session opened for user root by (uid=0)

Rick Stevens rstevens at vitalstream.com
Tue Jan 31 00:04:53 UTC 2006


On Mon, 2006-01-30 at 17:03 -0500, Thomas Walter wrote:
> Good Evening,
> 
> I have a RHEL 4 machine, recently brought online. I see today the following 
> entries (hundreds actually) every 5 minutes. There are no entries in root 
> crontab. Web search indicates a possible intrusion but the examples I see 
> don't refer to crond. Can anyone help?
> 
> TIA.
> 
> Tom Walter
> 
> 
> Jan 29 10:15:01 earth crond(pam_unix)[31492]: session opened for user root by (uid=0)
> Jan 29 10:15:01 earth crond(pam_unix)[31492]: session closed for user root
> Jan 29 10:20:01 earth crond(pam_unix)[31514]: session opened for user root by (uid=0)
> Jan 29 10:20:01 earth crond(pam_unix)[31515]: session opened for user root by (uid=0)
> Jan 29 10:20:01 earth crond(pam_unix)[31514]: session closed for user root
> Jan 29 10:20:01 earth crond(pam_unix)[31515]: session closed for user root
> Jan 29 10:25:01 earth crond(pam_unix)[31541]: session opened for user root by (uid=0)
> Jan 29 10:25:01 earth crond(pam_unix)[31541]: session closed for user root
> Jan 29 10:30:01 earth crond(pam_unix)[31563]: session opened for user root by (uid=0)
> Jan 29 10:30:01 earth crond(pam_unix)[31564]: session opened for user root by (uid=0)
> Jan 29 10:30:01 earth crond(pam_unix)[31563]: session closed for user root
> Jan 29 10:30:01 earth crond(pam_unix)[31564]: session closed for user root

Those probably aren't intrusion attempts (those will usually be against
an RPC port or sshd).

You may not have anything in root's crontab, but you undoubtedly have
stuff in anacron.  Note that those entries are about 5 minutes apart.
Check the contents of "/etc/crontab" and the contents of the files in
the "/etc/cron*" directories and you may get a hint as to what's going
on.

(Hint:  Check /etc/cron.d/mrtg and you'll see it runs every 5 minutes.)

Also, check root's mailbox and see if there are messages that coincide
with those log entries.  If so, then look at the messages to see if that
may give a clue.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-         Microsoft Windows:  Proof that P.T. Barnum was right       -
----------------------------------------------------------------------
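
The check suggested in the reply, as an added example that is not part of the original message: it measures the interval between cron session-open lines and lists system cron entries whose minute field fires at that interval. Function names and the default year are assumptions; it scans only `crontab` and `cron.d` under the given root, since those are the files in crontab format.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import Path

# Session-open lines copied from the quoted message above.
SAMPLE_LOG = """\
Jan 29 10:15:01 earth crond(pam_unix)[31492]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session opened for user root by (uid=0)
Jan 29 10:25:01 earth crond(pam_unix)[31541]: session opened for user root by (uid=0)
"""
OPENED = re.compile(r"(\w{3} +\d+ [\d:]{8}) \S+ crond\(pam_unix\)\[\d+\]: session opened")

def dominant_interval(log_text, year=2006):
    """Most common gap in minutes between distinct cron session-open times.
    Syslog lines carry no year, so one is assumed (2006, from the message date)."""
    hits = filter(None, map(OPENED.match, log_text.splitlines()))
    times = sorted({datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") for m in hits})
    gaps = Counter(round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:]))
    return gaps.most_common(1)[0][0] if gaps else None

def minutes_fired(field):
    """Expand a cron minute field (*, */n, a-b, a-b/n, comma lists) to a set of minutes."""
    fired = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        lo, _, hi = ("0-59" if rng == "*" else rng).partition("-")
        fired.update(range(int(lo), int(hi or lo) + 1, int(step or 1)))
    return fired

def entries_matching(cron_root, interval):
    """Return (file name, line) for entries in <cron_root>/crontab and <cron_root>/cron.d/*
    (5 time fields, user, command) whose minute field fires every `interval` minutes."""
    root, found = Path(cron_root), []
    for path in [root / "crontab", *sorted((root / "cron.d").glob("*"))]:
        if not path.is_file():
            continue
        for line in path.read_text(errors="replace").splitlines():
            fields = line.split()
            if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
                continue
            try:
                mins = sorted(minutes_fired(fields[0]))
            except ValueError:  # @reboot, names, malformed fields
                continue
            if len(mins) > 1 and all(b - a == interval for a, b in zip(mins, mins[1:])):
                found.append((path.name, line.strip()))
    return found
```

On the affected host, `entries_matching("/etc", dominant_interval(log_text))` names the files to read first; only the minute field is compared, so hour and day restrictions still need a look by eye.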



