On 26 August 2010 08:13, Ted Harding Ted.Harding@manchester.ac.uk wrote:
Good morning! I just (and I hardly ever do this ... ) had a look at /var/log/auth.log on a Debian Etch running in a VirtualBox VM.
Almost all the entries are simply references to CRON, e.g.
Aug 26 03:17:01 localhost CRON[26804]: (pam_unix) session opened for user root by (uid=0) Aug 26 03:17:01 localhost CRON[26804]: (pam_unix) session closed for user root
Yes, my auth.log on Ubuntu 10.04 is full of that too, and has been for years. At least you know cron is doing something!
However, there is a short sequence of root su-ing to "nobody":
Aug 26 07:35:05 localhost su[30229]: Successful su for nobody by root Aug 26 07:35:05 localhost su[30229]: + ??? root:nobody Aug 26 07:35:05 localhost su[30229]: (pam_unix) session opened for user nobody by (uid=0) Aug 26 07:35:05 localhost su[30229]: (pam_unix) session closed for user nobody
Anyone know what "nobody" has to do with anything?
Could it be an http daemon? I don't suppose you can catch it in action.
Tim.