session opened for user root by (uid=0)
2006-01-30 - By Rick Stevens

On Mon, 2006-01-30 at 17:03 -0500, Thomas Walter wrote:
> Good Evening,
>
> I have a RHEL 4 machine, recently brought online. I see today the following
> entries (hundreds actually) every 5 minutes. There are no entries in root
> crontab. Web search indicates a possible intrusion but the examples I see
> don't refer to crond. Can anyone help?
>
> TIA.
>
> Tom Walter
>
> Jan 29 10:15:01 earth crond(pam_unix)[31492]: session opened for user root by (uid=0)
> Jan 29 10:15:01 earth crond(pam_unix)[31492]: session closed for user root
> Jan 29 10:20:01 earth crond(pam_unix)[31514]: session opened for user root by (uid=0)
> Jan 29 10:20:01 earth crond(pam_unix)[31515]: session opened for user root by (uid=0)
> Jan 29 10:20:01 earth crond(pam_unix)[31514]: session closed for user root
> Jan 29 10:20:01 earth crond(pam_unix)[31515]: session closed for user root
> Jan 29 10:25:01 earth crond(pam_unix)[31541]: session opened for user root by (uid=0)
> Jan 29 10:25:01 earth crond(pam_unix)[31541]: session closed for user root
> Jan 29 10:30:01 earth crond(pam_unix)[31563]: session opened for user root by (uid=0)
> Jan 29 10:30:01 earth crond(pam_unix)[31564]: session opened for user root by (uid=0)
> Jan 29 10:30:01 earth crond(pam_unix)[31563]: session closed for user root
> Jan 29 10:30:01 earth crond(pam_unix)[31564]: session closed for user root

Those probably aren't intrusion attempts (those will usually be against an RPC port or sshd).
You may not have anything in root's crontab, but you undoubtedly have stuff in anacron. Note that those entries are about 5 minutes apart. Check the contents of "/etc/crontab" and the contents of the files in the "/etc/cron*" directories and you may get a hint as to what's going on.
(Hint: Check /etc/cron.d/mrtg and you'll see it runs every 5 minutes.)
Also, check root's mailbox and see if there are messages that coincide with those log entries. If so, then look at the messages to see if that may give a clue.

--
Rick Stevens, Senior Systems Engineer    rstevens@(protected)
VitalStream, Inc.    http://www.vitalstream.com

Microsoft Windows: Proof that P.T. Barnum was right
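
An added example (not part of the original messages): a Python check that counts the root cron sessions per minute in the quoted log and lists which system-crontab entries are due at each of those times. The crontab lines are constructed stand-ins, `/etc/cron.d/example-stats` is hypothetical, and the day-of-month, month and day-of-week fields are assumed to be `*`.

```python
import re
from collections import Counter

# First six log lines from the quoted message above.
LOG = """\
Jan 29 10:15:01 earth crond(pam_unix)[31492]: session opened for user root by (uid=0)
Jan 29 10:15:01 earth crond(pam_unix)[31492]: session closed for user root
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session closed for user root
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session closed for user root
"""

# Constructed system-crontab lines (assumptions; read the real files on the host).
ENTRIES = [
    ("/etc/cron.d/mrtg", "*/5 * * * * root /usr/bin/mrtg /etc/mrtg/mrtg.cfg"),
    ("/etc/cron.d/example-stats", "*/10 * * * * root /usr/local/bin/collect-stats"),
    ("/etc/crontab", "01 * * * * root run-parts /etc/cron.hourly"),
]

OPENED = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):\d\d \S+ crond\(pam_unix\)\[\d+\]: "
                    r"session opened for user root\b")

def field_matches(field, value, top):
    """Match one cron time field (*, n, a-b, comma lists, /step) against value."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        lo, _, hi = ("0-%d" % top if rng == "*" else rng).partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo <= value <= hi and (value - lo) % int(step or 1) == 0:
            return True
    return False

def explain(log, entries):
    """Map (hour, minute) -> (sessions opened, root cron files due at that time)."""
    seen = Counter((int(m[1]), int(m[2]))
                   for m in map(OPENED.match, log.splitlines()) if m)
    report = {}
    for (hour, minute), count in sorted(seen.items()):
        due = []
        for path, entry in entries:
            mins, hours, _dom, _mon, _dow, user, _cmd = entry.split(None, 6)
            if (user == "root" and field_matches(mins, minute, 59)
                    and field_matches(hours, hour, 23)):
                due.append(path)
        report[(hour, minute)] = (count, due)
    return report

if __name__ == "__main__":
    print(explain(LOG, ENTRIES))
```

A minute that shows more sessions than due jobs is the one to look into further.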