LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page Lots of CRON spam from root. Normal?
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-25-2010, 04:12 PM   #1
bluesword1969
Member
 
Registered: Jan 2010
Location: East Coast, USA.
Distribution: Gentoo, Debian, OpenBSD.
Posts: 70

Rep: Reputation: 25
Lightbulb Lots of CRON spam from root. Normal?

Take a peek at this:

Code:
Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session closed for user root
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session closed for user root
Jan 23 20:25:01 localhost CRON[22998]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:25:01 localhost CRON[22998]: pam_unix(cron:session): session closed for user root
Jan 23 20:30:01 localhost CRON[23048]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:30:01 localhost CRON[23047]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:30:01 localhost CRON[23047]: pam_unix(cron:session): session closed for user root
Jan 23 20:30:02 localhost CRON[23048]: pam_unix(cron:session): session closed for user root
Jan 23 20:35:01 localhost CRON[23294]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:35:01 localhost CRON[23294]: pam_unix(cron:session): session closed for user root
Jan 23 20:39:01 localhost CRON[23340]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:39:01 localhost CRON[23340]: pam_unix(cron:session): session closed for user root
Jan 23 20:40:01 localhost CRON[23382]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:40:01 localhost CRON[23383]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:40:01 localhost CRON[23382]: pam_unix(cron:session): session closed for user root
Jan 23 20:40:01 localhost CRON[23383]: pam_unix(cron:session): session closed for user root
Jan 23 20:45:01 localhost CRON[23667]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:45:01 localhost CRON[23667]: pam_unix(cron:session): session closed for user root
Jan 23 20:50:01 localhost CRON[23718]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:50:01 localhost CRON[23717]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:50:01 localhost CRON[23717]: pam_unix(cron:session): session closed for user root
Jan 23 20:50:02 localhost CRON[23718]: pam_unix(cron:session): session closed for user root
Jan 23 20:55:01 localhost CRON[23964]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:55:01 localhost CRON[23964]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24014]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24015]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24016]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24013]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24013]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24014]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24015]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:03 localhost CRON[24016]: pam_unix(cron:session): session closed for user root
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session closed for user root
Jan 23 21:09:01 localhost CRON[24498]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:09:01 localhost CRON[24498]: pam_unix(cron:session): session closed for user root
Jan 23 21:10:01 localhost CRON[24541]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:10:01 localhost CRON[24540]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:10:01 localhost CRON[24540]: pam_unix(cron:session): session closed for user root
Jan 23 21:10:02 localhost CRON[24541]: pam_unix(cron:session): session closed for user root
Jan 23 21:15:01 localhost CRON[24825]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:15:01 localhost CRON[24825]: pam_unix(cron:session): session closed for user root
Jan 23 21:17:01 localhost CRON[24865]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:17:01 localhost CRON[24865]: pam_unix(cron:session): session closed for user root
Jan 23 21:20:01 localhost CRON[24909]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:20:01 localhost CRON[24910]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:20:01 localhost CRON[24909]: pam_unix(cron:session): session closed for user root
Jan 23 21:20:01 localhost CRON[24910]: pam_unix(cron:session): session closed for user root
Jan 23 21:25:01 localhost CRON[25194]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:25:01 localhost CRON[25194]: pam_unix(cron:session): session closed for user root
Jan 23 21:30:01 localhost CRON[25243]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:30:01 localhost CRON[25244]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:30:01 localhost CRON[25243]: pam_unix(cron:session): session closed for user root
Jan 23 21:30:02 localhost CRON[25244]: pam_unix(cron:session): session closed for user root
Jan 23 21:35:01 localhost CRON[25528]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:35:01 localhost CRON[25528]: pam_unix(cron:session): session closed for user root
Jan 23 21:39:01 localhost CRON[25574]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:39:01 localhost CRON[25574]: pam_unix(cron:session): session closed for user root
Jan 23 21:40:01 localhost CRON[25616]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:40:01 localhost CRON[25617]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:40:01 localhost CRON[25616]: pam_unix(cron:session): session closed for user root
Jan 23 21:40:01 localhost CRON[25617]: pam_unix(cron:session): session closed for user root
Jan 23 21:45:01 localhost CRON[25901]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:45:01 localhost CRON[25901]: pam_unix(cron:session): session closed for user root
Jan 23 21:50:01 localhost CRON[25931]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:50:01 localhost CRON[25930]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:50:01 localhost CRON[25930]: pam_unix(cron:session): session closed for user root
Jan 23 21:50:02 localhost CRON[25931]: pam_unix(cron:session): session closed for user root
Jan 23 21:55:01 localhost CRON[26177]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:55:01 localhost CRON[26177]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26227]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26228]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26226]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26229]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26226]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26227]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26228]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:03 localhost CRON[26229]: pam_unix(cron:session): session closed for user root
Jan 23 22:05:01 localhost CRON[26739]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:05:01 localhost CRON[26739]: pam_unix(cron:session): session closed for user root
Jan 23 22:09:01 localhost CRON[26785]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:09:01 localhost CRON[26785]: pam_unix(cron:session): session closed for user root
Jan 23 22:10:01 localhost CRON[26827]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:10:01 localhost CRON[26828]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:10:01 localhost CRON[26827]: pam_unix(cron:session): session closed for user root
Jan 23 22:10:02 localhost CRON[26828]: pam_unix(cron:session): session closed for user root
Jan 23 22:15:01 localhost CRON[27112]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:15:01 localhost CRON[27112]: pam_unix(cron:session): session closed for user root
Jan 23 22:17:01 localhost CRON[27132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:17:01 localhost CRON[27132]: pam_unix(cron:session): session closed for user root
Jan 23 22:20:01 localhost CRON[27176]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:20:01 localhost CRON[27177]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:20:01 localhost CRON[27176]: pam_unix(cron:session): session closed for user root
Jan 23 22:20:01 localhost CRON[27177]: pam_unix(cron:session): session closed for user root
Jan 23 22:25:01 localhost CRON[27461]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:25:01 localhost CRON[27461]: pam_unix(cron:session): session closed for user root
Jan 23 22:30:01 localhost CRON[27491]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:30:01 localhost CRON[27492]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:30:01 localhost CRON[27491]: pam_unix(cron:session): session closed for user root
Jan 23 22:30:02 localhost CRON[27492]: pam_unix(cron:session): session closed for user root
Jan 23 22:35:01 localhost CRON[27738]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:35:01 localhost CRON[27738]: pam_unix(cron:session): session closed for user root
Jan 23 22:39:01 localhost CRON[27784]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:39:01 localhost CRON[27784]: pam_unix(cron:session): session closed for user root
Jan 23 22:40:01 localhost CRON[27827]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:40:01 localhost CRON[27826]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:40:01 localhost CRON[27826]: pam_unix(cron:session): session closed for user root
Jan 23 22:40:01 localhost CRON[27827]: pam_unix(cron:session): session closed for user root
Jan 23 22:45:01 localhost CRON[28073]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:45:01 localhost CRON[28073]: pam_unix(cron:session): session closed for user root
Jan 23 22:50:01 localhost CRON[28123]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:50:01 localhost CRON[28122]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:50:01 localhost CRON[28122]: pam_unix(cron:session): session closed for user root
Jan 23 22:50:02 localhost CRON[28123]: pam_unix(cron:session): session closed for user root
Jan 23 22:55:01 localhost CRON[28407]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:55:01 localhost CRON[28407]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28459]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28458]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28457]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28456]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28456]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28457]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28458]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:03 localhost CRON[28459]: pam_unix(cron:session): session closed for user root
Jan 23 23:05:01 localhost CRON[28969]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:05:01 localhost CRON[28969]: pam_unix(cron:session): session closed for user root
Jan 23 23:09:01 localhost CRON[29015]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:09:01 localhost CRON[29015]: pam_unix(cron:session): session closed for user root
Jan 23 23:10:01 localhost CRON[29057]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:10:01 localhost CRON[29058]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:10:01 localhost CRON[29057]: pam_unix(cron:session): session closed for user root
Jan 23 23:10:02 localhost CRON[29058]: pam_unix(cron:session): session closed for user root
Jan 23 23:15:01 localhost CRON[29342]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:15:01 localhost CRON[29342]: pam_unix(cron:session): session closed for user root
Jan 23 23:17:01 localhost CRON[29382]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:17:01 localhost CRON[29382]: pam_unix(cron:session): session closed for user root
Jan 23 23:20:01 localhost CRON[29427]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:20:01 localhost CRON[29426]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:20:01 localhost CRON[29426]: pam_unix(cron:session): session closed for user root
Jan 23 23:20:01 localhost CRON[29427]: pam_unix(cron:session): session closed for user root
Jan 23 23:25:01 localhost CRON[29711]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:25:01 localhost CRON[29711]: pam_unix(cron:session): session closed for user root
Jan 23 23:30:01 localhost CRON[29760]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:30:01 localhost CRON[29761]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:30:01 localhost CRON[29760]: pam_unix(cron:session): session closed for user root
Jan 23 23:30:02 localhost CRON[29761]: pam_unix(cron:session): session closed for user root
Jan 23 23:35:01 localhost CRON[30007]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:35:01 localhost CRON[30007]: pam_unix(cron:session): session closed for user root
Jan 23 23:39:01 localhost CRON[30053]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:39:01 localhost CRON[30053]: pam_unix(cron:session): session closed for user root
Jan 23 23:40:01 localhost CRON[30095]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:40:01 localhost CRON[30096]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:40:01 localhost CRON[30095]: pam_unix(cron:session): session closed for user root
Jan 23 23:40:01 localhost CRON[30096]: pam_unix(cron:session): session closed for user root
Jan 23 23:45:01 localhost CRON[30342]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:45:01 localhost CRON[30342]: pam_unix(cron:session): session closed for user root
Jan 23 23:50:01 localhost CRON[30392]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:50:01 localhost CRON[30391]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:50:01 localhost CRON[30391]: pam_unix(cron:session): session closed for user root
Jan 23 23:50:02 localhost CRON[30392]: pam_unix(cron:session): session closed for user root
Jan 23 23:55:01 localhost CRON[30638]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:55:01 localhost CRON[30638]: pam_unix(cron:session): session closed for user root
EDIT: This is only a teeny chunk of what I see. There are literally thousands, maybe millionses of these stanzas in /var/log/syslog. This machine is Ubuntu, and the last admin had it facing public Internet, with root account ENABLED. GOOD, LORD.
Last edited by bluesword1969; 01-25-2010 at 04:21 PM.
 
Old 01-25-2010, 04:48 PM   #2
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043
That is not spam. Apparently root runs a cron job every 5 minutes. When it starts, it has to do PAM authentication. I am not sure you can turn it off, and I would not put any effort in finding out. It is good to see when root is authenticated.

I hope you have a logrotate running on that box so auth.log is being rotated on a daily basis. BTW, if you have a computer connected to the internet, look at that auth.log to see script kiddies attacks.

jlinkels
 
Old 01-25-2010, 05:25 PM   #3
bluesword1969
Member
 
Registered: Jan 2010
Location: East Coast, USA.
Distribution: Gentoo, Debian, OpenBSD.
Posts: 70

Original Poster
Rep: Reputation: 25
Cool
Quote:
Originally Posted by jlinkels View Post
That is not spam. Apparently root runs a cron job every 5 minutes. When it starts, it has to do PAM authentication. I am not sure you can turn it off, and I would not put any effort in finding out. It is good to see when root is authenticated.

I hope you have a logrotate running on that box so auth.log is being rotated on a daily basis. BTW, if you have a computer connected to the internet, look at that auth.log to see script kiddies attacks.

jlinkels
I think this CRON spam is email/polling related, which isn't so bad, but again, there's lots more weird stuff about this box - like - HOW ABOUT THE FACT THAT THEY LEFT ROOT OVER SSH ENABLED ON IT FOR GOOD GOD KNOWS HOW LONG.

I'm going home now.

:-)
 
Old 01-25-2010, 07:03 PM   #4
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043Reputation: 1043
You should see which cron jobs are being run in /var/log/syslog.
It is Debian policy not to install SSH by default, but when you install it, it comes with root login allowed. That is not good.

jlinkels
 
  


Reply

Tags
alarm, cracking, cron, false, rootkit



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
my firefox got hacked, messagebox / alert spam / lots of messageboxes H_TeXMeX_H Linux - Software 4 12-01-2009 05:39 AM
Keep getting errors when running cron job that works in normal terminal. Techno Guy Linux - Newbie 6 05-31-2009 06:48 PM
Is my server sending spam ? (qmail question, lots of mails going out) phlampe Linux - Server 6 05-14-2009 02:53 AM
yum check-update as normal user misses lots of updates humbletech99 Red Hat 2 05-09-2008 03:16 AM
Fedora 8 selinux blocks root cron but not user cron Infinity Fedora 7 11-29-2007 08:21 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:03 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration