The Community Forums


[Case 53761] Root was logged into pam using following authentication

Discussion in 'General Discussion' started by bt4, Oct 29, 2011.

  1. bt4

    bt4 Well-Known Member

    Hello,
    Every day I get 100 emails from From: cpanel@server1.serverat.net
    Root was logged into pam using following authentication service: system

    How can I stop this?
     
  2. ES - George

    ES - George Well-Known Member
    PartnerNOC

    Main >> Security Center >> cPHulk Brute Force Protection

    Untick Send a notification upon successful root login when the IP is not whitelisted
     
  3. bt4

    bt4 Well-Known Member

    Thank you so much.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I think adding your IP to that whitelist might be better than unticking the option to alert you to someone (that's not supposed to be) logging in, don't you? :)
     
  5. ES - George

    ES - George Well-Known Member
    PartnerNOC

    Depends if you've got a static or dynamic IP though I suppose.
     
  6. cooty

    cooty Member

    I have the same problem - Root was logged into pam using following authentication service: system
    I've tried adding localhost and 127.0.0.1 to the IP whitelist but I can't block these messages - is there a way?
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    So there is no IP associated with the successful login and it is localhost logging into root? Do you have users who have sudo su or su capabilities on the machine who would log into their own wheel group user and then switch to root user?
     
  8. cooty

    cooty Member

    That's correct, the subject line says: [Server.Name] Root Login from IP
    and there is no IP address. The message content is just: Root was logged into pam using following authentication service: system
    ...and nothing else
    I am currently the only user on the system - I am logged in as root (ssh) - WHM (as root) and cpanel (as other logon)
    The email is received exactly every half hour
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    So I checked whether we have any internal cases about the issue and we do. This is being caused by crond root crons running and triggering the alert. The cases are 53729 for 11.31/11.32 and 53761 for 11.30. It is fixed in the 11.31.1.2 and 11.30.5.0 versions. The changelog to see this would be at Change Logs

    Now, CURRENT is at 11.30.5.1 and would have this issue corrected. RELEASE and STABLE have not yet reached 11.30.5+. If you updated your machine to CURRENT tier, the alerts should quit happening. Otherwise, you would have the option to wait until RELEASE or STABLE reached 11.30.5+ version.

    If you would like to see the version available for each tier, this is located at the following location:

    http://httpupdate.cpanel.net
     
  10. nyjimbo

    nyjimbo Well-Known Member

    Has this issue been fully resolved? Last night at 23:05 when uucp ran we got a "Root was logged into pam" from one server. That server is running WHM 11.32.2 (build 4) CENTOS 6.2 x86_64 standard. Two days ago we put in a ticket for an ImageMagick issue [cPanel tickets ID# 2409786] and the support tech upgraded us to 11.32.2.4.

    No other login was reported before or after and I don't see anything in logs or elsewhere to indicate the system was rooted/compromised.
     
  11. graham_w

    graham_w Well-Known Member

    Same here. I'm on 11.32.2.6 on CentOS 6.2 x64 and got this notification for /scripts/upcp running this morning.
     
  12. nyjimbo

    nyjimbo Well-Known Member

    Got another one today, same exact time. Must still be a bug.
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Please consider opening a bug report if you feel this issue still exists:

    Submit A Bug Report

    It's important we receive these through our bug reporting system so we can reproduce the issue and create/tag an internal case.

    Thank you.
     
  14. kuroi

    kuroi Registered

    I'm still seeing this in WHM 11.32.2.15, so it appears not to be fixed yet. Have raised a support request (is that what was meant by submitting a bug report, or is there a different route for that?)
     
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I believe it is atd service rather than crond service causing these messages. atd isn't enabled to run by default on cPanel machines, which means someone had to have switched it on if it is on any of these systems.

    You can check if atd is the one by running the following:

    Code:
    grep pam /var/log/messages
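
Added example, not part of the original post or of cPanel's code: the grep above lists every PAM line, while this sketch tallies only the "session opened for user root" entries per PAM service, so crond or atd sessions stand apart from sshd logins. The function names are hypothetical and the sample log lines are constructed in the usual pam_unix syslog format.

```shell
#!/bin/sh
# Added example: count root PAM sessions per service (crond, atd, sshd, ...).

# pam_root_sessions FILE
# Prints "COUNT SERVICE" lines, highest count first, for every
# "session opened for user root" entry logged by pam_unix in FILE.
pam_root_sessions() {
    awk '
    /session opened for user root( |$)/ {
        # The service name sits between "pam_unix(" and ":session)".
        if (match($0, /pam_unix\([^:)]+:session\)/)) {
            svc = substr($0, RSTART + 9, RLENGTH - 18)
            count[svc]++
        }
    }
    END { for (s in count) print count[s], s }' "$1" | sort -k1,1nr -k2,2
}

# write_sample_log FILE
# Writes constructed sample lines (not taken from any real server).
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 10 23:05:01 host1 crond[4101]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr 10 23:05:01 host1 crond[4101]: pam_unix(crond:session): session closed for user root
Apr 10 23:30:01 host1 crond[4177]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr 11 00:00:01 host1 crond[4230]: pam_unix(crond:session): session opened for user root by (uid=0)
Apr 11 00:10:00 host1 atd[4302]: pam_unix(atd:session): session opened for user root by (uid=0)
Apr 11 09:12:44 host1 sshd[5120]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 11 09:15:02 host1 crond[5188]: pam_unix(crond:session): session opened for user mailman by (uid=0)
EOF
}

# Run against the file given as $1, or against the constructed sample.
if [ -n "${1:-}" ]; then
    pam_root_sessions "$1"
else
    demo=$(mktemp)
    write_sample_log "$demo"
    pam_root_sessions "$demo"
    rm -f "$demo"
fi
```

Pass /var/log/messages as the argument to match the command in the post, or another file if your syslog configuration routes authpriv messages elsewhere.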
     
  16. kuroi

    kuroi Registered

    Got a really impressively quick response from cPanel support. It's a known problem at the moment and "unfortunately the suggested resolution until it's resolved is to ignore the emails". But hopefully that means that there's a resolution planned. In the meantime, I'll try filtering these emails in my mail client to throw away those with no IP in the subject line.
     
  17. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    We do appear to have a new internal case (58711) for the atd logging via pam via /var/log/messages. I still highly suggest anyone experiencing this issue check in /var/log/messages if it is atd service.
     
  18. nyjimbo

    nyjimbo Well-Known Member

    If you are only getting one per day you might as well just delete it manually. I don't think it's a good idea to filter them and throw them away in case some other issue arises and you get more of these for some other reason. I am still getting them but I don't care anymore.
     
  19. RmACK

    RmACK Registered

    I began receiving similar emails: 4 so far, same time each day, appears to be since a recent update to 11.32.2.15
    The log file for the update that day shows atd starting:

    So this fits with the comment that atd doesn't normally run. Why it was started, I don't know, being fairly new to the admin side of cPanel (and I am on holiday).
     
  20. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Case 58711 has been resolved in version 11.32.3.15 and later. If you are still experiencing this issue, please let us investigate via http://go.cPanel.net/bugs
     