mystery su showing up in message log

[stfaprc]

running RH9

Jul 13 00:05:01 net su(pam_unix)[978]: session opened for user news by (uid=0)
Jul 13 00:05:01 net su(pam_unix)[978]: session closed for user news
Jul 14 00:07:09 net su(pam_unix)[15270]: session opened for user news by (uid=0)
Jul 14 00:07:09 net su(pam_unix)[15270]: session closed for user news
Jul 15 00:07:56 net su(pam_unix)[2352]: session opened for user news by (uid=0)
Jul 15 00:07:56 net su(pam_unix)[2352]: session closed for user news

here is the thing: the user news has been disabled and the shell has been set to /bin/false.
What is going on?

 

[elgrandeperro]

root su-ing in a cron job?

 

[stfaprc]

don't see how it can be via a cron job when I am logged in as root and try from the command line

[740 /root]# su news
[741 /root]# whoami
root

the attempt to change to news does not work.

 

[Annihilannic]

And when you do that, does it create a log entry as well?

Annihilannic.

 

[thedaver]

So went ahead on my system and used 'usermod -L news' to lock that account and mod'd the shell to /bin/false.

My 'su news' returns to the same prompt without an error. So the example above is repeatable (on a non-hacked box).

So I would concur that you have some cron script that is trying to do something as user 'news' and it's obviously failing immediately (log shows each entry starts and ends at the same time in seconds)

I suppose you could still be hacked if that's your concern, but more likely is that something's still scheduled for that user account. Find it, kill it, and see if the log entry goes away.

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[stfaprc]

thing I found it,

/etc/cron.daily]# grep news *
slrnpull-expire: exec su news -c 'slrnpull --expire'

thanks !