LinuxQuestions.org


buehler 04-25-2005 05:10 PM

suspicious entry in /var/log/auth.log
 
I found this entry in my /var/log/auth.log file:

Apr 19 16:27:51 mymachine kde3(pam_unix)[4025]: session opened for user cosmin by (uid=0)
Apr 19 16:28:01 mymachine xinetd[1761]: START: sgi_fam pid=4465 from=<no address>
Apr 19 16:28:10 mymachine sshd(pam_unix)[4480]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:12 mymachine sshd[4480]: Failed password for root from ::ffff:64.14.48.137 port 60972 ssh2
Apr 19 16:28:14 mymachine sshd(pam_unix)[4488]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:16 mymachine sshd[4488]: Failed password for root from ::ffff:64.14.48.137 port 32796 ssh2
Apr 19 16:28:24 mymachine sshd(pam_unix)[4518]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:26 mymachine sshd[4518]: Failed password for root from ::ffff:64.14.48.137 port 32889 ssh2
Apr 19 16:28:27 mymachine sshd(pam_unix)[4522]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:29 mymachine sshd[4522]: Failed password for root from ::ffff:64.14.48.137 port 33084 ssh2
Apr 19 16:28:30 mymachine sshd(pam_unix)[4524]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:32 mymachine sshd[4524]: Failed password for root from ::ffff:64.14.48.137 port 33132 ssh2
Apr 19 16:28:33 mymachine sshd(pam_unix)[4526]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:35 mymachine sshd[4526]: Failed password for root from ::ffff:64.14.48.137 port 33176 ssh2
Apr 19 16:28:36 mymachine sshd(pam_unix)[4528]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:38 mymachine sshd[4528]: Failed password for root from ::ffff:64.14.48.137 port 33234 ssh2
Apr 19 16:28:39 mymachine sshd(pam_unix)[4530]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:41 mymachine sshd[4530]: Failed password for root from ::ffff:64.14.48.137 port 33285 ssh2
Apr 19 17:15:00 mymachine kde3(pam_unix)[4025]: session closed for user cosmin

Does this mean that user 'cosmin' logged in and then tried to become root (unsuccessfully) several times?

TruckStuff 04-25-2005 05:15 PM

Re: suspicious entry in /var/log/auth.log
 
Quote:

Originally posted by buehler
Does this mean that user 'cosmin' logged in and then tried to become root (unsuccessfully) several times?
Only if the user's IP address was 64.14.48.137. Looks more like the SSH brute-force attack (read the sticky thread in this forum).

buehler 04-25-2005 05:17 PM

Could he have logged in and then used 64.14.48.137 to get into my machine as root?
Is there a way to check that?

btmiller 04-25-2005 10:32 PM

Note that the cosmin log entry was generated by kde and also pay attention to the text "session opened for user cosmin by (uid=0)". This means UID 0 (i.e. root) opened a session as cosmin. This is probably part of some sort of scheduled task. I don't use KDE much, nor do I know what the cosmin user is supposed to be running on your machine, so I can't say much more.

The root logins are all failures, if you'll note, and come from sshd. They look just like the brute force attacks mentioned in the sticky thread. Oh, one other thing, you might consider disabling sgi_fam (line 2) unless you need it for something. It has had vulnerabilities in the past.
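
Detection logic for the distinction drawn above, added here as an example that is not part of the thread: it parses constructed lines modelled on the excerpt, separates sshd "Failed password" bursts per source address and target account from PAM sessions opened by uid 0, and flags a source once it reaches a threshold of failures inside a time window. The sample lines, the 60-second window and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's auth.log excerpt (not the real file).
SAMPLE_LOG = """\
Apr 19 16:27:51 mymachine kde3(pam_unix)[4025]: session opened for user cosmin by (uid=0)
Apr 19 16:28:12 mymachine sshd[4480]: Failed password for root from ::ffff:64.14.48.137 port 60972 ssh2
Apr 19 16:28:16 mymachine sshd[4488]: Failed password for root from ::ffff:64.14.48.137 port 32796 ssh2
Apr 19 16:28:26 mymachine sshd[4518]: Failed password for root from ::ffff:64.14.48.137 port 32889 ssh2
Apr 19 16:28:29 mymachine sshd[4522]: Failed password for root from ::ffff:64.14.48.137 port 33084 ssh2
Apr 19 16:28:32 mymachine sshd[4524]: Failed password for root from ::ffff:64.14.48.137 port 33132 ssh2
Apr 19 17:15:00 mymachine kde3(pam_unix)[4025]: session closed for user cosmin
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# sshd's own failure line; its pam_unix "authentication failure" twin is skipped to avoid double counting.
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+)"
                   r" from (?:::ffff:)?(?P<ip>[\d.]+) port \d+")
# PAM session line; "by (uid=N)" names who opened the session, not where the user came from.
SESSION = re.compile(TS + r" \S+ (?P<svc>\w+)\(pam_unix\)\[\d+\]: session opened for user"
                     r" (?P<user>\S+) by \S*?\(uid=(?P<uid>\d+)\)")


def analyze(log_text, window=60, threshold=5):
    """Return ({(ip, user): peak failures within `window` s, if >= threshold},
    [(service, user) for PAM sessions opened by uid 0, i.e. root or a scheduler
    acting locally as that user rather than the user authenticating remotely])."""
    recent, bursts, local_sessions = defaultdict(list), {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; fine for within-window differences
            key, t = (m["ip"], m["user"]), datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            q = recent[key]
            q.append(t)
            while (t - q[0]).total_seconds() > window:  # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                bursts[key] = max(bursts.get(key, 0), len(q))
            continue
        m = SESSION.match(line)
        if m and m["uid"] == "0":
            local_sessions.append((m["svc"], m["user"]))
    return bursts, local_sessions
```

On the sample, the five root failures from 64.14.48.137 land inside 20 seconds and are reported as one burst, while the kde3 session for cosmin is listed separately as a uid 0 (local) session open.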

johnnydangerous 04-27-2005 07:26 AM

What is sgi_fam? Please, any kind of description will be appreciated. I'm not sure if it's up and running on my system.

And for the brute force, consider entirely disabling root access through sshd, which is set in /etc/ssh/sshd_config: allowrootlogin no (or similar).
You can do su after you log in as a normal user. Also set in the sshd config the users who are allowed to connect; all others will show up in the log as "invalid user" or similar.
Also, pam_tally is a good thing, to make it drop after 5 failed attempts, let's say for 5 minutes :)

Also a good thing is to change the port and apply RSA keys; there is no other way known to me to protect your world-listening shell.

damicatz 04-27-2005 05:11 PM

Quote:

Originally posted by johnnydangerous
What is sgi_fam? Please, any kind of description will be appreciated. I'm not sure if it's up and running on my system.
http://oss.sgi.com/projects/fam/faq.html#what_is_fam
