I've got several hosts running CentOS 5.11 on the LAN. Lately we've been getting fairly regular sudo alerts (via email) from attempted sudo commands by non-authorized users. I've been Googling in case the attempted commands are known hacks, or known "tools" that can trigger these.
The pattern is pretty regular, usually about twice per hour, alerted from a number of hosts, so it is very unlikely to be a human.
The alerts themselves are always one of these two:
myhost01 : Oct 29 17:50:41 : tzx : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tzx ; USER=root ; COMMAND=lsof -nP +c0 -i4TCP
or
myhost02 : Oct 29 18:16:39 : tzx : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tzx ; USER=root ; COMMAND=parted -l
where user "tzx" is a valid Linux user--typically used to run system services or cron jobs, but also permitted for SSH login (so as to prevent doing either function as root). I've used "last" on one or two of the affected hosts and I see shell sessions from user tzx, less than one minute each, roughly corresponding to the alerts we get. And, all those sessions appear to come from the same source host on the LAN (which I'm also digging at).
Has anybody seen this kind of traffic? Any known tools, hacks/probes or other "things" that tend to try this?
Half of me thinks I've got some user with some noisy (and nosey) tool of some kind and the other half thinks this is a more serious problem.
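One way to take the guesswork out of "noisy tool or real problem" is to tie every sudo alert back to the login session that issued it, then count alerts per source address and per command. The script below is an added example, not part of the original post or of any sudo tooling: it parses mail alerts in the exact format quoted above and `last` output as CentOS 5 prints it (no year field, so timestamps are compared on month/day/hour/minute), matches each alert to the session open on the same host, user and TTY at that minute, and summarises by source. Hostnames, the `10.0.0.5` source address and all sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sudo mail alerts in the format quoted in the post.
ALERTS = """\
myhost01 : Oct 29 17:50:41 : tzx : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tzx ; USER=root ; COMMAND=lsof -nP +c0 -i4TCP
myhost02 : Oct 29 18:16:39 : tzx : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tzx ; USER=root ; COMMAND=parted -l
myhost01 : Oct 29 18:20:05 : tzx : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tzx ; USER=root ; COMMAND=parted -l
"""

# Constructed `last` output, keyed by host (`last` prints no year).
LAST_OUTPUT = {
    "myhost01": """\
tzx      pts/0        10.0.0.5         Wed Oct 29 18:20 - 18:20  (00:00)
tzx      pts/0        10.0.0.5         Wed Oct 29 17:50 - 17:51  (00:00)
admin    pts/1        10.0.0.9         Wed Oct 29 09:02 - 12:30  (03:28)

wtmp begins Wed Oct  1 00:00:01
""",
    "myhost02": """\
tzx      pts/0        10.0.0.5         Wed Oct 29 18:16 - 18:17  (00:00)
""",
}

ALERT_RE = re.compile(
    r"^(?P<host>\S+) : (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"user NOT in sudoers ; TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$")

# Only completed sessions (HH:MM - HH:MM); "still logged in"/"crash" lines are skipped.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<src>\S+)\s+\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) "
    r"(?P<start>\d\d:\d\d) - (?P<end>\d\d:\d\d)")

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def _minute_key(mon, day, hhmm):
    """Comparable (month, day, hour, minute) tuple; both sources omit the year."""
    hh, mm = hhmm.split(":")
    return (MONTHS[mon], int(day), int(hh), int(mm))


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        mon, day, clock = m["ts"].split()
        alerts.append({"host": m["host"], "user": m["user"], "tty": m["tty"],
                       "target": m["target"], "cmd": m["cmd"],
                       "minute": _minute_key(mon, day, clock[:5])})
    return alerts


def parse_last(text):
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        sessions.append({"user": m["user"], "tty": m["tty"], "src": m["src"],
                         "start": _minute_key(m["mon"], m["day"], m["start"]),
                         "end": _minute_key(m["mon"], m["day"], m["end"])})
    return sessions


def correlate(alerts, last_by_host):
    """Attach the source address of the session open when each alert fired."""
    sessions = {h: parse_last(t) for h, t in last_by_host.items()}
    for a in alerts:
        a["src"] = None
        for s in sessions.get(a["host"], []):
            if (s["user"] == a["user"] and s["tty"] == a["tty"]
                    and s["start"] <= a["minute"] <= s["end"]):
                a["src"] = s["src"]
                break
    return alerts


def summarize(alerts):
    """Alert counts per source address and per attempted command."""
    return Counter(a["src"] for a in alerts), Counter(a["cmd"] for a in alerts)


if __name__ == "__main__":
    by_src, by_cmd = summarize(correlate(parse_alerts(ALERTS), LAST_OUTPUT))
    print("alerts per source:", dict(by_src))
    print("alerts per command:", dict(by_cmd))
```

A single source address behind every alert, as in the sample data, points at one machine to examine rather than a fleet-wide campaign; alerts with no matching session (`src` of `None`) are worth a closer look, since they mean the sudo attempt did not come through an interactive login that `last` recorded.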