[Eisfair] Re: Help needed with removing malware. (kdevtmpfsi)
Marcus Röckrath
marcus.roeckrath at gmx.de
Fri Oct 29 14:38:23 CEST 2021
Hello Fabian,
Fabian Törner wrote:
>> has anyone of you perhaps also seen the following entries in the log
>> files in this context - in my case in messages.log:
>
> Oct 23 10:17:53 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:17:54 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:17:55 eis su: (to wwwrun) root on pts/0
> Oct 23 10:17:55 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:17:56 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:18:04 eis su: (to wwwrun) root on pts/0
> Oct 23 10:18:04 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:18:05 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:36:29 eis su: (to wwwrun) root on pts/0
> Oct 23 10:36:29 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:36:29 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:36:29 eis su: (to wwwrun) root on pts/0
> Oct 23 10:36:29 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:36:29 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:36:29 eis su: (to wwwrun) root on pts/0
> Oct 23 10:36:29 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:36:29 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:36:29 eis su: (to wwwrun) root on pts/0
> Oct 23 10:36:29 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:36:29 eis su: pam_unix(su:session): session closed for user wwwrun
> Oct 23 10:36:29 eis su: (to wwwrun) root on pts/0
> Oct 23 10:36:30 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
> Oct 23 10:36:30 eis su: pam_unix(su:session): session closed for user wwwrun
These entries, and also the atd:session ones mentioned in the previous post, are
not suspicious in themselves, since they also occur through local processes such
as atd, logrotate, cron jobs, exim, ...
--
Regards, Marcus
[eisfair-Team]
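A small triage helper, added here as an example and not part of the thread, that pairs the su/pam_unix lines quoted above into sessions (who switched to whom, from which tty, for how long) so the counts and times can be compared against what the local jobs Marcus names are expected to produce. The sample lines are a constructed, shortened copy of the quoted excerpt, and the year 2021 is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime
# Constructed sample from the quoted messages.log excerpt (wrapped records split apart again).
SAMPLE_LOG = """\
Oct 23 10:17:53 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
Oct 23 10:17:54 eis su: pam_unix(su:session): session closed for user wwwrun
Oct 23 10:17:55 eis su: (to wwwrun) root on pts/0
Oct 23 10:17:55 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
Oct 23 10:17:56 eis su: pam_unix(su:session): session closed for user wwwrun
Oct 23 10:36:29 eis su: (to wwwrun) root on pts/0
Oct 23 10:36:29 eis su: pam_unix(su:session): session opened for user wwwrun(uid=30) by root(uid=0)
Oct 23 10:36:29 eis su: pam_unix(su:session): session closed for user wwwrun
"""
TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su: "          # syslog timestamp, host, "su:" tag
RE_TO = re.compile(TS + r"\(to (\w+)\) (\w+) on (\S+)$")
RE_OPEN = re.compile(TS + r"pam_unix\(su:session\): session opened for user "
                     r"(\w+)\(uid=\d+\) by (\w+)\(uid=\d+\)$")
RE_CLOSE = re.compile(TS + r"pam_unix\(su:session\): session closed for user (\w+)$")
def parse_ts(s, year):
    # syslog timestamps carry no year, so the caller supplies one (assumption: 2021)
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")
def su_sessions(log_text, year=2021):
    """Pair 'opened'/'closed' records into sessions, attaching the tty from the preceding '(to ...)' line."""
    sessions, open_sessions, pending_tty = [], {}, {}
    for line in log_text.splitlines():
        if m := RE_TO.match(line):                      # "(to target) by_user on tty"
            pending_tty[(m.group(2), m.group(3))] = m.group(4)
        elif m := RE_OPEN.match(line):
            ts, target, by = m.groups()
            open_sessions[target] = {"target": target, "by": by, "closed": None,
                                     "tty": pending_tty.pop((target, by), None),
                                     "opened": parse_ts(ts, year)}
        elif (m := RE_CLOSE.match(line)) and (s := open_sessions.pop(m.group(2), None)):
            s["closed"] = parse_ts(m.group(1), year)
            sessions.append(s)
    sessions.extend(open_sessions.values())              # still open when the log ends
    return sessions
def triage(sessions):
    """Per (by, target, tty): session count, longest duration in seconds, sessions never closed."""
    out = {}
    for s in sessions:
        e = out.setdefault((s["by"], s["target"], s["tty"]),
                           {"count": 0, "max_seconds": 0.0, "still_open": 0})
        e["count"] += 1
        if s["closed"] is None:
            e["still_open"] += 1
        else:
            e["max_seconds"] = max(e["max_seconds"], (s["closed"] - s["opened"]).total_seconds())
    return out
```

Sub-second root to wwwrun sessions clustered at cron-like times match what local jobs produce; a long-running or never-closed session is the kind of entry worth checking against the crontab and at queue.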