LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Lots of CRON spam from root. Normal? (http://www.linuxquestions.org/questions/linux-security-4/lots-of-cron-spam-from-root-normal-784695/)

bluesword1969 01-25-2010 04:12 PM

Lots of CRON spam from root. Normal?
 
Take a peek at this:

Code:

Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session closed for user root
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session closed for user root
Jan 23 20:25:01 localhost CRON[22998]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:25:01 localhost CRON[22998]: pam_unix(cron:session): session closed for user root
Jan 23 20:30:01 localhost CRON[23048]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:30:01 localhost CRON[23047]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:30:01 localhost CRON[23047]: pam_unix(cron:session): session closed for user root
Jan 23 20:30:02 localhost CRON[23048]: pam_unix(cron:session): session closed for user root
Jan 23 20:35:01 localhost CRON[23294]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:35:01 localhost CRON[23294]: pam_unix(cron:session): session closed for user root
Jan 23 20:39:01 localhost CRON[23340]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:39:01 localhost CRON[23340]: pam_unix(cron:session): session closed for user root
Jan 23 20:40:01 localhost CRON[23382]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:40:01 localhost CRON[23383]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:40:01 localhost CRON[23382]: pam_unix(cron:session): session closed for user root
Jan 23 20:40:01 localhost CRON[23383]: pam_unix(cron:session): session closed for user root
Jan 23 20:45:01 localhost CRON[23667]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:45:01 localhost CRON[23667]: pam_unix(cron:session): session closed for user root
Jan 23 20:50:01 localhost CRON[23718]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:50:01 localhost CRON[23717]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:50:01 localhost CRON[23717]: pam_unix(cron:session): session closed for user root
Jan 23 20:50:02 localhost CRON[23718]: pam_unix(cron:session): session closed for user root
Jan 23 20:55:01 localhost CRON[23964]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:55:01 localhost CRON[23964]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24014]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24015]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24016]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24013]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24013]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24014]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24015]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:03 localhost CRON[24016]: pam_unix(cron:session): session closed for user root
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session closed for user root
Jan 23 21:09:01 localhost CRON[24498]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:09:01 localhost CRON[24498]: pam_unix(cron:session): session closed for user root
Jan 23 21:10:01 localhost CRON[24541]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:10:01 localhost CRON[24540]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:10:01 localhost CRON[24540]: pam_unix(cron:session): session closed for user root
Jan 23 21:10:02 localhost CRON[24541]: pam_unix(cron:session): session closed for user root
Jan 23 21:15:01 localhost CRON[24825]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:15:01 localhost CRON[24825]: pam_unix(cron:session): session closed for user root
Jan 23 21:17:01 localhost CRON[24865]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:17:01 localhost CRON[24865]: pam_unix(cron:session): session closed for user root
Jan 23 21:20:01 localhost CRON[24909]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:20:01 localhost CRON[24910]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:20:01 localhost CRON[24909]: pam_unix(cron:session): session closed for user root
Jan 23 21:20:01 localhost CRON[24910]: pam_unix(cron:session): session closed for user root
Jan 23 21:25:01 localhost CRON[25194]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:25:01 localhost CRON[25194]: pam_unix(cron:session): session closed for user root
Jan 23 21:30:01 localhost CRON[25243]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:30:01 localhost CRON[25244]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:30:01 localhost CRON[25243]: pam_unix(cron:session): session closed for user root
Jan 23 21:30:02 localhost CRON[25244]: pam_unix(cron:session): session closed for user root
Jan 23 21:35:01 localhost CRON[25528]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:35:01 localhost CRON[25528]: pam_unix(cron:session): session closed for user root
Jan 23 21:39:01 localhost CRON[25574]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:39:01 localhost CRON[25574]: pam_unix(cron:session): session closed for user root
Jan 23 21:40:01 localhost CRON[25616]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:40:01 localhost CRON[25617]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:40:01 localhost CRON[25616]: pam_unix(cron:session): session closed for user root
Jan 23 21:40:01 localhost CRON[25617]: pam_unix(cron:session): session closed for user root
Jan 23 21:45:01 localhost CRON[25901]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:45:01 localhost CRON[25901]: pam_unix(cron:session): session closed for user root
Jan 23 21:50:01 localhost CRON[25931]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:50:01 localhost CRON[25930]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:50:01 localhost CRON[25930]: pam_unix(cron:session): session closed for user root
Jan 23 21:50:02 localhost CRON[25931]: pam_unix(cron:session): session closed for user root
Jan 23 21:55:01 localhost CRON[26177]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:55:01 localhost CRON[26177]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26227]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26228]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26226]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26229]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26226]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26227]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26228]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:03 localhost CRON[26229]: pam_unix(cron:session): session closed for user root
Jan 23 22:05:01 localhost CRON[26739]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:05:01 localhost CRON[26739]: pam_unix(cron:session): session closed for user root
Jan 23 22:09:01 localhost CRON[26785]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:09:01 localhost CRON[26785]: pam_unix(cron:session): session closed for user root
Jan 23 22:10:01 localhost CRON[26827]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:10:01 localhost CRON[26828]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:10:01 localhost CRON[26827]: pam_unix(cron:session): session closed for user root
Jan 23 22:10:02 localhost CRON[26828]: pam_unix(cron:session): session closed for user root
Jan 23 22:15:01 localhost CRON[27112]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:15:01 localhost CRON[27112]: pam_unix(cron:session): session closed for user root
Jan 23 22:17:01 localhost CRON[27132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:17:01 localhost CRON[27132]: pam_unix(cron:session): session closed for user root
Jan 23 22:20:01 localhost CRON[27176]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:20:01 localhost CRON[27177]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:20:01 localhost CRON[27176]: pam_unix(cron:session): session closed for user root
Jan 23 22:20:01 localhost CRON[27177]: pam_unix(cron:session): session closed for user root
Jan 23 22:25:01 localhost CRON[27461]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:25:01 localhost CRON[27461]: pam_unix(cron:session): session closed for user root
Jan 23 22:30:01 localhost CRON[27491]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:30:01 localhost CRON[27492]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:30:01 localhost CRON[27491]: pam_unix(cron:session): session closed for user root
Jan 23 22:30:02 localhost CRON[27492]: pam_unix(cron:session): session closed for user root
Jan 23 22:35:01 localhost CRON[27738]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:35:01 localhost CRON[27738]: pam_unix(cron:session): session closed for user root
Jan 23 22:39:01 localhost CRON[27784]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:39:01 localhost CRON[27784]: pam_unix(cron:session): session closed for user root
Jan 23 22:40:01 localhost CRON[27827]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:40:01 localhost CRON[27826]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:40:01 localhost CRON[27826]: pam_unix(cron:session): session closed for user root
Jan 23 22:40:01 localhost CRON[27827]: pam_unix(cron:session): session closed for user root
Jan 23 22:45:01 localhost CRON[28073]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:45:01 localhost CRON[28073]: pam_unix(cron:session): session closed for user root
Jan 23 22:50:01 localhost CRON[28123]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:50:01 localhost CRON[28122]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:50:01 localhost CRON[28122]: pam_unix(cron:session): session closed for user root
Jan 23 22:50:02 localhost CRON[28123]: pam_unix(cron:session): session closed for user root
Jan 23 22:55:01 localhost CRON[28407]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:55:01 localhost CRON[28407]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28459]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28458]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28457]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28456]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28456]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28457]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28458]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:03 localhost CRON[28459]: pam_unix(cron:session): session closed for user root
Jan 23 23:05:01 localhost CRON[28969]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:05:01 localhost CRON[28969]: pam_unix(cron:session): session closed for user root
Jan 23 23:09:01 localhost CRON[29015]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:09:01 localhost CRON[29015]: pam_unix(cron:session): session closed for user root
Jan 23 23:10:01 localhost CRON[29057]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:10:01 localhost CRON[29058]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:10:01 localhost CRON[29057]: pam_unix(cron:session): session closed for user root
Jan 23 23:10:02 localhost CRON[29058]: pam_unix(cron:session): session closed for user root
Jan 23 23:15:01 localhost CRON[29342]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:15:01 localhost CRON[29342]: pam_unix(cron:session): session closed for user root
Jan 23 23:17:01 localhost CRON[29382]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:17:01 localhost CRON[29382]: pam_unix(cron:session): session closed for user root
Jan 23 23:20:01 localhost CRON[29427]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:20:01 localhost CRON[29426]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:20:01 localhost CRON[29426]: pam_unix(cron:session): session closed for user root
Jan 23 23:20:01 localhost CRON[29427]: pam_unix(cron:session): session closed for user root
Jan 23 23:25:01 localhost CRON[29711]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:25:01 localhost CRON[29711]: pam_unix(cron:session): session closed for user root
Jan 23 23:30:01 localhost CRON[29760]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:30:01 localhost CRON[29761]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:30:01 localhost CRON[29760]: pam_unix(cron:session): session closed for user root
Jan 23 23:30:02 localhost CRON[29761]: pam_unix(cron:session): session closed for user root
Jan 23 23:35:01 localhost CRON[30007]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:35:01 localhost CRON[30007]: pam_unix(cron:session): session closed for user root
Jan 23 23:39:01 localhost CRON[30053]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:39:01 localhost CRON[30053]: pam_unix(cron:session): session closed for user root
Jan 23 23:40:01 localhost CRON[30095]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:40:01 localhost CRON[30096]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:40:01 localhost CRON[30095]: pam_unix(cron:session): session closed for user root
Jan 23 23:40:01 localhost CRON[30096]: pam_unix(cron:session): session closed for user root
Jan 23 23:45:01 localhost CRON[30342]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:45:01 localhost CRON[30342]: pam_unix(cron:session): session closed for user root
Jan 23 23:50:01 localhost CRON[30392]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:50:01 localhost CRON[30391]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:50:01 localhost CRON[30391]: pam_unix(cron:session): session closed for user root
Jan 23 23:50:02 localhost CRON[30392]: pam_unix(cron:session): session closed for user root
Jan 23 23:55:01 localhost CRON[30638]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:55:01 localhost CRON[30638]: pam_unix(cron:session): session closed for user root

EDIT: This is only a teeny chunk of what I see. There are literally thousands, maybe millions of these stanzas in /var/log/syslog. This machine is Ubuntu, and the last admin had it facing public Internet, with root account ENABLED. GOOD, LORD.
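An added example, not part of the thread: a small Python script that parses the pam_unix(cron:session) lines shown above, pairs each "session opened" with its "session closed" by PID, and reports at which minute of the hour root cron sessions start and which ones stayed open longer than a moment. The minute histogram is what you compare against /etc/crontab, /etc/cron.d/* and root's crontab to see which job each stanza belongs to; the sample lines are copied from the excerpt above plus one constructed non-cron line to show filtering.

```python
"""Summarize pam_unix(cron:session) entries from syslog/auth.log (added example)."""
import re
import sys
from collections import Counter
from datetime import datetime

# Matches the syslog line layout shown in the thread.
CRON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CRON\[(?P<pid>\d+)\]: "
    r"pam_unix\(cron:session\): session (?P<event>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample: lines from the thread's excerpt plus one unrelated line.
SAMPLE = """\
Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session closed for user root
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24016]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:03 localhost CRON[24016]: pam_unix(cron:session): session closed for user root
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:05:01 localhost anacron[24470]: Job `cron.daily' started
"""


def parse_cron_lines(lines, year=2010):
    """Return one dict per matching line; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = CRON_RE.match(line)
        if not m:
            continue  # not a cron PAM session line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "pid": int(m["pid"]),
                       "event": m["event"], "user": m["user"]})
    return events


def pair_sessions(events):
    """Pair opened/closed by (host, pid). Returns (user, opened, closed); None marks a missing half."""
    open_by_key = {}
    sessions = []
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["event"] == "opened":
            open_by_key[key] = ev
        else:
            start = open_by_key.pop(key, None)
            if start is None:
                sessions.append((ev["user"], None, ev["ts"]))  # close with no open (log window cut?)
            else:
                sessions.append((start["user"], start["ts"], ev["ts"]))
    for start in open_by_key.values():  # opened but not closed within the window
        sessions.append((start["user"], start["ts"], None))
    return sessions


def minute_histogram(sessions, user="root"):
    """How many sessions for `user` start at each minute of the hour."""
    counts = Counter()
    for u, opened, _closed in sessions:
        if u == user and opened is not None:
            counts[opened.minute] += 1
    return counts


def long_running(sessions, min_seconds=2):
    """Sessions open for at least min_seconds; the rest are near-instant jobs."""
    return [(u, o, c) for u, o, c in sessions
            if o is not None and c is not None and (c - o).total_seconds() >= min_seconds]


if __name__ == "__main__":
    # Usage: python cron_sessions.py /var/log/syslog   (falls back to the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE.splitlines()
    sessions = pair_sessions(parse_cron_lines(lines))
    for minute, n in sorted(minute_histogram(sessions).items()):
        print(f"root cron sessions starting at minute {minute:02d}: {n}")
    for u, o, c in long_running(sessions):
        print(f"{u} session {o} -> {c} ran {(c - o).total_seconds():.0f}s")
```

Minutes 00, 05, 10, ... point at jobs on a 5-minute schedule, while lone minutes such as 17 are worth looking up in the crontab files directly; a session that never closes inside the window usually just means the log was cut, but the same check will also surface a job that genuinely hangs.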

jlinkels 01-25-2010 04:48 PM

That is not spam. Apparently root runs a cron job every 5 minutes. When it starts, it has to do PAM authentication. I am not sure you can turn it off, and I would not put any effort in finding out. It is good to see when root is authenticated.

I hope you have a logrotate running on that box so auth.log is being rotated on a daily basis. BTW, if you have a computer connected to the internet, look at that auth.log to see script kiddie attacks. :)

jlinkels

bluesword1969 01-25-2010 05:25 PM

Quote:

Originally Posted by jlinkels (Post 3840285)
That is not spam. Apparently root runs a cron job every 5 minutes. When it starts, it has to do PAM authentication. I am not sure you can turn it off, and I would not put any effort in finding out. It is good to see when root is authenticated.

I hope you have a logrotate running on that box so auth.log is being rotated on a daily basis. BTW, if you have a computer connected to the internet, look at that auth.log to see script kiddie attacks. :)

jlinkels

I think this CRON spam is email/polling related, which isn't so bad, but again, there's lots more weird stuff about this box - like - HOW ABOUT THE FACT THAT THEY LEFT ROOT OVER SSH ENABLED ON IT FOR GOOD GOD KNOWS HOW LONG.

I'm going home now.

:-)

jlinkels 01-25-2010 07:03 PM

You should see which cron jobs are being run in /var/log/syslog.
It is Debian policy not to install SSH by default, but when you install it, it comes with root login allowed. That is not good.

jlinkels
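An added example, not from the thread or its participants, covering the two things raised above: reading auth.log for the password-guessing noise an Internet-facing sshd collects, and checking whether sshd_config still permits root login. The log lines and config fragments are constructed; the parser handles the "Failed password for ... / invalid user ..." and "Accepted ... for ..." forms sshd writes, and the config check follows OpenSSH's rule that the first uncommented occurrence of a directive wins (Match blocks are not handled here).

```python
"""auth.log triage and PermitRootLogin check (added example)."""
import re
from collections import Counter

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample auth.log lines (documentation-range addresses).
SAMPLE_AUTH_LOG = """\
Jan 23 21:03:11 localhost sshd[24301]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jan 23 21:03:14 localhost sshd[24301]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jan 23 21:03:20 localhost sshd[24305]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Jan 23 21:04:02 localhost sshd[24310]: Failed password for invalid user test from 192.0.2.77 port 3344 ssh2
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:06:40 localhost sshd[24480]: Accepted password for root from 198.51.100.23 port 51100 ssh2
"""

# Constructed sshd_config fragments: the commented line must not count.
CONFIG_ROOT_ALLOWED = """\
# Authentication:
LoginGraceTime 120
#PermitRootLogin no
PermitRootLogin yes
StrictModes yes
"""
CONFIG_ROOT_DENIED = "PermitRootLogin no\nPasswordAuthentication no\n"


def triage_auth_log(lines):
    """Count failed password attempts per source and per user; list accepted root logins."""
    failed_by_ip = Counter()
    failed_users = Counter()
    root_logins = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_users[m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["user"] == "root":
            root_logins.append((m["ip"], m["method"]))
    return {"failed_by_ip": failed_by_ip, "failed_users": failed_users, "root_logins": root_logins}


def permit_root_login(sshd_config_text):
    """Effective PermitRootLogin value (first uncommented directive wins), or 'missing'."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # accepts 'Key value' and 'Key=value'
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return "missing"


if __name__ == "__main__":
    report = triage_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for ip, n in report["failed_by_ip"].most_common():
        print(f"{n:4d} failed password attempts from {ip}")
    for ip, method in report["root_logins"]:
        print(f"root logged in from {ip} via {method}")
    print("PermitRootLogin:", permit_root_login(CONFIG_ROOT_ALLOWED))
```

Any accepted root login from an address that was guessing passwords minutes earlier is the line to act on first; when the directive is reported as "missing", check the default of the installed OpenSSH version rather than assuming, because older releases (the era this thread is from) treated the absent directive as "yes" while current ones do not.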
