  1. #1
    Just Joined!
    Join Date
    Aug 2005
    Posts
    40

    Is my machine at risk?


    1) I found this in auth.log. What does it mean? I didn't do su at that time.
    2) Why are there a lot of sessions opened & closed?

    Sep 2 06:09:01 dns CRON[6366]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 06:09:01 dns CRON[6366]: (pam_unix) session closed for user root
    Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session closed for user root
    Sep 2 06:25:01 dns CRON[6387]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 06:25:01 dns su[6408]: + ??? root:nobody <<======== 1)
    Sep 2 06:25:01 dns su[6408]: (pam_unix) session opened for user nobody by (uid=0)
    Sep 2 06:25:58 dns CRON[6387]: (pam_unix) session closed for user root<=== 2)
    Sep 2 06:39:01 dns CRON[7647]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 06:39:01 dns CRON[7647]: (pam_unix) session closed for user root
    Sep 2 07:09:01 dns CRON[7662]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 07:09:01 dns CRON[7662]: (pam_unix) session closed for user root
    Sep 2 07:17:01 dns CRON[7670]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 07:17:01 dns CRON[7670]: (pam_unix) session closed for user root
    Sep 2 07:39:01 dns CRON[7682]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 07:39:01 dns CRON[7682]: (pam_unix) session closed for user root
    Sep 2 08:09:01 dns CRON[7693]: (pam_unix) session opened for user root by (uid=0)
    Sep 2 08:09:01 dns CRON[7693]: (pam_unix) session closed for user root
    Sep 2 08:14:51 dns gdm[1691]: (pam_unix) session opened for user paul by (uid=0)

  2. #2
    Linux Engineer
    Join Date
    Apr 2005
    Location
    Buenos Aires, Argentina
    Posts
    908
    Don't worry about it, that's all done by CRON and its cronjobs, they all run as root by default.
    serzsite.com.ar
    "All the drugs in this world won't save you from yourself"

  3. #3
    Just Joined!
    Join Date
    Mar 2005
    Location
    Ghana
    Posts
    35
    That's right, cron opened all those sessions. Anyway, the su was opened by user nobody - no cause for alarm.

    When you check your logs, look out for those with IP address and user name interchange for other user names with SU. Then you will know you are at risk.

    In the meantime, use security auditing tools and IPS/IDS packages like SNORT, TRIPWIRE etc.

    Try www.yolinux.com for a beginner guide.
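
An added example, not part of the original thread: a short Python check that applies the replies' reasoning to auth.log by tracking open CRON sessions and classifying each `su` record against them. The sample lines are constructed in the thread's log format; the two `paul:root` records, their PIDs and the verdict strings are assumptions made for illustration.

```python
import re

# Constructed sample in the same format as the auth.log lines in the thread.
SAMPLE = """\
Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session closed for user root
Sep 2 06:25:01 dns CRON[6387]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:25:01 dns su[6408]: + ??? root:nobody
Sep 2 06:25:01 dns su[6408]: (pam_unix) session opened for user nobody by (uid=0)
Sep 2 06:25:58 dns CRON[6387]: (pam_unix) session closed for user root
Sep 2 09:40:12 dns su[7801]: + pts/1 paul:root
Sep 2 09:41:30 dns su[7810]: - pts/1 paul:root
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)\[(\d+)\]: (.*)$")
# su's own record: result (+ ok / - failed), tty (??? = none), from-user:to-user
SU = re.compile(r"^([+-]) (\S+) (\S+):(\S+)$")

def classify_su(text):
    """Return (time, from_user, to_user, verdict) for every su record."""
    open_cron = set()   # PIDs of CRON sessions opened and not yet closed
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        if prog == "CRON" and "session opened" in msg:
            open_cron.add(pid)
        elif prog == "CRON" and "session closed" in msg:
            open_cron.discard(pid)
        elif prog == "su" and (s := SU.match(msg)):
            result, tty, src, dst = s.groups()
            if result == "-":
                verdict = "failed su: review"
            elif tty == "???" and src == "root" and open_cron:
                verdict = "no tty, root switching user inside an open cron session"
            else:
                verdict = "interactive su: confirm it was expected"
            findings.append((stamp.split()[-1], src, dst, verdict))
    return findings

if __name__ == "__main__":
    for finding in classify_su(SAMPLE):
        print(*finding, sep="  ")
```

Sessions are matched by line order and CRON PID, so the 06:25:01 `su` is tied to the cron job that was still open until 06:25:58, while the terminal-based records are left for a person to confirm.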

  4. #4
    Just Joined!
    Join Date
    Jan 2010
    Posts
    1
    Thanks for taking the time to help, I really appreciate it.
