0

I was just going through the auth.log file and found the following error. Can anybody tell me whether it is a hack, or just a log entry from Bugzilla, which I installed, throwing an error?

Mar 12 06:50:10 bigbugz02 su[13762]: Successful su for www-data by root
Mar 12 06:50:10 bigbugz02 su[13762]: + ??? root:www-data
Mar 12 06:50:10 bigbugz02 su[13762]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 12 06:50:12 bigbugz02 su[13762]: pam_unix(su:session): session closed for user www-data
Caterpillar

3 Answers

1

This is a frequently asked question in the Secure Debian guide. Here is some more info on the topic:

See point 11.2.3 here

Generally it could be a cron job. So - it is safe.

TheMouse
0

This is generally a safe thing. When the application is started by the root user, it does this to start it as the www-data user.

proy
0

It means a cron job has executed. Depending on whether you have set up cron jobs, this could mean a hack.

I found that I've been hacked:

# crontab -l -u www-data
*/10 * * * * /var/tmp/iFuEAeuC >/dev/null 2>&1

I uploaded the file to VirusTotal, and it says it's some type of virus...

Chen Xing
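
An added example, not part of any answer above: two shell helpers for triaging what this thread discusses, one listing when root opened `su` sessions for a given user in auth.log, and one flagging crontab entries that run a program from a world-writable directory. The function names and the sample data are assumptions, constructed for illustration, apart from the lines quoted from the posts.

```shell
#!/bin/sh
# Added example. Sample input is constructed, except the lines quoted from the thread.
# Real use:  su_sessions www-data < /var/log/auth.log
#            crontab -l -u www-data | suspicious_cron

# List timestamps of "Successful su for <user> by root" entries (auth.log on stdin),
# so they can be compared with the schedules of the cron jobs you know about.
su_sessions() {
    awk -v user="$1" '
        $5 ~ /^su\[[0-9]+\]:$/ && $6 == "Successful" && $9 == user && $11 == "root" {
            print $1, $2, $3
        }'
}

# Flag crontab entries (crontab text on stdin) whose command runs a program
# from a world-writable directory: /tmp, /var/tmp or /dev/shm.
suspicious_cron() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                    # blank lines, comments
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        {
            first = ($1 ~ /^@/) ? 2 : 6                  # @daily etc. use one schedule field
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /[ \t;&|(]\/(tmp|var\/tmp|dev\/shm)\//) print "SUSPICIOUS: " $0
        }'
}

# First two lines are from the question; the sshd line is constructed.
SAMPLE_AUTH='Mar 12 06:50:10 bigbugz02 su[13762]: Successful su for www-data by root
Mar 12 06:50:10 bigbugz02 su[13762]: pam_unix(su:session): session opened for user www-data by (uid=0)
Mar 12 06:55:01 bigbugz02 sshd[13801]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2'

# The /var/tmp entry is from the last answer; the other lines are constructed.
SAMPLE_CRON='# m h dom mon dow command
MAILTO=""
17 3 * * * /usr/bin/php /var/www/maintenance.php
*/10 * * * * /var/tmp/iFuEAeuC >/dev/null 2>&1
@daily /tmp/report.sh'

printf '%s\n' "$SAMPLE_AUTH" | su_sessions www-data
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron
```

A flagged entry is a lead to check against the jobs you installed yourself, not proof of compromise on its own.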