LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-10-2002, 03:57 PM   #1
jimval7
Member
 
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95

Rep: Reputation: 16
/var/log/messages file


OK, I was checking my firewall logs to make sure no intruders were getting in. I was looking and looking, a couple of pings that were not responded to. THEN I see this message:

PAM_unix[3114]: (system-auth) session opened for user news by (uid=0)
PAM_unix[3114]: (system-auth) session closed for user news

I don't go to user news groups or have news enabled. Is this something I need to be concerned about?
 
Old 07-10-2002, 06:18 PM   #2
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madagascar
Posts: 498

Rep: Reputation: 30
Maybe.

If you don't log in as "news" and didn't even know you had a "news" user then I would say unplug your box, and reinstall. It seems that whoever it was has root on your box. When it says session was open by uid=0 that means either the root user or another user with root privileges is on your box. Too bad the message wasn't more descriptive.
 
Old 07-11-2002, 12:54 AM   #3
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 194
Re: /var/log/messages file

Quote:
Originally posted by jimval7
OK, I was checking my firewall logs to make sure no intruders were getting in. I was looking and looking, a couple of pings that were not responded to. THEN I see this message:

PAM_unix[3114]: (system-auth) session opened for user news by (uid=0)
PAM_unix[3114]: (system-auth) session closed for user news

I don't go to user news groups or have news enabled. Is this something I need to be concerned about?
Most likely it didn't authenticate and failed. /var/log/messages will always record like that above, usually making it seem as if someone might have accessed your system, but really didn't. You'll want to check any of your other logs and see if anything matches something similar to the user news, etc., to make sure they didn't get access. But it doesn't hurt to unplug your machine while checking it out.

For example though, my FTP server doesn't allow anonymous connections, but the messages file will only indicate this:

Jul 2 04:28:47 blackhole proftpd[25825] : connect from 210.0.186.132

Making it seem as if someone actually connected, but when I look at the ftp log, it closed their session as they couldn't login with correct name and password. Hope this eases your mind a bit. But definitely still look into it though.
 
Old 07-12-2002, 05:47 AM   #4
mikek147
Member
 
Registered: Mar 2002
Location: Elyria, Ohio
Distribution: Debian, Nothing else required
Posts: 141

Rep: Reputation: 15
If available, you might try running the commands last and lastb. last will show successful logins while lastb will show unsuccessful login attempts. Hope this helps resolve your question. -mk
 
Old 07-17-2002, 04:48 AM   #5
Leffe
LQ Newbie
 
Registered: Apr 2002
Distribution: RH X
Posts: 21

Rep: Reputation: 15
Don't worry. It's just a cron job doing what it's supposed to.
/etc/cron.daily/slrnpull-expire I would suspect.

---------------------------------------------
The slrn-pull package provides the slrnpull utility, which allows you to set up a small news spool for offline news reading using the SLRN news reader. You also need to have the slrn package installed to use the slrnpull utility.
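The two replies above together give the practical check: the "by (uid=0)" in a PAM_unix line is the uid of the process that opened the session (su run from root's cron job, or sshd/login for a real login), not proof that an intruder has root. The script below is an added example, not code from the thread: it takes syslog-style lines and, for every "session opened" line, looks for another program logging under the same PID (sshd, login, su) and for a CROND "CMD" line shortly before it, then labels the session as a cron job, an interactive login, or unknown and worth investigating. The only real lines are the two PAM_unix messages from the original post; every other line (the CROND, su and sshd entries, host name "box", the 203.0.113.5 address and the PIDs) is constructed for the example and only approximates Red Hat 7-era log formats.

```python
"""Correlate PAM 'session opened/closed' lines with their likely opener.

Added example for the thread above; not code from LinuxQuestions.org or any
package discussed there. Only the two PAM_unix lines are from the post; the
other log lines are constructed and approximate the syslog format of that era.
"""
import re
from datetime import datetime

# Constructed sample mixing /var/log/messages and /var/log/cron style lines.
SAMPLE_LOG = """\
Jul 10 04:02:01 box CROND[3110]: (root) CMD (run-parts /etc/cron.daily)
Jul 10 04:02:02 box su[3114]: (to news) root on none
Jul 10 04:02:02 box PAM_unix[3114]: (system-auth) session opened for user news by (uid=0)
Jul 10 04:02:05 box PAM_unix[3114]: (system-auth) session closed for user news
Jul 10 11:41:17 box sshd[4410]: Accepted password for news from 203.0.113.5 port 51022 ssh2
Jul 10 11:41:17 box PAM_unix[4410]: (system-auth) session opened for user news by (uid=0)
Jul 10 11:52:40 box PAM_unix[4410]: (system-auth) session closed for user news
Jul 10 23:17:09 box PAM_unix[4500]: (system-auth) session opened for user news by (uid=0)
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional in classic syslog).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# Matches both "by (uid=0)" and the later "by root(uid=0)" spelling.
OPEN_RE = re.compile(r"session opened for user (?P<user>[^\s(]+) by \S*?\(uid=(?P<uid>\d+)\)")
CLOSE_RE = re.compile(r"session closed for user (?P<user>[^\s(]+)")

# A login daemon logging under the same PID means a person (or their client)
# opened the session, as opposed to a root-owned batch job switching user.
LOGIN_PROGS = {"sshd", "login", "in.telnetd", "in.rlogind", "gdm", "xdm", "kdm"}


def parse_syslog(text):
    """Parse classic syslog lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog of this era carries no year; a dummy year is fine for
        # ordering and deltas inside one file.
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        ev["pid"] = int(ev["pid"]) if ev["pid"] else None
        events.append(ev)
    return events


def classify_sessions(text, window=10):
    """Return one record per PAM 'session opened' line with a verdict.

    Heuristic: same PID also logged by a login daemon -> interactive login;
    a CROND CMD line within `window` seconds before, and nothing but su/cron
    on that PID -> cron job; otherwise flag it for a closer look.
    """
    events = parse_syslog(text)
    by_pid = {}
    for ev in events:
        if ev["pid"] is not None and not ev["prog"].lower().startswith("pam_unix"):
            by_pid.setdefault(ev["pid"], []).append(ev)
    cron_runs = [ev["ts"] for ev in events
                 if ev["prog"].lower() == "crond" and " CMD (" in ev["msg"]]

    records, open_idx = [], {}
    for ev in events:
        if not ev["prog"].lower().startswith("pam_unix"):
            continue
        mo = OPEN_RE.search(ev["msg"])
        if mo:
            progs = {x["prog"] for x in by_pid.get(ev["pid"], [])
                     if abs((ev["ts"] - x["ts"]).total_seconds()) <= window}
            cron_before = any(0 <= (ev["ts"] - t).total_seconds() <= window
                              for t in cron_runs)
            if progs & LOGIN_PROGS:
                verdict = "interactive login"
            elif cron_before and progs <= {"su", "CROND", "crond"}:
                verdict = "cron job"
            elif "su" in progs:
                verdict = "su from another account"
            else:
                verdict = "unknown: investigate"
            records.append({"user": mo["user"], "by_uid": int(mo["uid"]),
                            "pid": ev["pid"], "opened": ev["ts"],
                            "closed": None, "verdict": verdict})
            open_idx[(ev["pid"], mo["user"])] = len(records) - 1
            continue
        mc = CLOSE_RE.search(ev["msg"])
        if mc and (ev["pid"], mc["user"]) in open_idx:
            records[open_idx.pop((ev["pid"], mc["user"]))]["closed"] = ev["ts"]
    return records


if __name__ == "__main__":
    for r in classify_sessions(SAMPLE_LOG):
        state = "closed" if r["closed"] else "STILL OPEN"
        print(f"pid {r['pid']} user {r['user']} opened {r['opened']:%b %d %H:%M:%S} "
              f"by uid {r['by_uid']} [{state}] -> {r['verdict']}")
```

On a real box you would feed it `cat /var/log/messages /var/log/cron`, since crond and su/sshd usually log to different files; a session with no corroborating line under its PID and no cron run nearby is the one to cross-check against `last`/`lastb` and process listings, as the earlier replies suggest. The CROND line format and the su "(to user) root on none" line are assumptions about that era's logging, so adjust the patterns to what your own logs actually contain.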
 
Old 07-22-2002, 12:32 AM   #6
jimval7
Member
 
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95

Original Poster
Rep: Reputation: 16
thanks

Thanks Leffe. It was the cron job; I didn't get hacked. Thanks again, I'm glad it was the cron job.
 