entries in auth.log are +??? I am not sure what it means

Question

I have following entries in /var/log/auth.log

Jan 24 06:37:54 server1 su[9508]: Successful su for nobody by root
Jan 24 06:37:54 server1 su[9508]: + ??? root:nobody

does it point to some problem I am not sure.So let me know if it is some thing I need to worry about.

score 1 · Accepted Answer · answered Jan 24 '11 at 11:24

1

This must be a cron job, because:

User root dropped privileges and became "nobody" to run a cronjob. Check with crontab -l while being root. If there's no cronjob, you might want to worry.
Log entries (although they might be faked of course) around 06:25 AM tend to be cronjobs, updatedb commands etc.

answered Jan 24 '11 at 11:24

weeheavy

Ok crontab -l gives only `8 9 * * * /etc/webmin/cron/tempdelete.pl #Delete Webmin temporary files` – Bond Jan 25 '11 at 03:47
1

Look in /etc/cron.d, /etc/cron.daily etc. too. Forgot to mention this. – weeheavy Jan 25 '11 at 08:04

1 Answers1