Originally posted by jimval7
OK, I was checking my firewall logs to make sure no intruders were getting in. I was looking and looking, a couple of pings that were not responded to. THEN I see this message:
PAM_unix: (system-auth) session opened for user news by (uid=0)
PAM_unix: (system-auth) session closed for user news
I don't go to user news groups or have news enabled. Is this something I need to be concerned about?
Most likely it didn't authenticate and failed. /var/log/messages will always record like that above, usually making it seem as if someone might have accessed your system, but really didn't. You'll want to check any of your other logs and see if anything matches something similar to the user news, etc., to make sure they didn't get access. But it doesn't hurt to unplug your machine while checking it out.
For example though, my FTP server doesn't allow anonymous connections, but the messages file will only indicate this:
Jul 2 04:28:47 blackhole proftpd : connect from 18.104.22.168
Making it seem as if someone actually connected, but when I look at the FTP log, it closed their session as they couldn't log in with the correct name and password. Hope this eases your mind a bit. But definitely still look into it though.
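The cross-check suggested in the reply, as an added example that is not part of either post: it pairs each PAM "session opened" line with its "session closed" line, records which uid opened it, and lists other log lines that mention the same account. The optional timestamp/host prefix, the `exampled` service and all sample lines except the first two are constructed assumptions.

```python
import re

# Message shape quoted in the thread. A leading "Mon D HH:MM:SS host"
# syslog prefix is optional (assumption; the quoted lines have none).
SESSION = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+)?"
    r".*?session (?P<event>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>\S*)\(uid=(?P<uid>\d+)\))?"
)

def pair_sessions(lines):
    """Pair each 'session opened' with the next 'session closed' for that user."""
    sessions, pending = [], {}
    for n, line in enumerate(lines, 1):
        m = SESSION.match(line)
        if not m:
            continue
        user = m["user"]
        if m["event"] == "opened":
            rec = {"user": user,
                   "opened_by_uid": int(m["uid"]) if m["uid"] else None,
                   "open_line": n, "close_line": None}
            sessions.append(rec)
            pending.setdefault(user, []).append(rec)
        elif pending.get(user):
            # Close the most recently opened session for this user.
            pending[user].pop()["close_line"] = n
    return sessions

def other_mentions(lines, user):
    """Non-PAM log lines naming the account: the 'check your other logs' step."""
    word = re.compile(rf"\b{re.escape(user)}\b")
    return [l for l in lines if word.search(l) and not SESSION.match(l)]

# First two lines are from the thread; the rest are constructed samples.
SAMPLE = [
    "PAM_unix: (system-auth) session opened for user news by (uid=0)",
    "PAM_unix: (system-auth) session closed for user news",
    "Jul 2 04:28:49 blackhole exampled[123]: login for news rejected",
    "Jul 2 05:00:01 blackhole PAM_unix: (system-auth) "
    "session opened for user backup by (uid=0)",
]

if __name__ == "__main__":
    for s in pair_sessions(SAMPLE):
        state = "closed" if s["close_line"] else "STILL OPEN"
        print(s["user"], "opened by uid", s["opened_by_uid"], state)
    print(other_mentions(SAMPLE, "news"))
```
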