[Case 53761] Root was logged into pam using following authentication

bt4

Well-Known Member
Jul 1, 2010
Hello,
Every day I get 100 emails from [email protected]:
Root was logged into pam using following authentication service: system

How can I stop this?
 

ES - George

Well-Known Member
PartnerNOC
Jun 12, 2011
UK
cPanel Access Level
DataCenter Provider
I think adding your IP to that whitelist might be better than unticking the option to alert you to someone (that's not supposed to be) logging in, don't you? :)
Depends if you've got a static or dynamic IP though I suppose.
 

cooty

Member
Nov 14, 2011
cPanel Access Level
Root Administrator
I have the same problem - Root was logged into pam using following authentication service: system
I've tried adding localhost and 127.0.0.1 to the IP whitelist but I can't block these messages - is there a way?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
So there is no IP associated with the successful login and it is localhost logging into root? Do you have users who have sudo su or su capabilities on the machine who would log into their own wheel group user and then switch to root user?
 

cooty

Member
Nov 14, 2011
cPanel Access Level
Root Administrator
That's correct, the subject line says: [Server.Name] Root Login from IP
and there is no IP address. The message content is just: Root was logged into pam using following authentication service: system
...and nothing else
I am currently the only user on the system. I am logged in as root (SSH), in WHM (as root) and in cPanel (as another login).
The email is received exactly every half hour
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
So I checked whether we have any internal cases about the issue and we do. This is being caused by crond root crons running triggering the alert. The cases are 53729 for 11.31/11.32 and 53761 for 11.30. It is fixed in 11.31.1.2 and 11.30.5.0 versions. The changelog to see this would be at Change Logs

Now, CURRENT is at 11.30.5.1 and would have this issue corrected. RELEASE and STABLE have not yet reached 11.30.5+. If you updated your machine to CURRENT tier, the alerts should quit happening. Otherwise, you would have the option to wait until RELEASE or STABLE reached 11.30.5+ version.

If you would like to see the version available for each tier, this is located at the following location:

http://httpupdate.cpanel.net
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Has this issue been fully resolved? Last night at 23:05 when uucp ran we got a "Root was logged into pam" from one server. That server is running WHM 11.32.2 (build 4), CentOS 6.2 x86_64 standard. Two days ago we put in a ticket for an ImageMagick issue [cPanel tickets ID# 2409786] and the support tech upgraded us to 11.32.2.4.

No other login was reported before or after, and I don't see anything in the logs or elsewhere to indicate the system was rooted/compromised.
 

graham_w

Well-Known Member
May 25, 2004
Same here. I'm on 11.32.2.6 on Centos 6.2 x64 and got this notification for /scripts/upcp running this morning.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Got another one today, same exact time. Must still be a bug.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Please consider opening a bug report if you feel this issue still exists:

Submit A Bug Report

It's important we receive these through our bug reporting system so we can reproduce the issue and create/tag an internal case.

Thank you.
 

kuroi

Registered
Apr 9, 2012
cPanel Access Level
Root Administrator
I'm still seeing this in WHM 11.32.2.15, so it appears not to be fixed yet. I have raised a support request (is that what was meant by submitting a bug report, or is there a different route for that?).
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
I believe it is atd service rather than crond service causing these messages. atd isn't enabled to run by default on cPanel machines, which means someone had to have switched it on if it is on any of these systems.

You can check if atd is the one by running the following:

Code:
grep pam /var/log/messages
 
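The grep above tells you which pam service opened the root session, which is the whole point of the check: a session opened by atd or crond locally has no remote address, while a real remote root login comes in through sshd with a peer IP. The script below is an added example, not code from the thread or from cPanel, that does that triage automatically. It parses pam_unix "session opened" lines, attaches the ssh peer address when an "Accepted ..." line shares the sshd pid, and groups root sessions by how they were opened. The log lines embedded in it are constructed for illustration; on CentOS 6 the pam_unix lines may be written to /var/log/secure rather than /var/log/messages depending on the syslog configuration, so point it at whichever file actually carries them.

```python
import re
from collections import Counter

# Constructed sample lines in the pam_unix / sshd syslog format (not from
# the thread). Two atd runs, one crond run, one ssh login, one su.
SAMPLE_LOG = """\
Apr  6 20:40:02 server atd[4127]: pam_unix(atd:session): session opened for user root by (uid=0)
Apr  6 20:40:07 server atd[4127]: pam_unix(atd:session): session closed for user root
Apr  7 03:00:01 server crond[3311]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr  7 03:00:01 server crond[3311]: pam_unix(crond:session): session closed for user root
Apr  7 09:15:44 server sshd[6001]: Accepted publickey for root from 203.0.113.7 port 51022 ssh2
Apr  7 09:15:44 server sshd[6001]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr  7 11:02:13 server su[6120]: pam_unix(su:session): session opened for user root by admin(uid=500)
Apr  7 20:40:02 server atd[5210]: pam_unix(atd:session): session opened for user root by (uid=0)
"""

SESSION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: pam_unix\((?P<service>[\w-]+):session\): "
    r"session opened for user (?P<user>\S+) by (?P<by>[\w-]*)\(uid=(?P<uid>\d+)\)$"
)
ACCEPT_RE = re.compile(
    r"^\S+\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: Accepted \S+ for "
    r"(?P<user>\S+) from (?P<rhost>\S+) port \d+"
)

# pam service names are assumptions about common CentOS 6 configurations.
SCHEDULERS = {"atd", "crond", "cron"}        # local, no remote peer
ESCALATORS = {"su", "su-l", "sudo", "sudo-i"}  # local user switching to root


def parse_root_sessions(log_text, user="root"):
    """Return one dict per 'session opened' line for `user`. The ssh peer
    address is attached when an 'Accepted ...' line shares the sshd pid."""
    accepted = {}
    events = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m and m.group("user") == user:
            accepted[m.group("pid")] = m.group("rhost")
            continue
        m = SESSION_RE.match(line)
        if m and m.group("user") == user:
            ev = m.groupdict()
            ev["rhost"] = accepted.get(ev["pid"])
            events.append(ev)
    return events


def classify(ev):
    """Label a root session by the pam service that opened it."""
    svc = ev["service"]
    if svc in SCHEDULERS:
        return "scheduler"  # the case discussed in the thread: no IP at all
    if svc == "sshd":
        return "remote:%s" % (ev["rhost"] or "unknown-ip")
    if svc in ESCALATORS:
        return "escalation:%s" % (ev["by"] or "uid=" + ev["uid"])
    return "other:%s" % svc


def summarize(log_text):
    """Count root sessions per category, e.g. {'scheduler': 3, ...}."""
    return Counter(classify(ev) for ev in parse_root_sessions(log_text))


if __name__ == "__main__":
    # Usage: python triage.py < /var/log/messages  (or /var/log/secure)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ev in parse_root_sessions(text):
        print(ev["ts"], ev["service"], "->", classify(ev))
    print(dict(summarize(text)))
```

Anything that comes out as "scheduler" matches the alerts people in this thread are seeing and can be tied to an atd or cron job; anything "remote:" with an address you do not recognise, or "escalation:" by a user you did not expect, is the kind of event the notification exists for and should not be filtered away along with the noise.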

kuroi

Registered
Apr 9, 2012
3
0
51
cPanel Access Level
Root Administrator
Got a really impressively quick response from cPanel support. It's a known problem at the moment and "unfortunately the suggested resolution until it's resolved is to ignore the emails". But hopefully that means that there's a resolution planned. In the meantime, I'll try filtering these emails in my mail client to throw away those with no IP in the subject line.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
We do appear to have a new internal case (58711) for the atd logging via pam via /var/log/messages. I still highly suggest anyone experiencing this issue check in /var/log/messages if it is atd service.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
kuroi said:
Got a really impressively quick response from cPanel support. It's a known problem at the moment and "unfortunately the suggested resolution until it's resolved is to ignore the emails". But hopefully that means that there's a resolution planned. In the meantime, I'll try filtering these emails in my mail client to throw away those with no IP in the subject line.

If you are only getting one per day you might as well just delete it manually. I don't think it's a good idea to filter them and throw them away, in case some other issue arises and you get more of these for some other reason. I am still getting them but I don't care anymore.
 

RmACK

Registered
Apr 9, 2012
cPanel Access Level
Root Administrator
I began receiving similar emails: 4 so far, same time each day, apparently since a recent update to 11.32.2.15.
The log file for the update that day shows atd starting:

Code:
[20120406.204002] Detected cron=1 (cron mode set from command line)
enable was successful
[atd] Starting : [ OK ]
----------------------------------------------------------------------------------------------------
=> Log opened from /usr/local/cpanel/scripts/upcp at Fri Apr 6 20:40:02 2012
[20120406.204002] Detected cron=1 (cron mode set from command line)
=> Log closed Fri Apr 6 20:40:07 2012
[20120406.204007] mtime on upcp is 1333615256 (Thu Apr 5 20:40:56 2012)
----------------------------------------------------------------------------------------------------
=> Log opened from /usr/local/cpanel/scripts/updatenow at Fri Apr 6 20:40:08 2012
[20120406.204008] Detected version '11.32.2.15' from version file.
[20120406.204008] Target version set to '11.32.2.15'
[20120406.204008] Up to date (11.32.2.15)
=> Log closed Fri Apr 6 20:40:08 2012
=> Log closed Fri Apr 6 20:40:08 2012
So this fits with the comment that atd doesn't normally run. Why it was started, I don't know, being fairly new to the admin side of cPanel (and I am on holiday).