[ale] Have I been hacked?

Brian Pitts brian at polibyte.com
Thu Jan 8 21:25:09 EST 2009


On Thu, 2009-01-08 at 21:11 -0500, Mark Wright wrote:

> 
> 
> A quick restart fixed the keyboard.  My remaining question is: does the entry in /var/log/auth.log indicate trouble?  It shows some authorization action involving my userid at 7:30 this morning while I was on the road to Norcross.  I don't know if this is normal.
> 
> 
> See the log below.
> 
> 
> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy 
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) 
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark 
> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host 
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) 
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark 
> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port 
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) 
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark 

This is normal. It's caused by the script /etc/cron.daily/apt:

# set the proxy based on the admin users gconf settings
admin_user=$(getent group admin|cut -d: -f4|cut -d, -f1)
if [ -n "$admin_user" ] && [ -x /usr/bin/sudo ] && [ -z "$http_proxy" ] && [ -x /usr/bin/gconftool ]; then
        use=$(sudo -u "$admin_user" gconftool --get /system/http_proxy/use_http_proxy)
        host=$(sudo -u "$admin_user" gconftool --get /system/http_proxy/host)
        port=$(sudo -u "$admin_user" gconftool --get /system/http_proxy/port)
        if [ "$use" = "true" ] && [ -n "$host" ] && [ -n "$port" ]; then
                export http_proxy="http://$host:$port/"
        fi
fi

-Brian
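
Added example (not part of the message above or of the apt script): a small triage helper that separates the sudo records explained by the /etc/cron.daily/apt proxy lookups from any other sudo activity in auth.log. The function names are hypothetical, and the third sample line is constructed for illustration.

```python
import re

# sudo's syslog record: "<invoker> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=.."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.+?)\s*$"
)

# The three read-only gconf keys queried by the /etc/cron.daily/apt snippet above.
APT_PROXY_KEYS = {
    "/system/http_proxy/use_http_proxy",
    "/system/http_proxy/host",
    "/system/http_proxy/port",
}

def parse_sudo(line):
    """Return the fields of a sudo command record, or None for any other line."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def is_apt_proxy_lookup(entry):
    """True only for root with no TTY (as under cron) running one of the lookups."""
    argv = entry["command"].split()
    return (entry["invoker"] == "root" and entry["tty"] == "unknown"
            and len(argv) == 3 and argv[0] == "/usr/bin/gconftool"
            and argv[1] == "--get" and argv[2] in APT_PROXY_KEYS)

def triage(lines):
    """Split sudo command records into (explained, unexplained)."""
    explained, unexplained = [], []
    for line in lines:
        entry = parse_sudo(line)
        if entry is None:
            continue  # pam_unix session open/close lines carry no command
        (explained if is_apt_proxy_lookup(entry) else unexplained).append(entry)
    return explained, unexplained

# First two lines are from the log quoted above; the last one is constructed.
SAMPLE = [
    "Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host ",
    "Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) ",
    "Jan  7 09:12:44 Gateway-Ubuntu sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/apt-get update",
]

if __name__ == "__main__":
    ok, review = triage(SAMPLE)
    print(f"{len(ok)} explained by cron.daily/apt, {len(review)} to review")
    for e in review:
        print("review:", e["invoker"], "->", e["target"], e["command"])
```

The match is deliberately exact (invoker, TTY, binary path, flag and key), so a gconftool call with any other argument lands in the review list rather than being waved through.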


