root email concerns

[dotancohen]

I haven't read root's email in about a month. Now that I get around to it, I am suprised to see things that I have never seen before, such as:

Code:

 --------------------- pam_unix Begin ------------------------
 kde-np:
    Unknown Entries:
       session opened for user dotancohen by (uid=0): 1 Time(s)
 ---------------------- pam_unix End -------------------------

 --------------------- Smartd Begin ------------------------
 **Unmatched Entries**
 smartd received signal 15: Terminated
 smartd is exiting (exit status 0)
 ---------------------- Smartd End -------------------------

 --------------------- Selinux Audit Begin ------------------------
  Number of audit daemon starts: 1
  Number of audit daemon stops: 2
 *** Logs which could mean a bug ***
    major=252 name_count=0: freeing multiple contexts (1)
    major=113 name_count=0: freeing multiple contexts (2)
 ---------------------- Selinux Audit End -------------------------

 --------------------- SSHD Begin ------------------------
 SSHD Killed: 1 Time(s)
 SSHD Started: 1 Time(s)
 ---------------------- SSHD End -------------------------

 --------------------- httpd Begin ------------------------
 Requests with error response codes
    404 Not Found
       /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
       /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
       /favicon.ico: 32 Time(s)
       /javascript/HM_Arrays.js: 1 Time(s)
       /javascript/HM_ScriptDOM.js: 1 Time(s)
       /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
       /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
 ---------------------- httpd End -------------------------

 --------------------- pam_unix Begin ------------------------
 kde:
    Unknown Entries:
       session closed for user dotancohen: 3 Time(s)
       session opened for user dotancohen by (uid=0): 3 Time(s)
 kde-np:
    Unknown Entries:
       session closed for user dotancohen: 3 Time(s)
       session opened for user dotancohen by (uid=0): 2 Time(s)
 su:
    Sessions Opened:
       (uid=500) -> root: 3 Time(s)
 system-config-display:
    Unknown Entries:
       auth could not identify password for [root]: 1 Time(s)
 ---------------------- pam_unix End -------------------------

 --------------------- httpd Begin ------------------------
 Requests with error response codes
    403 Forbidden
       /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
       /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
    404 Not Found
       /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
       /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
       /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
       /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
       /blog/xmlrpc.php: 2 Time(s)
       /blog/xmlsrv/xmlrpc.php: 2 Time(s)
       /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
       /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
       /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
       /drupal/xmlrpc.php: 2 Time(s)
       /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
       /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
       /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
       /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
       /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
       /phpgroupware/xmlrpc.php: 2 Time(s)
       /wordpress/xmlrpc.php: 2 Time(s)
       /xmlrpc.php: 4 Time(s)
       /xmlrpc/xmlrpc.php: 2 Time(s)
       /xmlsrv/xmlrpc.php: 2 Time(s)
 ---------------------- httpd End -------------------------

 --------------------- pam_unix Begin ------------------------
 kde-np:
    Unknown Entries:
       session closed for user dotancohen: 2 Time(s)
       session opened for user dotancohen by (uid=0): 1 Time(s)
 su:
    Sessions Opened:
       (uid=500) -> root: 3 Time(s)
 ---------------------- pam_unix End -------------------------

These are the most suspicious. If anyone could crarify on them a bit, i would appreciate it. Thank you!

Dotan Cohen
http://technology-sleuth.com/technic...t_is_hdtv.html

[jim]

These messges appear in my server as well

anytime there is a system change or a attempt to chage a file or dir a message gets sent to roots mail
Notrhing to be to concerned here now if it said " sshd from ip address as user XXX permission denied "and you see lines like that then you have concerns

Not checked root's email for a month? That is VERY BAD. I would suggest you have a regular user (UID>500) receive root's email and so avoid logging in as root. Those reports are generated by logwatch.

It is important to check emails regularly, as hacker activity, problems in your system can be highlighted. What would you have done if you had noticed a root login from the other side of the world one month ago?

[dotancohen]

Quote:

Originally Posted by Ergo12

Not checked root's email for a month? That is VERY BAD. I would suggest you have a regular user (UID>500) receive root's email and so avoid logging in as root. Those reports are generated by logwatch.

It is important to check emails regularly, as hacker activity, problems in your system can be highlighted. What would you have done if you had noticed a root login from the other side of the world one month ago?

I know, but I simply cannot give it higher priority in life than it now has. That may be irresponsible, but putting it above other matters would be even more irresponsible.

As for said (theoretical) root login from one month ago, I would format and reinstall. As I am on Fedora Core, which has a lifespan of half a year, I intend on doing this regularly. Backups, backups, backups!

Dotan Cohen