I was browsing my logs on papertail and I saw this.
Jun 03 03:26:01 /USR/SBIN/CRON: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Jun 03 03:26:04 su: Successful su for www-data by root
Jun 03 03:26:04 su: + ??? root:www-data
Jun 03 03:26:04 su: pam_unix(su:session): session opened for user www-data by (uid=0)
Jun 03 03:26:04 su: pam_unix(su:session): session closed for user www-data
Jun 03 03:26:04 su: Successful su for www-data by root
Jun 03 03:26:04 su: + ??? root:www-data
Jun 03 03:26:04 su: pam_unix(su:session): session opened for user www-data by (uid=0)
Jun 03 03:26:04 su: pam_unix(su:session): session closed for user www-data
Jun 03 03:26:04 syslog-ng: Configuration reload request received, reloading configuration;
Jun 03 03:26:04 syslog-ng: EOF on control channel, closing connection;
Jun 03 03:26:05 syslog-ng: Configuration reload request received, reloading configuration;
Jun 03 03:26:05 syslog-ng: EOF on control channel, closing connection;
Jun 03 03:26:05 CRON: pam_unix(cron:session): session closed for user root
Jun 03 03:39:01 CRON: pam_unix(cron:session): session opened for user root by (uid=0)
Isn't it possible breakin attempt? Why is root logged as www-data and syslog-ng reload configuration?
Edit.
Files in /etc/cron.daily
apt aptitude bsdmainutils dpkg lighttpd logrotate man-db passwd
In lighttpd is
#!/bin/sh
# Cleanup lighttpd compress cache
cache=/var/cache/lighttpd
if test -d "$cache/compress"; then
su -s /bin/sh -c "find $cache/compress -type f -atime +30 -print0 | xargs -0 -r rm" www-data
fi
if test -d "$cache/uploads"; then
su -s /bin/sh -c "find $cache/uploads -type f -atime +1 -print0 | xargs -0 -r rm" www-data
fi
