11-15-2017, 05:48 AM
Server has unexplained entries in /var/log/secure.
It looks like on a weekly basis, PAST entries for pam_unix and unix_chkpwd get dumped into the /var/log/secure file.
See after the first 2 proper entries, some old items are dumped in
[root@to jon9n7]# cat /var/log/secure
Nov 13 05:21:14 to atd[30306]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 02:35:23 to sshd[1308]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 23 06:51:16 to su: pam_unix(su:session): session closed for user root
Sep 23 15:57:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 24 01:06:20 to su: pam_unix(su:session): session closed for user root
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Sep 24 10:40:53 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 27 13:48:36 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 28 00:16:01 to unix_chkpwd[28]: check pass; user unknown
Sep 28 00:16:09 to unix_chkpwd[29]: check pass; user unknown
[[ BUNCH MORE REMOVED ]]
Nov 7 23:29:08 to su: pam_unix(su:session): session closed for user root
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 8 20:14:15 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Nov 9 03:11:21 to su: pam_unix(su:session): session closed for user root
Nov 12 16:24:33 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Nov 14 02:35:23 to su: pam_unix(su:session): session closed for user root
Nov 14 05:21:16 to atd[17367]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 12:57:12 to sshd[1050]: Accepted password for jon9n7 from xx.xx.xx.xx port 9999 ssh2
Nov 14 12:57:12 to sshd[1050]: pam_unix(sshd:session): session opened for user jon9n7 by (uid=0)
A chunk of entries beginning with "Sep 23" was repeatedly inserted on Oct 18, Oct 19, Oct 19, Oct 21, Oct 21, Oct 27, Nov 4 and Nov 14. The "chunk" is growing as more entries accumulate in whatever log they originally came from. The dates and times are not consistent, so they don't appear to be related to any cron. At this point, we know it was sometime after 2:35am and before 4:00am.
lfd detects these entries when it runs and sends a "su login failed" email for each auth failure in the chunk, though they aren't "new" activity. The question is how/why are these past entries being randomly copied to the /var/log/secure?
Regards,
Vamsi D
Medha Hosting
Cheap dedicated servers & Linux VPS Hosting
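The post describes a block of old pam_unix/unix_chkpwd lines being appended to /var/log/secure at irregular times, with the original lines still in their proper place further up. A quick way to pin down each insertion (and to see which lines a watcher such as lfd would re-alert on) is to scan the file for timestamps that jump backwards: syslog-style writes are monotonic apart from small skew, so a large backward jump marks the start of a replayed chunk, and the chunk ends at the first line that catches back up to the newest time seen before the jump. The script below is an added example, not code from the original post or from lfd/csf. It assumes the classic "Mon DD HH:MM:SS host proc[pid]: msg" format shown in the post (which carries no year, so a year is supplied as an assumption), the sample log is constructed to mimic the post rather than copied from any server, and the function names are my own.

```python
"""Find replayed (out-of-order) chunks in a syslog-style auth log.

Added example, not part of the original post. Assumes the timestamp layout
shown there ("Nov 14 02:35:23 host proc[pid]: msg"); ASSUMED_YEAR is an
assumption because classic syslog lines have no year field.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2017  # assumption: syslog lines carry no year

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample (not a real server log): live lines, a replayed chunk of
# older entries, live lines again, then the same chunk replayed once more.
SAMPLE_SECURE = """\
Nov 13 05:21:14 to atd[30306]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 02:35:23 to sshd[1308]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Sep 28 00:16:01 to unix_chkpwd[28]: check pass; user unknown
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 14 05:21:16 to atd[17367]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 12:57:12 to sshd[1050]: Accepted password for jon9n7 from xx.xx.xx.xx port 9999 ssh2
Nov 21 03:10:44 to sshd[2201]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Sep 28 00:16:01 to unix_chkpwd[28]: check pass; user unknown
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 21 04:00:02 to atd[3311]: pam_unix(atd:session): session opened for user root by (uid=0)
"""


def parse_line(line, year=ASSUMED_YEAR):
    """Return (timestamp, host, message), or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, msg = m.groups()
    ts = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return ts, host, msg


def find_replayed_chunks(text, year=ASSUMED_YEAR, min_jump=timedelta(hours=1)):
    """Return [(start_lineno, end_lineno, oldest_ts, newest_ts), ...], 1-indexed.

    A chunk starts at a line whose timestamp is older than the newest time seen
    so far by more than min_jump (small skew is tolerated), and ends just before
    the first line that reaches that high-water mark again.
    """
    chunks, high_water, start, chunk_ts, last = [], None, None, [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, last = parsed[0], lineno
        if start is None:
            if high_water is not None and ts < high_water - min_jump:
                start, chunk_ts = lineno, [ts]      # backward jump: chunk begins
            else:
                high_water = ts if high_water is None else max(high_water, ts)
        elif ts >= high_water:                      # caught up: chunk ends
            chunks.append((start, lineno - 1, min(chunk_ts), max(chunk_ts)))
            start, chunk_ts, high_water = None, [], max(high_water, ts)
        else:
            chunk_ts.append(ts)
    if start is not None:                           # file ends inside a chunk
        chunks.append((start, last, min(chunk_ts), max(chunk_ts)))
    return chunks


def duplicate_lines(text):
    """Exact-duplicate lines and their counts (only those appearing more than once)."""
    counts = Counter(l for l in text.splitlines() if l.strip())
    return {line: n for line, n in counts.items() if n > 1}


def replayed_auth_failures(text, year=ASSUMED_YEAR):
    """Count 'authentication failure' lines inside replayed chunks: the ones a
    log watcher would alert on again although they are not new activity."""
    lines = text.splitlines()
    return sum("authentication failure" in lines[i - 1]
               for start, end, _, _ in find_replayed_chunks(text, year)
               for i in range(start, end + 1))


if __name__ == "__main__":
    for start, end, oldest, newest in find_replayed_chunks(SAMPLE_SECURE):
        print(f"replayed chunk at lines {start}-{end}: "
              f"{oldest:%b %d %H:%M:%S} .. {newest:%b %d %H:%M:%S}")
    for line, n in duplicate_lines(SAMPLE_SECURE).items():
        print(f"x{n}: {line[:70]}")
    print("auth failures inside replayed chunks:", replayed_auth_failures(SAMPLE_SECURE))
```

Run it against a copy of /var/log/secure (read the file into `text` instead of `SAMPLE_SECURE`) to get the line range of every insertion; the line immediately before each chunk is the last genuine entry written before the copy happened, which narrows the time window more precisely than reading by eye. Two caveats: a December-to-January boundary looks like a backward jump under a single assumed year, so check chunks that start in January by hand, and the script only reports where and when the lines were appended, not what wrote them; for that, compare the chunk against the other logs under /var/log and watch which process opens /var/log/secure for append during the suspected window.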