
Within the Apache error.log I have the message: "su: must be run from a terminal". Usually, there are error IDs, the monitored IP and the source of the error (PHP page) - all this is missing here.

If I check the Apache access.log during the given time window (between the error message before and the one after the entry "su: must be run from a terminal"), there is a hacking approach: PROPFIND /webdav/ HTTP/1.1" 403 0 "-" "WEBDAV Client" (the IP is already listed in the abuse IP database.list: https://www.abuseipdb.com/check/192.99.144.140)

Now I wonder if the "su: must be run from a terminal" is normal behaviour if the PROPFIND was rejected properly, or if this is a clear sign that there is a critical vulnerability. (I have never added/activated/used the WebDAV module for this server.)

I'd be happy if someone could explain/give further information on where/how this plain message "su: must be run from a terminal" is coming from/was generated.

Florian