LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
Reload this Page (pam_unix) session opened for user root by (uid=0)
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices


Reply
  Search this Thread
Old 12-31-2007, 12:45 PM   #1
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561

Rep: Reputation: 57
(pam_unix) session opened for user root by (uid=0)

Hello guys,

I have Debian Stable (Etch). I indeed love its stability.

I have the following auth.log message:
http://nopaste.debianforum.de/7093

and this /etc/crontab
Code:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.monthly
#
# no crontab -l for root


I noted that the apache2 went ON 2days ago, switched on, on ps -aux with www-data.
Is that normal ? what should I try to check ?

I have fail2ban installed but no idea how it works.
 
Old 01-01-2008, 07:18 AM   #2
digen
Member
 
Registered: Dec 2005
Location: India
Distribution: Ubuntu Feisty Fawn
Posts: 107

Rep: Reputation: 15
It appears there is a cron configured which runs a script every 12 minutes.

Quote:
#
Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session opened for user root by (uid=0)
#
Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session closed for user root
#
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session opened for user root by (uid=0)
#
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session closed for user root
I found the below information in the Debian Security manual,


Quote:
11.2.3 I found users doing 'su' in my logs: Am I compromised?

You might find lines in your logs like:

Apr 1 09:25:01 server su[30315]: + ??? root-nobody
Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (uid=0)

Don't worry too much, check out if this is due to a job running through the cron (usually /etc/cron.daily/find or logrotate):

$ grep 25 /etc/crontab
25 6 * * * root test -e /usr/sbin/anacron || run-parts --report
/etc/cron.daily
$ grep nobody /etc/cron.daily/*
find:cd / && updatedb --localuser=nobody 2>/dev/null
http://www.linuxsecurity.com/docs/ha...o/ch11.en.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Only root user can start a gui session landev Linux - Enterprise 6 02-12-2007 10:45 AM
konqueror as root while in user session? bigwheel Slackware 2 05-13-2006 04:24 PM
session opened for user nobody r.stiltskin Debian 4 03-13-2006 01:17 PM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM
Session opened automaticaly: mandrake 9.2 (cooker) cyberk Mandriva 3 10-30-2003 11:38 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian

All times are GMT -5. The time now is 11:14 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration