Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:15:01 localhost CRON[22629]: pam_unix(cron:session): session closed for user root
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:17:01 localhost CRON[22669]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:20:01 localhost CRON[22713]: pam_unix(cron:session): session closed for user root
Jan 23 20:20:01 localhost CRON[22714]: pam_unix(cron:session): session closed for user root
Jan 23 20:25:01 localhost CRON[22998]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:25:01 localhost CRON[22998]: pam_unix(cron:session): session closed for user root
Jan 23 20:30:01 localhost CRON[23048]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:30:01 localhost CRON[23047]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:30:01 localhost CRON[23047]: pam_unix(cron:session): session closed for user root
Jan 23 20:30:02 localhost CRON[23048]: pam_unix(cron:session): session closed for user root
Jan 23 20:35:01 localhost CRON[23294]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:35:01 localhost CRON[23294]: pam_unix(cron:session): session closed for user root
Jan 23 20:39:01 localhost CRON[23340]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:39:01 localhost CRON[23340]: pam_unix(cron:session): session closed for user root
Jan 23 20:40:01 localhost CRON[23382]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:40:01 localhost CRON[23383]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:40:01 localhost CRON[23382]: pam_unix(cron:session): session closed for user root
Jan 23 20:40:01 localhost CRON[23383]: pam_unix(cron:session): session closed for user root
Jan 23 20:45:01 localhost CRON[23667]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:45:01 localhost CRON[23667]: pam_unix(cron:session): session closed for user root
Jan 23 20:50:01 localhost CRON[23718]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:50:01 localhost CRON[23717]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:50:01 localhost CRON[23717]: pam_unix(cron:session): session closed for user root
Jan 23 20:50:02 localhost CRON[23718]: pam_unix(cron:session): session closed for user root
Jan 23 20:55:01 localhost CRON[23964]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 20:55:01 localhost CRON[23964]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24014]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24015]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24016]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24013]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:00:01 localhost CRON[24013]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24014]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:01 localhost CRON[24015]: pam_unix(cron:session): session closed for user root
Jan 23 21:00:03 localhost CRON[24016]: pam_unix(cron:session): session closed for user root
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:05:01 localhost CRON[24452]: pam_unix(cron:session): session closed for user root
Jan 23 21:09:01 localhost CRON[24498]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:09:01 localhost CRON[24498]: pam_unix(cron:session): session closed for user root
Jan 23 21:10:01 localhost CRON[24541]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:10:01 localhost CRON[24540]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:10:01 localhost CRON[24540]: pam_unix(cron:session): session closed for user root
Jan 23 21:10:02 localhost CRON[24541]: pam_unix(cron:session): session closed for user root
Jan 23 21:15:01 localhost CRON[24825]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:15:01 localhost CRON[24825]: pam_unix(cron:session): session closed for user root
Jan 23 21:17:01 localhost CRON[24865]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:17:01 localhost CRON[24865]: pam_unix(cron:session): session closed for user root
Jan 23 21:20:01 localhost CRON[24909]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:20:01 localhost CRON[24910]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:20:01 localhost CRON[24909]: pam_unix(cron:session): session closed for user root
Jan 23 21:20:01 localhost CRON[24910]: pam_unix(cron:session): session closed for user root
Jan 23 21:25:01 localhost CRON[25194]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:25:01 localhost CRON[25194]: pam_unix(cron:session): session closed for user root
Jan 23 21:30:01 localhost CRON[25243]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:30:01 localhost CRON[25244]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:30:01 localhost CRON[25243]: pam_unix(cron:session): session closed for user root
Jan 23 21:30:02 localhost CRON[25244]: pam_unix(cron:session): session closed for user root
Jan 23 21:35:01 localhost CRON[25528]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:35:01 localhost CRON[25528]: pam_unix(cron:session): session closed for user root
Jan 23 21:39:01 localhost CRON[25574]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:39:01 localhost CRON[25574]: pam_unix(cron:session): session closed for user root
Jan 23 21:40:01 localhost CRON[25616]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:40:01 localhost CRON[25617]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:40:01 localhost CRON[25616]: pam_unix(cron:session): session closed for user root
Jan 23 21:40:01 localhost CRON[25617]: pam_unix(cron:session): session closed for user root
Jan 23 21:45:01 localhost CRON[25901]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:45:01 localhost CRON[25901]: pam_unix(cron:session): session closed for user root
Jan 23 21:50:01 localhost CRON[25931]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:50:01 localhost CRON[25930]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:50:01 localhost CRON[25930]: pam_unix(cron:session): session closed for user root
Jan 23 21:50:02 localhost CRON[25931]: pam_unix(cron:session): session closed for user root
Jan 23 21:55:01 localhost CRON[26177]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 21:55:01 localhost CRON[26177]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26227]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26228]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26226]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26229]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:00:01 localhost CRON[26226]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26227]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:01 localhost CRON[26228]: pam_unix(cron:session): session closed for user root
Jan 23 22:00:03 localhost CRON[26229]: pam_unix(cron:session): session closed for user root
Jan 23 22:05:01 localhost CRON[26739]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:05:01 localhost CRON[26739]: pam_unix(cron:session): session closed for user root
Jan 23 22:09:01 localhost CRON[26785]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:09:01 localhost CRON[26785]: pam_unix(cron:session): session closed for user root
Jan 23 22:10:01 localhost CRON[26827]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:10:01 localhost CRON[26828]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:10:01 localhost CRON[26827]: pam_unix(cron:session): session closed for user root
Jan 23 22:10:02 localhost CRON[26828]: pam_unix(cron:session): session closed for user root
Jan 23 22:15:01 localhost CRON[27112]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:15:01 localhost CRON[27112]: pam_unix(cron:session): session closed for user root
Jan 23 22:17:01 localhost CRON[27132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:17:01 localhost CRON[27132]: pam_unix(cron:session): session closed for user root
Jan 23 22:20:01 localhost CRON[27176]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:20:01 localhost CRON[27177]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:20:01 localhost CRON[27176]: pam_unix(cron:session): session closed for user root
Jan 23 22:20:01 localhost CRON[27177]: pam_unix(cron:session): session closed for user root
Jan 23 22:25:01 localhost CRON[27461]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:25:01 localhost CRON[27461]: pam_unix(cron:session): session closed for user root
Jan 23 22:30:01 localhost CRON[27491]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:30:01 localhost CRON[27492]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:30:01 localhost CRON[27491]: pam_unix(cron:session): session closed for user root
Jan 23 22:30:02 localhost CRON[27492]: pam_unix(cron:session): session closed for user root
Jan 23 22:35:01 localhost CRON[27738]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:35:01 localhost CRON[27738]: pam_unix(cron:session): session closed for user root
Jan 23 22:39:01 localhost CRON[27784]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:39:01 localhost CRON[27784]: pam_unix(cron:session): session closed for user root
Jan 23 22:40:01 localhost CRON[27827]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:40:01 localhost CRON[27826]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:40:01 localhost CRON[27826]: pam_unix(cron:session): session closed for user root
Jan 23 22:40:01 localhost CRON[27827]: pam_unix(cron:session): session closed for user root
Jan 23 22:45:01 localhost CRON[28073]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:45:01 localhost CRON[28073]: pam_unix(cron:session): session closed for user root
Jan 23 22:50:01 localhost CRON[28123]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:50:01 localhost CRON[28122]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:50:01 localhost CRON[28122]: pam_unix(cron:session): session closed for user root
Jan 23 22:50:02 localhost CRON[28123]: pam_unix(cron:session): session closed for user root
Jan 23 22:55:01 localhost CRON[28407]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 22:55:01 localhost CRON[28407]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28459]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28458]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28457]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28456]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:00:01 localhost CRON[28456]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28457]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:01 localhost CRON[28458]: pam_unix(cron:session): session closed for user root
Jan 23 23:00:03 localhost CRON[28459]: pam_unix(cron:session): session closed for user root
Jan 23 23:05:01 localhost CRON[28969]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:05:01 localhost CRON[28969]: pam_unix(cron:session): session closed for user root
Jan 23 23:09:01 localhost CRON[29015]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:09:01 localhost CRON[29015]: pam_unix(cron:session): session closed for user root
Jan 23 23:10:01 localhost CRON[29057]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:10:01 localhost CRON[29058]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:10:01 localhost CRON[29057]: pam_unix(cron:session): session closed for user root
Jan 23 23:10:02 localhost CRON[29058]: pam_unix(cron:session): session closed for user root
Jan 23 23:15:01 localhost CRON[29342]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:15:01 localhost CRON[29342]: pam_unix(cron:session): session closed for user root
Jan 23 23:17:01 localhost CRON[29382]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:17:01 localhost CRON[29382]: pam_unix(cron:session): session closed for user root
Jan 23 23:20:01 localhost CRON[29427]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:20:01 localhost CRON[29426]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:20:01 localhost CRON[29426]: pam_unix(cron:session): session closed for user root
Jan 23 23:20:01 localhost CRON[29427]: pam_unix(cron:session): session closed for user root
Jan 23 23:25:01 localhost CRON[29711]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:25:01 localhost CRON[29711]: pam_unix(cron:session): session closed for user root
Jan 23 23:30:01 localhost CRON[29760]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:30:01 localhost CRON[29761]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:30:01 localhost CRON[29760]: pam_unix(cron:session): session closed for user root
Jan 23 23:30:02 localhost CRON[29761]: pam_unix(cron:session): session closed for user root
Jan 23 23:35:01 localhost CRON[30007]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:35:01 localhost CRON[30007]: pam_unix(cron:session): session closed for user root
Jan 23 23:39:01 localhost CRON[30053]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:39:01 localhost CRON[30053]: pam_unix(cron:session): session closed for user root
Jan 23 23:40:01 localhost CRON[30095]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:40:01 localhost CRON[30096]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:40:01 localhost CRON[30095]: pam_unix(cron:session): session closed for user root
Jan 23 23:40:01 localhost CRON[30096]: pam_unix(cron:session): session closed for user root
Jan 23 23:45:01 localhost CRON[30342]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:45:01 localhost CRON[30342]: pam_unix(cron:session): session closed for user root
Jan 23 23:50:01 localhost CRON[30392]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:50:01 localhost CRON[30391]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:50:01 localhost CRON[30391]: pam_unix(cron:session): session closed for user root
Jan 23 23:50:02 localhost CRON[30392]: pam_unix(cron:session): session closed for user root
Jan 23 23:55:01 localhost CRON[30638]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 23:55:01 localhost CRON[30638]: pam_unix(cron:session): session closed for user root
EDIT: This is only a teeny chunk of what I see. There are literally thousands, maybe millionses of these stanzas in /var/log/syslog. This machine is Ubuntu, and the last admin had it facing public Internet, with root account ENABLED. GOOD, LORD.
Last edited by bluesword1969; 01-25-2010 at 04:21 PM.
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195
That is not spam. Apparently root runs a cron job every 5 minutes. When it starts, it has to do PAM authentication. I am not sure you can turn it off, and I would not put any effort into finding out. It is good to see when root is authenticated.
I hope you have logrotate running on that box so auth.log is being rotated on a daily basis. BTW, if you have a computer connected to the internet, look at that auth.log to see script kiddie attacks.
jlinkels
I think this CRON spam is email/polling related, which isn't so bad, but again, there's lots more weird stuff about this box - like - HOW ABOUT THE FACT THAT THEY LEFT ROOT OVER SSH ENABLED ON IT FOR GOOD GOD KNOWS HOW LONG.
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195
You should see which cron jobs are being run in /var/log/syslog.
It is Debian policy not to install SSH by default, but when you install it, it comes with root login allowed. That is not good.
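The triage the replies point toward, as an added example that is not part of the thread: group the cron PAM session lines by minute-of-hour so the recurring jobs can be set aside, leaving the non-cron lines (such as sshd root logins) to read. The sample log is constructed; the sshd lines, PID 25100 and the address 203.0.113.5 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the cron lines copy the format of the excerpt in the thread;
# the sshd lines, PID 25100 and the address 203.0.113.5 are made up.
P = "pam_unix(cron:session): session"
SAMPLE = "\n".join([
    f"Jan 23 20:15:01 localhost CRON[22629]: {P} opened for user root by (uid=0)",
    f"Jan 23 20:15:01 localhost CRON[22629]: {P} closed for user root",
    f"Jan 23 20:17:01 localhost CRON[22669]: {P} opened for user root by (uid=0)",
    f"Jan 23 20:17:01 localhost CRON[22669]: {P} closed for user root",
    "Jan 23 20:17:40 localhost sshd[22680]: Failed password for root from 203.0.113.5 port 40022 ssh2",
    f"Jan 23 20:20:01 localhost CRON[22713]: {P} opened for user root by (uid=0)",
    f"Jan 23 20:20:01 localhost CRON[22713]: {P} closed for user root",
    f"Jan 23 21:15:01 localhost CRON[24825]: {P} opened for user root by (uid=0)",
    f"Jan 23 21:15:01 localhost CRON[24825]: {P} closed for user root",
    f"Jan 23 21:17:01 localhost CRON[24865]: {P} opened for user root by (uid=0)",
    f"Jan 23 21:17:01 localhost CRON[24865]: {P} closed for user root",
    "Jan 23 21:17:55 localhost sshd[24870]: Accepted password for root from 203.0.113.5 port 40031 ssh2",
    f"Jan 23 21:20:01 localhost CRON[24909]: {P} opened for user root by (uid=0)",
    f"Jan 23 21:20:01 localhost CRON[24909]: {P} closed for user root",
    f"Jan 23 21:33:07 localhost CRON[25100]: {P} opened for user root by (uid=0)",
])

LINE = re.compile(r"^\w{3} +(\d+) (\d\d):(\d\d):\d\d \S+ ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$")
CRON = re.compile(r"pam_unix\(cron:session\): session (opened|closed) for user (\S+)")

def triage(text):
    """Separate routine cron PAM sessions from every other auth.log line."""
    slots = defaultdict(lambda: defaultdict(set))  # user -> minute -> hours seen
    still_open = {}                                # pid -> user, no close yet
    other = []                                     # non-cron lines to review
    for raw in filter(str.strip, text.splitlines()):
        m = LINE.match(raw)
        c = CRON.search(m[6]) if m and m[4] == "CRON" else None
        if c is None:
            other.append(raw)
            continue
        action, user = c.groups()
        if action == "opened":
            slots[user][int(m[3])].add((m[1], m[2]))  # (day, hour)
            still_open[m[5]] = user
        else:
            still_open.pop(m[5], None)
    return slots, still_open, other

def recurring(slots, min_hours=2):
    """Minutes-of-hour at which a user's cron sessions repeat across hours."""
    return {user: sorted(mi for mi, hrs in by_min.items() if len(hrs) >= min_hours)
            for user, by_min in slots.items()}

if __name__ == "__main__":
    slots, still_open, other = triage(SAMPLE)
    print("recurring cron minutes:", recurring(slots))
    print("sessions without a close:", still_open)
    print("lines that are not cron sessions:", *other, sep="\n  ")
```

The recurring minutes can then be matched against /etc/crontab, /etc/cron.d and root's own crontab; a session at a minute that never repeats, or one that never closes, is the part worth a closer look.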