
Any log of Root Access?

Discussion in 'General Discussion' started by Abbas, Aug 30, 2004.

  1. Abbas

    Abbas Member

    Joined:
    Dec 12, 2002
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I had followed a guide and set my server up so that I get an email saying that root accessed the server from xxx location (usually the hostname/IP address) and this is working fine as whenever I access the server as root, an email quickly pops up stating my hostname.

    For the last 7-10 days, every day or every other day, I get three emails in a row saying Root Access from... but then nothing after that! No hostname, no IP address. I would like to check if someone is actually logging on as root or maybe WHM is doing something?

    Is there any way to see where the root account was accessed from, i.e., locally or through some other server?

    Thanks
    Abbas
     
  2. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    Login as root from ssh, and type "w".

    It should show you the current logins.

    If it shows nothing, ...well, I found this behaviour in only 2 cases:

    1. server hacked, so I suggest installing some rootkit hunter
    2. no space left on partition (like in 0 bytes left). If that is not the case, I suggest you run rkh and then maybe reinstall :)
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If your server is still secure, then you can check your root accesses with:

    last -da | grep root
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    We noticed on one server that at exactly 11pm we get that same issue. E-mail saying blank logged in as root. Now we know the box is secure, it does not show on the last command, no trace anywhere, no cronjobs at that time or anything. It is truly strange, but like clockwork at 11pm each and every day we get that same e-mail.

    We have even been logged in and actively monitoring ssh port for connects and nothing. Any suggestions welcomed.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    How odd. Are you sure there are no cronjobs, even user ones? Have you checked in /etc/cron.d/ which is often the culprit of such things?

    I've sat and wracked my brains for a while and cannot think of anything else that would trigger it on such a regular interval.

    It won't appear in last unless there is a successful login, though. Unsuccessful ones may (should) show up in /var/log/secure.
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    I thought of that as well, but the e-mail is only sent on successful login. No other security is triggered, not snort, bfd, apf etc. Anyway, when I get a chance later I'll look further into the headers of the e-mail and exim logs to try and get more details.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I wonder if you could get the pty or some other details into the email subject line of the email that is sent to help identify and narrow it down.
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Okay to clarify, it is the shell access alert not the root access alert.

    Actually this is kind of weird.

    Date and Time e-mail in Outlook received: Sunday 8/29/2004 11:00PM

    Date in e-mail: Alert - Shell Access on: Mon Aug 30 00:00:03 EDT 2004

    Server is in the same timezone and has been matched to my local time.

    From the headers:
    X-Source: /sbin/init
    X-Source-Args: init [3]
    X-Source-Dir: /root

    Command used in /etc/profile (the opening brace of the command group was missing in the paste):

    { echo "Alert - Shell Access on: `date`"; who; } | mail -s "Alert: Shell Access on `hostname`" me@domain.com
     
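    Following chirpy's suggestion to get the pty and other details into the alert, here is an added example (not dgbaker's snippet, nor anything shipped by cPanel or SuSE) of a replacement for the /etc/profile command above: it records the tty, the SSH client address and the parent process, and stays quiet for non-interactive shells such as the midnight cron job traced in this thread. `ALERT_TO`, `classify_login`, `ssh_client_ip`, `build_alert`, `parent_cmd` and `send_alert` are names chosen here; me@domain.com is the placeholder recipient from the thread.

    ```shell
    #!/bin/sh
    # Shell-access alert for /etc/profile (added example). Assumes POSIX sh and
    # that mail(1), tty(1), who(1) and ps(1) are present, as on the servers in the thread.
    ALERT_TO="${ALERT_TO:-me@domain.com}"   # placeholder recipient from the thread

    # Classify the shell from what /etc/profile already has available.
    # $1 = SSH_CONNECTION value, $2 = output of tty(1). Prints: ssh | console | noninteractive
    classify_login() {
        if [ -n "$1" ]; then
            echo ssh
        elif [ -n "$2" ] && [ "$2" != "not a tty" ]; then
            echo console
        else
            echo noninteractive
        fi
    }

    # SSH_CONNECTION is "client_ip client_port server_ip server_port"; return the client.
    ssh_client_ip() {
        if [ -z "$1" ]; then echo none; else echo "${1%% *}"; fi
    }

    # Command line of the process that started this shell (what the thread saw
    # as X-Source: /sbin/init when cron was the real origin).
    parent_cmd() {
        ps -o args= -p "$PPID" 2>/dev/null | head -n 1 || true
    }

    # Mail body. $1 = kind, $2 = tty, $3 = SSH_CONNECTION, $4 = parent command line
    build_alert() {
        printf 'Alert - Shell Access on: %s\n' "$(date)"
        printf 'Kind: %s\nTTY: %s\nSSH client: %s\nParent: %s\n' \
            "$1" "${2:-none}" "$(ssh_client_ip "$3")" "${4:-unknown}"
        printf '\nLogged-in users (who):\n'
        who 2>/dev/null || true
    }

    send_alert() {
        tty_name=$(tty 2>/dev/null)          # "not a tty" when no terminal
        kind=$(classify_login "${SSH_CONNECTION:-}" "$tty_name")
        if [ "$kind" = noninteractive ]; then
            # cron/init shells: log to syslog instead of paging the admin
            logger -t shell-alert "non-interactive shell, parent: $(parent_cmd)" 2>/dev/null || true
            return 0
        fi
        build_alert "$kind" "$tty_name" "${SSH_CONNECTION:-}" "$(parent_cmd)" \
          | mail -s "Alert: $kind shell on $(hostname) from $(ssh_client_ip "${SSH_CONNECTION:-}") [$tty_name]" "$ALERT_TO"
    }
    # Last line of /etc/profile:  send_alert
    ```
    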
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    So, do you have any CRON jobs running at midnight ;) Interesting that it's /sbin/init as the accused.
     
  10. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    DOOOHHH!!!! :eek:

    SuSE Security Checker (slightly customized) :D
     
  11. Abbas

    Abbas Member

    Joined:
    Dec 12, 2002
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I went through the log file and it seems that a particular IP logs in successfully between 12:18-12:20 every day.

    Also, there are a lot of failed attempts every day with a new IP address. I have installed BFD which should hopefully ban these IPs after a couple of unsuccessful attempts.

    Thanks
    Abbas
     
  12. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    BFD is a great thing to have for these types of things. Try also to determine what that IP is logging in as and also check /etc/passwd file to ensure no id has shell access that shouldn't.
     