[Case 53761] Root was logged into pam using following authentication

Discussion in 'General Discussion' started by bt4, Oct 29, 2011.

  1. bt4

    bt4 Well-Known Member

    Joined:
    Jul 1, 2010
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    56
    Hello,
    Every day I get 100 emails from From: cpanel@server1.serverat.net
    Root was logged into pam using following authentication service: system

    How can I stop this?
     
  2. ES - George

    ES - George Well-Known Member
    PartnerNOC

    Joined:
    Jun 12, 2011
    Messages:
    144
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Main >> Security Center >> cPHulk Brute Force Protection

    Untick Send a notification upon successful root login when the IP is not whitelisted
     
  3. bt4

    bt4 Well-Known Member

    Joined:
    Jul 1, 2010
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    56
    thank you so much
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,526
    Likes Received:
    428
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I think adding your IP to that whitelist might be better than unticking the option to alert you to someone (that's not supposed to be) logging in, don't you? :)
     
  5. ES - George

    ES - George Well-Known Member
    PartnerNOC

    Joined:
    Jun 12, 2011
    Messages:
    144
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Depends if you've got a static or dynamic IP though I suppose.
     
  6. cooty

    cooty Member

    Joined:
    Nov 14, 2011
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I have the same problem - Root was logged into pam using following authentication service: system
    I've tried adding localhost and 127.0.0.1 to the IP whitelist but I can't block these messages - is there a way?
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    So there is no IP associated with the successful login and it is localhost logging into root? Do you have users who have sudo su or su capabilities on the machine who would log into their own wheel group user and then switch to root user?
     
  8. cooty

    cooty Member

    Joined:
    Nov 14, 2011
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    That's correct, the subject line says: [Server.Name] Root Login from IP
    and there is no IP address. The message content is just: Root was logged into pam using following authentication service: system
    ...and nothing else
    I am currently the only user on the system - I am logged in as root (ssh) - WHM (as root) and cpanel (as other logon)
    The email is received exactly every half hour
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    So I checked whether we have any internal cases about the issue and we do. This is being caused by crond root crons running triggering the alert. The cases are 53729 for 11.31/11.32 and 53761 for 11.30. It is fixed in 11.31.1.2 and 11.30.5.0 versions. The changelog to see this would be at Change Logs

    Now, CURRENT is at 11.30.5.1 and would have this issue corrected. RELEASE and STABLE have not yet reached 11.30.5+. If you updated your machine to CURRENT tier, the alerts should quit happening. Otherwise, you would have the option to wait until RELEASE or STABLE reached 11.30.5+ version.

    If you would like to see the version available for each tier, this is located at the following location:

    http://httpupdate.cpanel.net
     
  10. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,131
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    Has this issue been fully resolved? Last night at 23:05 when uucp ran we got a "Root was logged into pam" from one server. That server is running WHM 11.32.2 (build 4) CENTOS 6.2 x86_64 standard. Two days ago we put in a ticket for an imagemagick issue [cPanel tickets ID# 2409786] and the support tech upgraded us to 11.32.2.4.

    No other login was reported before or after and I don't see anything in logs or elsewhere to indicate the system was rooted/compromised.
     
  11. graham_w

    graham_w Well-Known Member

    Joined:
    May 25, 2004
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    156
    Same here. I'm on 11.32.2.6 on CentOS 6.2 x64 and got this notification for /scripts/upcp running this morning.
     
  12. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,131
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    Got another one today, same exact time. Must still be a bug.
     
  13. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,233
    Likes Received:
    1,939
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please consider opening a bug report if you feel this issue still exists:

    Submit A Bug Report

    It's important we receive these through our bug reporting system so we can reproduce the issue and create/tag an internal case.

    Thank you.
     
  14. kuroi

    kuroi Registered

    Joined:
    Apr 9, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I'm still seeing this in WHM 11.32.2.15, so it appears not to be fixed yet. Have raised a support request (is that what was meant by submitting a bug report, or is there a different route for that?)
     
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I believe it is atd service rather than crond service causing these messages. atd isn't enabled to run by default on cPanel machines, which means someone had to have switched it on if it is on any of these systems.

    You can check if atd is the one by running the following:

    Code:
    grep pam /var/log/messages
     
  16. kuroi

    kuroi Registered

    Joined:
    Apr 9, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Got a really impressively quick response from cPanel support. It's a known problem at the moment and "unfortunately the suggested resolution until it's resolved is to ignore the emails". But hopefully that means that there's a resolution planned. In the meantime, I'll try filtering these emails in my mail client to throw away those with no IP in the subject line.
     
  17. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    We do appear to have a new internal case (58711) for the atd logging via pam via /var/log/messages. I still highly suggest anyone experiencing this issue check in /var/log/messages if it is atd service.
     
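An added example (not part of the original posts and not cPanel's code) that extends the `grep pam /var/log/messages` check suggested in the two staff replies above: it counts root PAM sessions per service, so sessions opened by crond or atd, which have no remote IP to whitelist, stand out from sshd or su logins. The function names are hypothetical, the log lines are constructed, and the common pam_unix syslog format is assumed.

```shell
#!/bin/bash
# Assumed line format (typical pam_unix syslog output):
#   <daemon>[pid]: pam_unix(<service>:session): session opened for user root by <who>(uid=N)

# Print "<count> <service>" for every PAM service that opened a root session.
root_pam_sessions() {
    awk '
        /pam_unix\([^:]+:session\): session opened for user root/ {
            svc = $0
            sub(/.*pam_unix\(/, "", svc)   # drop everything before the service name
            sub(/:session\).*/, "", svc)   # drop everything after it
            count[svc]++
        }
        END { for (s in count) print count[s], s }
    ' "$1" | sort -k1,1nr -k2,2
}

# Keep only the job schedulers: local services, so the alert carries no IP.
scheduler_root_sessions() {
    root_pam_sessions "$1" | awk '$2 == "crond" || $2 == "atd"'
}

# Constructed sample log (hostname, PIDs and times are made up).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Apr 10 22:30:01 server1 crond[4101]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr 10 22:30:02 server1 crond[4101]: pam_unix(crond:session): session closed for user root
Apr 10 23:00:01 server1 crond[4188]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr 10 23:05:00 server1 atd[4230]: pam_unix(atd:session): session opened for user root by (uid=0)
Apr 10 23:10:12 server1 sshd[4302]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 10 23:11:40 server1 su: pam_unix(su:session): session opened for user root by admin(uid=500)
Apr 10 23:12:03 server1 sshd[4350]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF

root_pam_sessions "$SAMPLE"
```

On a real server, pass `/var/log/messages` instead of the sample file and compare the timestamps of the crond or atd entries with the arrival times of the notification emails.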
  18. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,131
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    If you are only getting one per day you might as well just delete it manually. I don't think it's a good idea to filter them and throw away in case some other issue arises and you get more of these for some other reason. I am still getting them but I don't care anymore.
     
  19. RmACK

    RmACK Registered

    Joined:
    Apr 9, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I began receiving similar emails: 4 so far, same time each day, appears to be since a recent update to 11.32.2.15
    The log file for the update that day shows atd starting:

    So this fits with the comment that atd doesn't normally run. Why it was started, I don't know, being fairly new to the admin side of cPanel (and I am on holiday).
     
  20. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,216
    Likes Received:
    10
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Case 58711 has been resolved in version 11.32.3.15 and later. If you are still experiencing this issue, please let us investigate via http://go.cPanel.net/bugs
     