Successful su for proxy by root
Steven Susbauer
steven at too1337.com
Sun Feb 20 01:07:11 UTC 2011
On 2/19/11 12:38 PM, scar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> i have been monitoring my /var/log/auth.log lately and i noticed these
> few entries are showing up about once per day. can anyone shed light on
> what is causing it? who is user proxy? thanks
>
> Feb 14 07:54:51 ubuntu-desktop su[24751]: Successful su for proxy by root
> Feb 14 07:54:51 ubuntu-desktop su[24751]: + ??? root:proxy
> Feb 14 07:54:51 ubuntu-desktop su[24751]: pam_unix(su:session): session
> opened for user proxy by (uid=0)
> Feb 14 07:54:52 ubuntu-desktop su[24751]: pam_unix(su:session): session
> closed for user proxy
>
proxy user is probably associated with some kind of proxy software,
running anything you can think of?
It sounds like it's running through cron, check through /etc/cron.daily/
and you'll likely find the script that is responsible for the entries.
If not there then in root's crontab.
Note that the log is nothing to be afraid of. It is the root user
becoming the proxy user and not the other way around. If something bad
is already operating as root, it is likely to do something as root.
More information about the ubuntu-users
mailing list