LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 11-22-2010, 12:06 PM   #1
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Rep: Reputation: 6
Question Auth.log


I have the following in my auth.log file over and over and over.

Nov 22 17:09:01 server CRON[6889]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 22 17:09:01 server CRON[6889]: pam_unix(cron:session): session closed for user root
Nov 22 17:20:01 server CRON[6993]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Nov 22 17:22:20 server CRON[6993]: pam_unix(cron:session): session closed for user smmsp

I have checked the crontabs for root and users and there are no scheduled jobs for anyone.

What can cause this?
 
Old 11-22-2010, 12:27 PM   #2
udaman
Member
 
Registered: Oct 2010
Location: New England, USA
Distribution: OpenSUSE/Slackware64/RHEL/Mythbuntu
Posts: 189

Rep: Reputation: 39
Look in /etc/cron.d/, or /etc/cron.daily, or any other cron directory for files that run at certain times. Crontab is not the only way cron gets directives.
 
Old 11-22-2010, 01:10 PM   #3
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
Here are the listings from cron*. Which one of these culprits should I look at first? Sendmail is not running.

-rw-r--r-- 1 root root 755 May 15 2010 crontab

cron.d:
-rw-r--r-- 1 root root 499 Oct 23 2009 php5
-rw-r--r-- 1 root root 2317 May 21 2010 sendmail

cron.daily:
-rwxr-xr-x 1 root root 633 Aug 18 2009 apache2
-rwxr-xr-x 1 root root 16338 Oct 15 2009 apt
-rwxr-xr-x 1 root root 314 Sep 28 2009 aptitude
-rwxr-xr-x 1 root root 502 May 8 2009 bsdmainutils
-rwxr-xr-x 1 root root 256 Sep 20 2009 dpkg
-rwxr-xr-x 1 root root 89 Aug 20 2009 logrotate
-rwxr-xr-x 1 root root 1270 Sep 7 2009 man-db
-rwxr-xr-x 1 root root 1154 Oct 23 2009 ntp
-rwxr-xr-x 1 root root 3285 Aug 21 2009 sendmail
-rwxr-xr-x 1 root root 3349 Sep 15 2009 standard

cron.hourly:
total 0

cron.monthly:
-rwxr-xr-x 1 root root 129 Sep 15 2009 standard

cron.weekly:
-rwxr-xr-x 1 root root 830 Sep 7 2009 man-db
 
Old 11-22-2010, 02:20 PM   #4
udaman
Member
 
Registered: Oct 2010
Location: New England, USA
Distribution: OpenSUSE/Slackware64/RHEL/Mythbuntu
Posts: 189

Rep: Reputation: 39
Are you sure sendmail is not running?

Code:
ps -ef | grep sendmail

The user is for sendmail.

Code:
grep smmsp /etc/passwd

Check the sendmail file in cron.d to see what time it runs, and match it with the log file you posted earlier.

Look in the php5 file and do the same thing, match up the time it runs with your auth.log file.

Look in /etc/pam.d to see if anything there looks unusual.

If you can't find a legitimate program/user running from cron.d then I would run a system scan for a root kit.

http://www.chkrootkit.org/

Check that your firewall is well secured. I've seen root kits that use cron to send home information.
 
Old 11-22-2010, 02:45 PM   #5
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
root@server:/var/spool# ps -ef | grep sendmail | grep -v grep

root@server:/var/spool# service sendmail status
MSP: is run via cron (20m)
MTA: is not running
QUE: Same as MTA

I think it is sendmail due to the bold line above. I have removed sendmail and the messages have stopped.

Believe it was this line in /etc/init.d/sendmail. Could be wrong but ...

*/20 * * * * smmsp test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp

Last edited by d072330; 11-22-2010 at 02:47 PM.
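
Added example, not part of any post in the thread: the check suggested in post #4 (match the user and run time of system crontab entries against the `pam_unix(cron:session)` lines in auth.log), run over the log lines and the cron entry quoted above. The function names are hypothetical, and the entry from post #5 is assumed to sit in a system crontab file (shown as `cron.d/sendmail`) because it carries a user field.

```python
import re

# Log lines and the cron entry are the ones quoted in the thread.
AUTH_LOG = """\
Nov 22 17:09:01 server CRON[6889]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 22 17:09:01 server CRON[6889]: pam_unix(cron:session): session closed for user root
Nov 22 17:20:01 server CRON[6993]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Nov 22 17:22:20 server CRON[6993]: pam_unix(cron:session): session closed for user smmsp
"""
CRON_FILES = {  # assumed file name -> contents; on a live host read /etc/crontab and /etc/cron.d/*
    "cron.d/sendmail": "*/20 * * * * smmsp test -x /etc/init.d/sendmail && "
                       "/usr/share/sendmail/sendmail cron-msp\n",
}
OPENED = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):\d\d \S+ CRON\[\d+\]: "
                    r"pam_unix\(cron:session\): session opened for user (\S+)", re.M)

def field_matches(field, value, lo, hi):
    """True if a numeric crontab field (*, */n, a, a-b, a-b/n, lists) covers value."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = end = int(rng)
        if start <= value <= end and (value - start) % int(step or 1) == 0:
            return True
    return False

def explain_sessions(log_text, cron_files):
    """For each cron session in the log, list system-crontab entries that fit user and time."""
    report = []
    for hh, mm, user in OPENED.findall(log_text):
        hits = []
        for name, text in cron_files.items():
            for line in text.splitlines():
                f = line.split(None, 6)  # min hour dom mon dow user command
                if len(f) < 7 or f[0].startswith(("#", "@")):
                    continue  # skip blanks, comments, VAR=value and @reboot-style lines
                if (f[5] == user and field_matches(f[0], int(mm), 0, 59)
                        and field_matches(f[1], int(hh), 0, 23)):
                    hits.append((name, f[6]))
        report.append((f"{hh}:{mm}", user, hits))
    return report

if __name__ == "__main__":
    for when, user, hits in explain_sessions(AUTH_LOG, CRON_FILES):
        print(when, user, hits or "UNEXPLAINED: check other cron files, spool crontabs, pam.d")
```

With only the one entry loaded, the 17:20 smmsp session is explained by the `*/20` sendmail job, while the 17:09 root session stays unexplained until the remaining files (for example the php5 file listed in post #3) are added to `CRON_FILES`.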
 