Strange log entry

 
Scott E Smith
Frequent Advisor


I got the following message in my syslog early yesterday .....
Jun 18 00:52:46 hostname root: Hey, look I'm logged on as root at the console. Not good...
Jun 18 00:52:47 hostname root:
Jun 18 00:52:53 hostname root: d

Does anyone have any ideas on what this might be?
John Poff
Honored Contributor
Solution

Re: Strange log entry

Hello,

It looks like someone logged in as root and used the 'logger' command to leave you a message in syslog. Not good. If you don't know who did it you'd better start checking to see if your system has been compromised.

You can write messages to syslog.log via the logger command, and it records your hostname and your user id. I hope everything is ok for you.

JP
PIYUSH D. PATEL
Honored Contributor

Re: Strange log entry

Hi,

This certainly means that somebody has logged in to your system with the root login. Have you given root access to anybody?

Then he used the logger command to pass this message to your syslog.log file.

Piyush
Jeff Schussele
Honored Contributor

Re: Strange log entry

Hi Scott,

I'd suspect that someone left the console logged in as root & someone came along & ran the logger command which allows root to make syslog entries. The "d" was *probably* a failed ctrl-d that got logged.....

The other scenario is that someone has the root PW & su'd up & made those entries - again using logger.

Note these didn't necessarily have to be done from the console....syslog doesn't log tty info.

In either case, you need to lock this box down some more. Looks like that was the *purpose* of this exercise.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Victor_5
Trusted Contributor

Re: Strange log entry

I have never seen that before in syslog; obviously it was not written by the system. The first thing I would do, if I were you, is change the password right away, and try to find the root cause if you can.
Thomas D. Harrison
Frequent Advisor

Re: Strange log entry

A suggestion or two.

last -R root | more ==> to see where root was logged in from during this time period.

view /var/adm/sulog ==> to see who might have su'd to root.

Of course, if you find that the id HACKER su'd to root you could try last -R HACKER | more

Good luck!

Thom
Imbibo ergo sum.
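The posts above describe the investigation by hand: the syslog line gives a timestamp but no tty or origin, so you cross-reference it against /var/adm/sulog (and wtmp via last) for the same window. Below is an added example, not code from the thread, that automates the sulog half of that: it converts the syslog timestamp to the month/day form sulog uses and prints every successful su-to-root within a chosen number of minutes before the logger entry. The sulog excerpt is constructed for the example, and the script assumes the classic HP-UX sulog line format "SU MM/DD HH:MM + tty from-root" with "+" for a successful su and "-" for a failed one; the function names and the 30-minute window are choices of the example, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): find su-to-root events in
# /var/adm/sulog that precede a logger entry seen in syslog.
# Assumption: sulog lines look like "SU MM/DD HH:MM + tty user-root".

# Constructed sample sulog excerpt (made up for this example).
# Replace with SULOG_SAMPLE=$(cat /var/adm/sulog) on a real system.
SULOG_SAMPLE='SU 06/17 23:10 + pts/1 scott-root
SU 06/18 00:47 - pts/3 guest-root
SU 06/18 00:49 + pts/3 guest-root
SU 06/18 09:15 + console scott-root'

# month_num Jun -> 06 (syslog uses month names, sulog uses numbers)
month_num() {
  case $1 in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
  esac
}

# to_minutes MM/DD HH:MM -> a monotonic minute count good enough for
# comparing timestamps within one year (months are treated as 31 days).
to_minutes() {
  date_part=$1; time_part=$2
  mon=${date_part%/*}; day=${date_part#*/}
  hh=${time_part%:*};  mm=${time_part#*:}
  # strip leading zeros so 08/09 are not read as octal by $(( ))
  mon=${mon#0}; day=${day#0}; hh=${hh#0}; mm=${mm#0}
  echo $(( ((mon * 31 + day) * 24 + hh) * 60 + mm ))
}

# su_to_root_near MM/DD HH:MM WINDOW_MINUTES
# Prints "MM/DD HH:MM tty user" for each successful su to root that
# happened within WINDOW_MINUTES before the given time. Failed attempts
# ("-") are skipped, as are su's to accounts other than root.
su_to_root_near() {
  target=$(to_minutes "$1" "$2"); window=$3
  printf '%s\n' "$SULOG_SAMPLE" | while read -r tag d t result tty pair; do
    [ "$tag" = SU ] || continue
    [ "$result" = + ] || continue
    case $pair in *-root) ;; *) continue ;; esac
    ts=$(to_minutes "$d" "$t")
    delta=$(( target - ts ))
    if [ "$delta" -ge 0 ] && [ "$delta" -le "$window" ]; then
      printf '%s %s %s %s\n' "$d" "$t" "$tty" "${pair%-root}"
    fi
  done
}

# su_to_root_before_syslog_line "SYSLOG LINE" WINDOW_MINUTES
# Takes a raw syslog line ("Jun 18 00:52:46 host root: ...") and runs the
# sulog search for the window ending at that timestamp.
su_to_root_before_syslog_line() {
  read -r mon day hms _rest <<EOF
$1
EOF
  su_to_root_near "$(month_num "$mon")/$day" "${hms%:*}" "$2"
}

# Usage with the line from the original post and a 30-minute window:
su_to_root_before_syslog_line \
  "Jun 18 00:52:46 hostname root: Hey, look I'm logged on as root at the console. Not good..." 30
```

With the constructed sulog above, the 30-minute search returns only the successful su from pts/3 by "guest" at 00:49; the failed attempt at 00:47 and the earlier su on 06/17 fall outside what the filter keeps. On a real box, widen the window and pair the result with `last -R` for that user, as Thom suggests, since a login straight as root never touches sulog at all.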