 ? 14:30 /opt/OV/lbin/perf/coda

Re: su: tty+

Dennis Handly — Wed, 02 Jul 2008 03:21:44 GMT

>how to check script that run by root as background process? below the cronjob by root and process running by root:

Well you can grep the crontab scripts:
/opt/hpservices/RemoteSupport/config/pruneIncidents.sh
/opt/hpservices/contrib/SysInfo/bin/SysInfoRunMap.sh

I wouldn't think these would do it.

root 134 16205 0 11:06:24 pts/7 0:00 -sh

I don't see the parent 16205 here, you should see what it is: ps -fp 16205

root 26925 1 0 19:34:37 ? 0:00 /opt/ssh/sbin/sshd
root 13838 1 0 Jun 24 ? 0:00 sshd: adityaws@pts/0
root 16191 26925 0 10:18:01 ? 0:00 sshd: yulianto@pts/7
root 8395 26925 0 09:50:57 ? 0:01 sshd: johan@pts/1

You might look at these? Does root su to each user that uses ssh?

root 24609 24607 0 Jan 15 ? 249:51 /opt/APPQcime/jre/bin/PA_RISC/java -Dprogram.name=../tools/star
root 26914 1 0 Dec 5 ? 0:00 /bin/sh ./startWebLogic.sh
root 22182 1 4 Nov 14 ? 82:23 p_ctmat
root 22030 1 0 Nov 14 ? 8:59 p_ctmag
root 19760 1 0 Jun 30 ? 0:33 mad -u root -g bin

Not sure what these all do??

Re: su: tty+

yulianto piyut — Wed, 02 Jul 2008 03:49:14 GMT

hi dennis,

no script consists of root su to another user.
# ps -ef|grep sshd
root 16537 15681 0 12:10:24 pts/4 0:00 grep sshd
root 15633 4134 0 12:06:17 ? 0:00 sshd: yulianto@pts/4
root 8395 1 0 09:50:57 ? 0:02 sshd: johan@pts/1
root 4134 1 0 11:20:20 ? 0:00 /opt/ssh/sbin/sshd
# date
Wed Jul 2 12:10:31 TST 2008
# tail /var/adm/sulog
SU 07/02 12:03 + 4 yulianto-root
SU 07/02 12:03 + tty?? root-johan
SU 07/02 12:04 + tty?? root-johan
SU 07/02 12:05 + tty?? root-johan
SU 07/02 12:06 + tty?? root-johan
SU 07/02 12:06 + 4 yulianto-root
SU 07/02 12:07 + tty?? root-johan
SU 07/02 12:08 + tty?? root-johan
SU 07/02 12:09 + tty?? root-johan
SU 07/02 12:10 + tty?? root-johan

now, only me and user johan that login to server.

Re: su: tty+

Dennis Handly — Wed, 02 Jul 2008 05:00:37 GMT

>no script consists of root su to another user.

Could it be rcp/scp or ssh to your machine?
Can you (as yulianto) ssh back to your same machine and see if that is logged?

SU 07/02 12:03 + tty?? root-johan
...
SU 07/02 12:10 + tty?? root-johan

Like clockwork.

>user johan that login to server.

Can you ask him if he doing any scripting for once a minute?

Re: su: tty+

yulianto piyut — Wed, 02 Jul 2008 05:42:36 GMT

thx dennis,

I have asked to user johan and no script that running comman su to user johan. The other su messages is normal, based on sudoers file.

Re: su: tty+

Dennis Handly — Wed, 02 Jul 2008 07:31:21 GMT

If you have given up on trying to play detective, it's time to have su tell you who is doing things.

You need to write a su wrapper to log more things. How good are you at scripting? How secure to you need to make this wrapper? (Where we are going to log more info.)

Re: su: tty+

Dennis Handly — Thu, 03 Jul 2008 02:07:58 GMT

>ME: You need to write a su wrapper to log more things.

Here is a thread that has a wrapper:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1188448

Re: su: tty+

yulianto piyut — Thu, 03 Jul 2008 02:32:52 GMT

thx for your information,

i'm not good in scripting, :D

Re: su: tty+

yulianto piyut — Thu, 03 Jul 2008 04:02:29 GMT

hi dennis,

I have already tried to use the script wrapper based on link yo gave to me. after i replace /usr/bin/su with /usr/bin/su_my, there are no messages root su to johan in /var/adm/sulog and /var/adm/syslog/syslog.log. If it solved my problem?

Re: su: tty+

Dennis Handly — Thu, 03 Jul 2008 09:57:37 GMT

>there are no messages root su to johan in /var/adm/sulog and /var/adm/syslog/syslog.log. If it solved my problem?

I'm not sure why they would stop?
Have you tried using su(1) to see if you get logged? Perhaps that script is bad. Especially the instructions to make it setuid. That shouldn't be necessary, unless you want some type of security on the alternate logfile.

Re: su: tty+

TTr — Thu, 03 Jul 2008 19:46:33 GMT

One last thing to check is if root has a .rhosts (and for ssh, is it .shosts? i don't remember) file that allows other servers to run remote shells on this server. They may be doing this as well.