unusual auth.log entry, should i be worried?

frieza · 10-18-2012, 12:47 PM

trying to investigate why a machine crashed, this line appears in the auth.log, is this a problem?

Code:

Oct 18 04:21:01 Radio-One CRON[4092]: pam_unix(cron:session): session closed for user smmsp
Oct 18 04:39:01 Radio-One CRON[4124]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 18 04:39:01 Radio-One CRON[4124]: pam_unix(cron:session): session closed for user root
Oct 18 04:40:01 Radio-One CRON[4133]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 04:41:01 Radio-One CRON[4133]: pam_unix(cron:session): session closed for user smmsp
Oct 18 05:00:01 Radio-One CRON[4163]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 05:01:02 Radio-One CRON[4163]: pam_unix(cron:session): session closed for Oct 18 10:58:49 Radio-One sshd[871]: Received signal 15; terminating.
Oct 18 10:58:49 Radio-One sshd[1248]: Server listening on 0.0.0.0 port 22.
Oct 18 10:58:49 Radio-One sshd[1248]: Server listening on :: port 22.
Oct 18 11:01:19 Radio-One gdm-session-worker[1173]: pam_unix(gdm-autologin:session): session opened for user jock by (uid=0)
Oct 18 11:01:19 Radio-One gdm-session-worker[1173]: pam_ck_connector(gdm-autologin:session): nox11 mode, ignoring PAM_TTY :0
Oct 18 11:01:20 Radio-One sshd[874]: Received signal 15; terminating.
Oct 18 11:01:20 Radio-One sshd[1322]: Server listening on 0.0.0.0 port 22.
Oct 18 11:01:20 Radio-One sshd[1322]: Server listening on :: port 22.
Oct 18 11:01:21 Radio-One polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.21 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Oct 18 11:01:22 Radio-One dbus-daemon: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.26" (uid=1000 pid=1353 comm="nautilus ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply=0 destination=":1.4" (uid=0 pid=912 comm="/usr/sbin/console-kit-daemon --no-daemon "))

acid_kewpie · 10-18-2012, 01:21 PM

it's just two log entries mangled together. the string "user smmsp\n" just got lost somehow.

frieza · 10-18-2012, 01:27 PM

Quote:

Originally Posted by acid_kewpie

it's just two log entries mangled together. the string "user smmsp\n" just got lost somehow.

that it is, but I should mention that there are similar gaps in other log files, what are the chances of this being an attempt to cover tracks?

unSpawn · 10-18-2012, 01:39 PM

Quote:

Originally Posted by frieza

that it is, but I should mention that there are similar gaps in other log files, what are the chances of this being an attempt to cover tracks?

If and when you question system integrity you don't want to talk about "chances" but properly investigate the cause instead. And unless there's other anomalies you haven't told us about I wouldn't immediately attribute it to malice but check SAR data for resource bottlenecks first.

frieza · 10-18-2012, 01:51 PM

Quote:

Originally Posted by unSpawn

If and when you question system integrity you don't want to talk about "chances" but properly investigate the cause instead. And unless there's other anomalies you haven't told us about I wouldn't immediately attribute it to malice but check SAR data for resource bottlenecks first.

sorry, indeed

I forgot to mention the indication of device eth0 going in and out of promiscuous mode

acid_kewpie · 10-18-2012, 02:52 PM

Actually, there clearly should have been a log in there every 20 minutes from cron, but that's gone. Anything in messages about syslogd dying? That would cover gaps in multiple files.

frieza · 10-18-2012, 03:00 PM

last enties in syslog.1

Code:

Oct 18 04:17:01 Radio-One CRON[4088]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Oct 18 04:20:01 Radio-One CRON[4094]: (smmsp) CMD (test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp)
Oct 18 04:20:01 Radio-One sm-msp-queue[4110]: My unqualified host name (Radio-One) unknown; sleeping for retry
Oct 18 04:21:01 Radio-One sm-msp-queue[4110]: unable to qualify my own domain name (Radio-One) -- using short name
Oct 18 04:28:54 Radio-One kernel: [59589.807974] device eth0 left promiscuous mode

Oct 18 04:39:01 Radio-One CRON[4126]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
Oct 18 04:40:01 Radio-One CRON[4135]: (smmsp) CMD (test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp)
Oct 18 04:40:01 Radio-One sm-msp-queue[4151]: My unqualified host name (Radio-One) unknown; sleeping f
(END)

first entries in syslog

Code:

Oct 18 07:38:21 Radio-One rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="885" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.
Oct 18 07:38:44 Radio-One anacron[4458]: Job `cron.daily' terminated (exit status: 1) (mailing output)
Oct 18 07:38:44 Radio-One sendmail[4631]: My unqualified host name (Radio-One) unknown; sleeping for retry
Oct 18 07:39:01 Radio-One CRON[4635]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)