- 09-03-2005 #1Just Joined!
- Join Date
- Aug 2005
- Posts
- 40
Is my machine at risk?
1) I found this in auth.log. What does it mean? I didn't do su at that time.
2) Why are there a lot of sessions opened & closed?
Sep 2 06:09:01 dns CRON[6366]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:09:01 dns CRON[6366]: (pam_unix) session closed for user root
Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session closed for user root
Sep 2 06:25:01 dns CRON[6387]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:25:01 dns su[6408]: + ??? root:nobody <<======== 1)
Sep 2 06:25:01 dns su[6408]: (pam_unix) session opened for user nobody by (uid=0)
Sep 2 06:25:58 dns CRON[6387]: (pam_unix) session closed for user root<=== 2)
Sep 2 06:39:01 dns CRON[7647]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:39:01 dns CRON[7647]: (pam_unix) session closed for user root
Sep 2 07:09:01 dns CRON[7662]: (pam_unix) session opened for user root by (uid=0)
Sep 2 07:09:01 dns CRON[7662]: (pam_unix) session closed for user root
Sep 2 07:17:01 dns CRON[7670]: (pam_unix) session opened for user root by (uid=0)
Sep 2 07:17:01 dns CRON[7670]: (pam_unix) session closed for user root
Sep 2 07:39:01 dns CRON[7682]: (pam_unix) session opened for user root by (uid=0)
Sep 2 07:39:01 dns CRON[7682]: (pam_unix) session closed for user root
Sep 2 08:09:01 dns CRON[7693]: (pam_unix) session opened for user root by (uid=0)
Sep 2 08:09:01 dns CRON[7693]: (pam_unix) session closed for user root
Sep 2 08:14:51 dns gdm[1691]: (pam_unix) session opened for user paul by (uid=0)
- 09-05-2005 #2Linux Engineer
- Join Date
- Apr 2005
- Location
- Buenos Aires, Argentina
- Posts
- 908
Don't worry about it, that's all done by CRON and its cronjobs, they all run as root by default.
serzsite.com.ar
"All the drugs in this world won't save you from yourself"
- 09-24-2005 #3Just Joined!
- Join Date
- Mar 2005
- Location
- Ghana
- Posts
- 35
That's right, cron opened all those sessions. Anyway, the su was opened by user nobody - no cause for alarm.
When you check your logs, look out for those with IP address and user name interchange for other user names with SU. Then you will know you are at risk.
In the meantime, use security auditing tools and IPS/IDS packages like Snort, Tripwire, etc.
Try www.yolinux.com for a beginner guide.
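The replies attribute the su entry to a cron job; the sketch below checks that reading against the log itself by pairing each su event with the CRON sessions open at that moment. It is an added example, not code from any poster in this thread: the function name `classify_su`, the year 2005 (taken from the post date), the "no terminal plus open CRON session" heuristic and the final sample line are assumptions made here.

```python
import re
from datetime import datetime

# Lines 1-7 are copied from the auth.log excerpt in the first post (the
# poster's "<<===" markers removed); the last line is constructed for contrast.
SAMPLE = """\
Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:17:01 dns CRON[6375]: (pam_unix) session closed for user root
Sep 2 06:25:01 dns CRON[6387]: (pam_unix) session opened for user root by (uid=0)
Sep 2 06:25:01 dns su[6408]: + ??? root:nobody
Sep 2 06:25:01 dns su[6408]: (pam_unix) session opened for user nobody by (uid=0)
Sep 2 06:25:58 dns CRON[6387]: (pam_unix) session closed for user root
Sep 2 08:14:51 dns gdm[1691]: (pam_unix) session opened for user paul by (uid=0)
Sep 2 09:30:12 dns su[7801]: + pts/1 paul:root
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
SU = re.compile(r"^([+-]) (\S+) (\S+):(\S+)")  # result, tty, from:to

def classify_su(lines, year=2005):
    """Return one record per su event, noting CRON sessions open at that time."""
    open_cron = {}  # pid -> time the CRON session was opened
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, _host, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prog == "CRON" and "session opened" in msg:
            open_cron[int(pid)] = when
        elif prog == "CRON" and "session closed" in msg:
            open_cron.pop(int(pid), None)
        elif prog == "su" and (s := SU.match(msg)):
            _result, tty, src, dst = s.groups()
            # Heuristic (assumption): a tty of "???" is read as "no terminal";
            # with a CRON session open, that points to a scheduled job.
            scheduled = tty == "???" and bool(open_cron)
            events.append({"time": when.strftime("%H:%M:%S"), "from": src,
                           "to": dst, "tty": tty, "cron_pids": sorted(open_cron),
                           "verdict": "cron job" if scheduled else "review"})
    return events

if __name__ == "__main__":
    for event in classify_su(SAMPLE.splitlines()):
        print(event)
```

Overlap in time is a triage hint, not proof of parentage; an entry marked "review" is one to trace to a login session by hand.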
- 01-08-2010 #4Just Joined!
- Join Date
- Jan 2010
- Posts
- 1
Thanks for taking the time to help, I really appreciate it.



