Hi,

I'm doubt when i catch my /var/log/message keeps repeating this message, am i being hacked?

Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session opened for user root by (uid=0)
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session closed for user root
Nov 27 19:20:46 XXXXXXXX sshd(pam_unix)[19000]: session opened for user root by (uid=0)
Nov 27 19:20:46 XXXXXXXX sshd(pam_unix)[19000]: session closed for user root
Nov 27 19:20:57 XXXXXXXX sshd(pam_unix)[19125]: session opened for user root by (uid=0)
Nov 27 19:20:57 XXXXXXXX sshd(pam_unix)[19125]: session closed for user root

These messages repeat itself almost every 10 seconds or so... Anyone facing this?

regards,
Grant Skywalker

First thing you should do regardless the outcome is to disallow root account user logins (PermitRootLogin No) through sshd anyway and restart sshd. Allowing root access to sshd is a bad practice! Next to that make sure you do not allow ssh access from public IP addressess/ranges other than those you really need access from.

Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session opened for user root by (uid=0)
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session closed for user root
So it closes the session the instance it's openend? Weird. Is there any chance there's a script running?
Doesn't your log show any "Accepted (publickey|password for user" lines (grep ssh /$LOGDIR/messages) with IP info?
Does wtmp show any IP info ("last -10")? Else insert an Iptables log rule before allowing ssh access to catch IP info.

If you've got a file integrity checker like Aide, Samhain or even tripwire now would be a good time to run it (if you haven't don't bother installing: too late). Also run Chkrootkit and/or Rootkit Hunter if you have them installed just to be sure.

Hi,
I'm just in for a preventive maintenance for my client and found that weird messages in their recent message log.

I don't know if they have any script running at the back but i was informed that it's a backup server pair with Overland to backup their Windows servers.

Let's presume there should not be any script running at the back, am i safe to suspect something is going wrong?

Nope, they have these servers well protected and no access from outside ip. All internal access whenever possible. Even when i need to checking, i'm not allowed to check from their workstation but in front of the server.

I'm pretty sure they don't deny login sshd from root. What if they only login using root physically in front of the server, will these messages be normal? Because these messages last for hours if not days... I suspected something unlikely correct here.

Nope, there isn't any ip address shown... just repetitive on the same message.

I don't know if they have any script running at the back
Who deployed this setup? Isn't there someone you could ask so you wont break stuff?


Let's presume
The last time I presumed something I SNAFU'ed in the most desastrilicious way.
I vote no against letting presumptions dictate what to do.


there should not be any script running at the back, am i safe to suspect something is going wrong?
Sure. But if it is malicious remains to be seen. It still does look more script-like than anything else. One 'cheap' way to see what commands are issued could be to change shell to rootsh and then peruse the rootsh logs. Before you do you should make certain the box is 'sane' in all other aspects. That means running a file integrity check, check logs for other anomalies and check your auth data and logs. If all fails and you are unable to extract any useful info about this proces, you can always deny root account access in sshd_config and see what breaks :-]


What if they only login using root physically in front of the server, will these messages be normal?
That's one case where it would most certainly not be normal. You would see a pam_unix message from login process.