Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Debian This forum is for the discussion of Debian Linux.


  Search this Thread
Old 12-31-2007, 12:45 PM   #1
Senior Member
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Rep: Reputation: 57
(pam_unix) session opened for user root by (uid=0)

Hello guys,

I have Debian Stable (Etch). I indeed love its stability.

I have the following auth.log message:

and this /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.


# m h dom mon dow user  command
17 *    * * *   root    run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.monthly
# no crontab -l for root

I noted that the apache2 went ON 2days ago, switched on, on ps -aux with www-data.
Is that normal ? what should I try to check ?

I have fail2ban installed but no idea how it works.
Old 01-01-2008, 07:18 AM   #2
Registered: Dec 2005
Location: India
Distribution: Ubuntu Feisty Fawn
Posts: 107

Rep: Reputation: 15
It appears there is a cron configured which runs a script every 12 minutes.

Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session opened for user root by (uid=0)
Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session closed for user root
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session opened for user root by (uid=0)
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session closed for user root
I found the below information in the Debian Security manual,

11.2.3 I found users doing 'su' in my logs: Am I compromised?

You might find lines in your logs like:

Apr 1 09:25:01 server su[30315]: + ??? root-nobody
Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (uid=0)

Don't worry too much, check out if this is due to a job running through the cron (usually /etc/cron.daily/find or logrotate):

$ grep 25 /etc/crontab
25 6 * * * root test -e /usr/sbin/anacron || run-parts --report
$ grep nobody /etc/cron.daily/*
find:cd / && updatedb --localuser=nobody 2>/dev/null


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Only root user can start a gui session landev Linux - Enterprise 6 02-12-2007 10:45 AM
konqueror as root while in user session? bigwheel Slackware 2 05-13-2006 04:24 PM
session opened for user nobody r.stiltskin Debian 4 03-13-2006 01:17 PM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM
Session opened automaticaly: mandrake 9.2 (cooker) cyberk Mandriva 3 10-30-2003 11:38 PM

All times are GMT -5. The time now is 12:37 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration