[ale] Have I been hacked?

Mark Wright mark_wright at bellsouth.net
Thu Jan 8 21:36:46 EST 2009


On Jan 8, 2009, at 9:25 PM, Brian Pitts wrote:

> On Thu, 2009-01-08 at 21:11 -0500, Mark Wright wrote:
>
>>
>>
>> A quick restart fixed the keyboard.  My remaining question is does  
>> the entry in /var/log/auth.log indicate trouble?  It shows some  
>> authorization action involving my userid at 7:30 this morning  
>> while I was on the road to Norcross.  I don't know if this normal.
>>
>>
>> See the log below.
>>
>>
>> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ;  
>> PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/ 
>> http_proxy/use_http_proxy
>> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session):  
>> session opened for user mark by (uid=0)
>> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session):  
>> session closed for user mark
>> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ;  
>> PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/ 
>> http_proxy/host
>> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session):  
>> session opened for user mark by (uid=0)
>> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session):  
>> session closed for user mark
>> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ;  
>> PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/ 
>> http_proxy/port
>> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session):  
>> session opened for user mark by (uid=0)
>> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session):  
>> session closed for user mark
>
> This is normal. It's caused by the script /etc/cron.daily/apt
>


Thanks,  I didn't look nefarious but all the other weirdness had me  
worried.





More information about the Ale mailing list