Originally Posted by unSpawn
First thing you should do regardless of the outcome is to disallow root account user logins (PermitRootLogin No) through sshd anyway and restart sshd. Allowing root access to sshd is a bad practice! Next to that make sure you do not allow ssh access from public IP addresses/ranges other than those you really need access from.
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix): session opened for user root by (uid=0)
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix): session closed for user root
So it closes the session the instant it's opened? Weird. Is there any chance there's a script running?
Doesn't your log show any "Accepted (publickey|password) for user" lines (grep ssh /$LOGDIR/messages) with IP info?
Does wtmp show any IP info ("last -10")? Else insert an Iptables log rule before allowing ssh access to catch IP info.
If you've got a file integrity checker like Aide, Samhain or even tripwire now would be a good time to run it (if you haven't don't bother installing: too late). Also run Chkrootkit and/or Rootkit Hunter if you have them installed just to be sure.
I'm just in for preventive maintenance for my client and found those weird messages in their recent message log.
I don't know if they have any script running at the back, but I was informed that it's a backup server paired with Overland to back up their Windows servers.
Let's presume there should not be any script running at the back; am I safe to suspect something is going wrong?
Nope, they have these servers well protected and no access from outside IPs. All internal access whenever possible. Even when I need to check, I'm not allowed to check from their workstation, but only in front of the server.
I'm pretty sure they don't deny root login through sshd. What if they only log in as root physically in front of the server, will these messages be normal? Because these messages last for hours if not days... I suspect something is not correct here.
Nope, there isn't any IP address shown... just the same message repeating.
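As an added example, not part of this thread and not written by either poster: a small Python script that pairs the pam_unix "session opened"/"session closed" lines from a messages file per user, reports how many sessions closed in the same second they opened (the pattern discussed above), and lists any "Accepted ... from <IP>" lines found. The log lines below are constructed; on many systems the Accepted lines land in secure or auth.log rather than messages, so feed it both files.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the thread (hostname replaced by "host1").
SAMPLE_LOG = """\
Nov 27 19:20:30 host1 sshd[4012]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Nov 27 19:20:30 host1 sshd(pam_unix): session opened for user root by (uid=0)
Nov 27 19:20:36 host1 sshd(pam_unix): session opened for user root by (uid=0)
Nov 27 19:20:36 host1 sshd(pam_unix): session closed for user root
Nov 27 19:21:36 host1 sshd(pam_unix): session opened for user root by (uid=0)
Nov 27 19:21:36 host1 sshd(pam_unix): session closed for user root
Nov 27 19:25:00 host1 sshd(pam_unix): session closed for user root
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SESSION_RE = re.compile(TS + r" \S+ sshd\(pam_unix\): session (opened|closed) for user (\S+)")


def analyze_sshd_log(log_text):
    """Per user: accepted logins with source IP, completed sessions, how many of
    those sessions closed in the same second they opened, and sessions left open."""
    report = defaultdict(lambda: {"logins_with_ip": [], "sessions": 0,
                                  "instant_close": 0, "still_open": 0})
    open_stack = defaultdict(list)  # user -> timestamps of sessions not yet closed
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            ts, method, user, ip = m.groups()
            report[user]["logins_with_ip"].append((ts, method, ip))
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue
        ts, action, user = m.groups()
        if action == "opened":
            open_stack[user].append(ts)
        elif open_stack[user]:
            # pair the close with the most recent unmatched open for that user
            start = open_stack[user].pop()
            report[user]["sessions"] += 1
            if start == ts:
                report[user]["instant_close"] += 1
    for user, stack in open_stack.items():
        report[user]["still_open"] = len(stack)
    return dict(report)


if __name__ == "__main__":
    for user, info in analyze_sshd_log(SAMPLE_LOG).items():
        print(user, info)
```

A high instant_close count with no Accepted line carrying an IP is what the poster is seeing; the wtmp check ("last") and the iptables LOG rule suggested above are the next step for attributing those sessions to a source.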