https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748262#M753433 I never see that before in syslog, obviously it is not wrote by system, the first thing I can do, if I were you, is change password right away, and try to find the root cause if you can.<BR /> Wed, 19 Jun 2002 18:49:38 GMT Victor_5 2002-06-19T18:49:38Z https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748258#M753429 I got the following message in my syslog early yesterday .....<BR />Jun 18 00:52:46 hostname root: Hey, look I'm logged on as root at the console. Not good...<BR />Jun 18 00:52:47 hostname root: <BR />Jun 18 00:52:53 hostname root: d<BR /><BR />Does anyone have any ideas on what this might be? Wed, 19 Jun 2002 18:38:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748258#M753429 Scott E Smith 2002-06-19T18:38:01Z https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748259#M753430 Hello,<BR /><BR />It looks like someone logged in as root and used the 'logger' command to leave you a message in syslog. Not good. If you don't know who did it you'd better start checking to see if your system has been compromised.<BR /><BR />You can write messages to syslog.log via the logger command, and it records your hostname and your user id. I hope everything is ok for you.<BR /><BR />JP<BR /> Wed, 19 Jun 2002 18:45:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748259#M753430 John Poff 2002-06-19T18:45:05Z https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748260#M753431 Hi,<BR /><BR />This certainly means that somebody has logged in into your system with root login. Have you given the root access to anybody.<BR /><BR />Then he has used the logger command to pass this message to your syslog.log file<BR /><BR />Piyush Wed, 19 Jun 2002 18:46:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748260#M753431 PIYUSH D. PATEL 2002-06-19T18:46:21Z https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748261#M753432 Hi Scott,<BR /><BR /> I'd suspect that someone left the console logged in as root &amp; someone came along &amp; ran the logger command which allows root to make syslog entries. The "d" was *probably* a failed ctrl-d that got logged.....<BR /><BR /> The other scenario is that someone has the root PW &amp; su'd up &amp; made those entries - again using logger.<BR /><BR />Note these didn't necessarily have to be done from the console....syslog doesn't log tty info.<BR /><BR />In either case, you need to lock this box down some more. Looks like that was the *purpose* of this exercise.<BR /><BR />Rgds,<BR />Jeff Wed, 19 Jun 2002 18:49:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748261#M753432 Jeff Schussele 2002-06-19T18:49:20Z https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748262#M753433 I never see that before in syslog, obviously it is not wrote by system, the first thing I can do, if I were you, is change password right away, and try to find the root cause if you can.<BR /> Wed, 19 Jun 2002 18:49:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748262#M753433 Victor_5 2002-06-19T18:49:38Z https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748263#M753434 A suggestion or two.<BR /><BR />last -R root | more ==&gt; to see where root was logged in from during this time period.<BR /><BR />view /var/adm/sulog ==&gt; to see who might have su'd to root.<BR /><BR />Of course, if you find that the id HACKER su'd to root you could try last -R HACKER | more<BR /><BR />Good luck!<BR /><BR />Thom Wed, 19 Jun 2002 19:25:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/strange-log-entry/m-p/2748263#M753434 Thomas D. Harrison 2002-06-19T19:25:18Z