Hi all,

I just set up Denyhosts on my Linux box and I noticed quite a few weird lines in my auth.log:

Code:
Jun  7 14:14:34 server groupadd[10088]: new group: name=messagebus, GID=109
Jun  7 14:14:34 server useradd[10091]: new user: name=messagebus, UID=100, GID=109, home=/var/run/dbus, shell=/bin/false
Jun  7 14:14:34 server chage[10092]: changed password expiry for messagebus
Jun  7 14:14:46 server groupadd[10304]: new group: name=haldaemon, GID=110
Jun  7 14:14:46 server useradd[10305]: new user: name=haldaemon, UID=110, GID=110, home=/var/run/hal, shell=/bin/false
Jun  7 14:14:46 server chage[10306]: changed password expiry for haldaemon
Jun  7 14:14:47 server chfn[10307]: changed user `haldaemon' information
Jun  7 14:14:47 server gpasswd[10309]: set members of floppy to greg,haldaemon
Jun  7 14:14:47 server gpasswd[10311]: set members of cdrom to greg,haldaemon
Jun  7 14:14:48 server gpasswd[10314]: set members of plugdev to greg,haldaemon
Jun  7 14:17:01 server CRON[12606]: (pam_unix) session opened for user root by (uid=0)
Jun  7 14:17:01 server CRON[12606]: (pam_unix) session closed for user root
Jun  7 14:20:17 server groupadd[13326]: new group: name=gdm, GID=111
Jun  7 14:20:17 server useradd[13329]: new user: name=gdm, UID=104, GID=111, home=/var/lib/gdm, shell=/bin/false
Jun  7 14:20:17 server chage[13330]: changed password expiry for gdm
Jun  7 14:20:17 server usermod[13333]: change user `gdm' GID from `111' to `111'
Jun  7 14:20:17 server usermod[13334]: change user `gdm' shell from `/bin/false' to `/bin/false'
... [this happens 5 or 6 times at varying times, but nothing seems to come of it]
Jun 20 06:25:03 server su[6020]: + ??? root:nobody
Jun 20 06:25:03 server su[6020]: (pam_unix) session opened for user nobody by (uid=0)
Jun 20 06:25:03 server su[6020]: (pam_unix) session closed for user nobody
Jun 20 06:25:03 server su[6024]: + ??? root:nobody
Jun 20 06:25:03 server su[6024]: (pam_unix) session opened for user nobody by (uid=0)
Jun 20 06:25:03 server su[6024]: (pam_unix) session closed for user nobody
Jun 20 06:25:03 server su[6026]: + ??? root:nobody
Jun 20 06:25:03 server su[6026]: (pam_unix) session opened for user nobody by (uid=0)
Jun 20 06:25:43 server su[6026]: (pam_unix) session closed for user nobody
... [the next section repeats a whole bunch of times with varying usernames]
Jun 29 06:42:16 server sshd[7682]: Did not receive identification string from 202.106.213.29
Jun 29 06:45:20 server sshd[7683]: Invalid user lpd from 202.106.213.29
Jun 29 06:45:20 server sshd[7683]: reverse mapping checking getaddrinfo for bt-213-029.bta.net.cn failed - POSSIBLE BREAKIN ATTEMPT!
Jun 29 06:45:20 server sshd[7683]: (pam_unix) check pass; user unknown
Jun 29 06:45:20 server sshd[7683]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.106.213.29 
Jun 29 06:45:23 server sshd[7683]: Failed password for invalid user lpd from 202.106.213.29 port 44073 ssh2
First off, I've disabled the port forwarding that was letting SSH at the box, so it should be safe enough. Then again, since I forgot to install a protection system like Tripwire and wasn't checking my logs, I wouldn't take my word for it.

I believe the first set of entries happened because I installed gdm, which created the users and changed their parameters during its install, but I just want to make sure.

The next set is what set me off - AFAIK nobody should be able to log in to the nobody account. And yet in /etc/passwd the nobody account had /bin/sh as its shell, and a shadow password... I'm still learning which users are important and which aren't, but in the meantime I've disabled that account. Has someone broken into this account?

Last but not least, the third section I see a lot. I know everyone sees this, but is there anything I can do about it? Some of the servers appear to be legit webservers.
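As an added example (not from the original post, and not part of Denyhosts or any other tool mentioned in it), the script below parses auth.log lines of the kind quoted above and pulls out what a reader of those two sections would want to check: each su switch together with whether it had a controlling terminal (su writes ??? in the tty position when it ran without one, which is what non-interactive jobs look like), how long each PAM session stayed open, and per-source sshd failure counts with the invalid usernames that were tried. The embedded sample log is constructed from the post's excerpt; the addresses 198.51.100.7 and 192.0.2.10 are documentation-range stand-ins, and the failure threshold of 3 is an arbitrary choice for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the post's excerpt (not the poster's real file).
# 198.51.100.7 and 192.0.2.10 are documentation-range stand-ins.
SAMPLE_LOG = """\
Jun 20 06:25:03 server su[6020]: + ??? root:nobody
Jun 20 06:25:03 server su[6020]: (pam_unix) session opened for user nobody by (uid=0)
Jun 20 06:25:03 server su[6020]: (pam_unix) session closed for user nobody
Jun 20 06:25:03 server su[6026]: + ??? root:nobody
Jun 20 06:25:03 server su[6026]: (pam_unix) session opened for user nobody by (uid=0)
Jun 20 06:25:43 server su[6026]: (pam_unix) session closed for user nobody
Jun 29 06:42:16 server sshd[7682]: Did not receive identification string from 202.106.213.29
Jun 29 06:45:20 server sshd[7683]: Invalid user lpd from 202.106.213.29
Jun 29 06:45:23 server sshd[7683]: Failed password for invalid user lpd from 202.106.213.29 port 44073 ssh2
Jun 29 06:46:01 server sshd[7690]: Failed password for invalid user admin from 202.106.213.29 port 44100 ssh2
Jun 29 06:46:30 server sshd[7695]: Failed password for invalid user oracle from 202.106.213.29 port 44120 ssh2
Jun 29 06:47:10 server sshd[7701]: Failed password for root from 198.51.100.7 port 52200 ssh2
Jun 29 06:48:00 server sshd[7702]: Accepted password for greg from 192.0.2.10 port 50000 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message", as written by a classic syslog daemon
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# su's own audit line: "+ <tty> <caller>:<target>"; the tty reads "???" when su had no terminal
SU_RE = re.compile(r"^\+ (?P<tty>\S+) (?P<src>[^:\s]+):(?P<dst>\S+)$")
SESSION_RE = re.compile(r"^\(pam_unix\) session (?P<what>opened|closed) for user (?P<user>\S+)")
SSH_NOID_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)")
SSH_INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
SSH_FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SSH_ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None for lines that do not fit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime's default year is fine for same-day durations
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyse(text, fail_threshold=3):
    """Summarise su switches, PAM session lengths and sshd activity in an auth.log excerpt."""
    su_switches, sessions, accepted = [], [], []
    open_sessions = {}                 # (prog, pid) -> (user, opened_at)
    failures, probes = Counter(), Counter()
    invalid_users = defaultdict(set)

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prog, pid, msg = rec["prog"], rec["pid"], rec["msg"]

        if prog == "su" and (m := SU_RE.match(msg)):
            su_switches.append({"pid": pid, "src": m["src"], "dst": m["dst"],
                                "tty": m["tty"], "no_tty": m["tty"] == "???"})
        elif m := SESSION_RE.match(msg):
            key = (prog, pid)
            if m["what"] == "opened":
                open_sessions[key] = (m["user"], rec["when"])
            elif key in open_sessions:
                user, opened_at = open_sessions.pop(key)
                sessions.append((prog, pid, user, (rec["when"] - opened_at).total_seconds()))
        elif prog == "sshd":
            if m := SSH_NOID_RE.match(msg):
                probes[m["ip"]] += 1          # connected but never spoke SSH: a scanner or a timeout
            elif m := SSH_INVALID_RE.match(msg):
                invalid_users[m["ip"]].add(m["user"])
            elif m := SSH_FAILED_RE.match(msg):
                failures[m["ip"]] += 1
                if m["invalid"]:
                    invalid_users[m["ip"]].add(m["user"])
            elif m := SSH_ACCEPTED_RE.match(msg):
                accepted.append((m["user"], m["ip"], m["method"]))

    return {
        "su_switches": su_switches,
        "sessions": sessions,
        "ssh_probes": dict(probes),
        "ssh_failures": dict(failures),
        "ssh_invalid_users": {ip: sorted(u) for ip, u in invalid_users.items()},
        "ssh_accepted": accepted,
        "ssh_bruteforce_sources": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for s in report["su_switches"]:
        how = "no terminal (non-interactive)" if s["no_tty"] else "tty " + s["tty"]
        print(f"su[{s['pid']}] {s['src']} -> {s['dst']}: {how}")
    for prog, pid, user, secs in report["sessions"]:
        print(f"{prog}[{pid}] session for {user} lasted {secs:.0f}s")
    for ip in report["ssh_bruteforce_sources"]:
        tried = ", ".join(report["ssh_invalid_users"].get(ip, []))
        print(f"{ip}: {report['ssh_failures'][ip]} failed logins, invalid users tried: {tried}")
    for user, ip, method in report["ssh_accepted"]:
        print(f"accepted {method} login for {user} from {ip}")
```

Run as-is it reports on the embedded sample; to run it over a real file, call `analyse(open("/var/log/auth.log").read())`. The useful checks are the ones the post is asking about: an su switch with no terminal, made by uid 0 and closed within seconds, is what a scheduled job looks like rather than an interactive login, while the accepted-login list and the per-source failure counts are what to compare against the accounts and addresses you expect.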