LinuxQuestions.org
Old 02-23-2005, 03:33 PM   #1
OmnipotentOscar
Member
 
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56

Security threat or automated system - pam_unix??


I'm slowly getting there with Linux, although when I came to set up my home server running FC3 I've had a bit of a security scare.

I installed everything as normal and left the box on for a couple of days to see how it behaved. I opened up the SSH on the firewall and forwarded the port from my router. When I checked the security logs I found that someone had been trying to crack my system trying loads of different usernames and passwords. In a state of paranoia I reset the box to find that one of the hard drives had failed so Linux wouldn't boot.

At this point I thought a simple re-install would do the trick so removed the dead drive and started again. Today I come home to find the following in my System Log:

Feb 23 08:01:01 localhost crond(pam_unix)[6498]: session opened for user root by (uid=0)
Feb 23 08:01:01 localhost crond(pam_unix)[6498]: session closed for user root
Feb 23 09:01:01 localhost crond(pam_unix)[6502]: session opened for user root by (uid=0)
Feb 23 09:01:01 localhost crond(pam_unix)[6502]: session closed for user root
Feb 23 10:01:01 localhost crond(pam_unix)[6506]: session opened for user root by (uid=0)
Feb 23 10:01:01 localhost crond(pam_unix)[6506]: session closed for user root
Feb 23 11:01:01 localhost crond(pam_unix)[6512]: session opened for user root by (uid=0)
Feb 23 11:01:01 localhost crond(pam_unix)[6512]: session closed for user root
Feb 23 12:01:01 localhost crond(pam_unix)[6516]: session opened for user root by (uid=0)
Feb 23 12:01:01 localhost crond(pam_unix)[6516]: session closed for user root
Feb 23 13:01:01 localhost crond(pam_unix)[6520]: session opened for user root by (uid=0)
Feb 23 13:01:01 localhost crond(pam_unix)[6520]: session closed for user root
Feb 23 14:01:01 localhost crond(pam_unix)[6524]: session opened for user root by (uid=0)
Feb 23 14:01:01 localhost crond(pam_unix)[6524]: session closed for user root
Feb 23 15:01:01 localhost crond(pam_unix)[6528]: session opened for user root by (uid=0)
Feb 23 15:01:01 localhost crond(pam_unix)[6528]: session closed for user root
Feb 23 16:01:01 localhost crond(pam_unix)[6532]: session opened for user root by (uid=0)
Feb 23 16:01:01 localhost crond(pam_unix)[6532]: session closed for user root
Feb 23 17:01:01 localhost crond(pam_unix)[6536]: session opened for user root by (uid=0)
Feb 23 17:01:01 localhost crond(pam_unix)[6536]: session closed for user root

I haven't SSH'd into the box so am curious if this is someone who has gained my root password or is simply a system process running....

Please put this paranoid noob's mind at rest!
 
Old 02-23-2005, 04:22 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

My FC3 box here at work shows similar log entries. My guess is that cron generates such logs, or something similar. I don't think it's a problem.
 
Old 02-23-2005, 05:23 PM   #3
OmnipotentOscar
Member
 
Registered: Jan 2005
Distribution: Fedora 5, Debian
Posts: 56

Original Poster
Thank you... I figured that these wouldn't be a problem... you should have seen the last log! If my hdd hadn't crashed I would have pasted the log here!
 
Old 02-23-2005, 06:23 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

The log entry for someone logging in through ssh would look like:
May 18 02:12:44 vortex sshd[1833]: Accepted password for root from xxx.xxx.xxx.xxx port 1881 ssh2

Although this user changed the port number for ssh. In this case the user was hacked. The IP address was for an internet cafe in Romania.

The log you posted is for an hourly cron job.
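
Added example, not part of the original thread: a small triage script that separates the hourly `crond(pam_unix)` session lines from sshd authentication events, the distinction drawn in the replies above. The sample log is constructed; the `Failed password` line format and the 203.0.113.x / 198.51.100.x addresses are assumptions and do not come from the posters' systems.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the thread; PIDs and the
# 203.0.113.x / 198.51.100.x addresses are made up for illustration.
SAMPLE_LOG = """\
Feb 23 08:01:01 localhost crond(pam_unix)[6498]: session opened for user root by (uid=0)
Feb 23 08:01:01 localhost crond(pam_unix)[6498]: session closed for user root
Feb 23 08:14:09 localhost sshd[6501]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Feb 23 08:14:12 localhost sshd[6503]: Failed password for root from 203.0.113.7 port 4033 ssh2
Feb 23 09:01:01 localhost crond(pam_unix)[6502]: session opened for user root by (uid=0)
Feb 23 09:01:01 localhost crond(pam_unix)[6502]: session closed for user root
Feb 23 09:30:44 localhost sshd[6510]: Accepted password for root from 198.51.100.20 port 1881 ssh2
"""

# Timestamp and hostname that precede every syslog message.
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ "
CRON = re.compile(PREFIX + r"crond\(pam_unix\)\[\d+\]: session (opened|closed) for user (\S+)")
SSH = re.compile(PREFIX + r"sshd\[\d+\]: (Accepted|Failed) \S+ for "
                 r"(?:(?:invalid|illegal) user )?(\S+) from (\S+) port \d+")

def classify(line):
    """Return (kind, user, source) for one log line."""
    m = CRON.match(line)
    if m:
        return ("cron-session", m.group(2), None)   # local scheduled job, no remote peer
    m = SSH.match(line)
    if m:
        kind = "ssh-login" if m.group(1) == "Accepted" else "ssh-failed"
        return (kind, m.group(2), m.group(3))       # remote authentication event
    return ("other", None, None)

def summarize(text):
    """Count event kinds, list successful remote logins, tally failures per source."""
    events = [classify(l) for l in text.splitlines() if l.strip()]
    counts = Counter(kind for kind, _, _ in events)
    logins = [(user, src) for kind, user, src in events if kind == "ssh-login"]
    failed_by_source = Counter(src for kind, _, src in events if kind == "ssh-failed")
    return counts, logins, failed_by_source

if __name__ == "__main__":
    counts, logins, failed = summarize(SAMPLE_LOG)
    print(dict(counts))
    for user, src in logins:
        print(f"remote login: {user} from {src}")
    for src, n in failed.items():
        print(f"{n} failed attempts from {src}")
```

The `ssh-login` entries are the ones worth reviewing by hand: each is a successful remote authentication, and its source address should be one you recognise.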
 
  

