Last reports root connections without ip

nowhere

Member
Sep 21, 2012
14
0
1
cPanel Access Level
Root Administrator
Hi,
today I found these lines using the last command:
Code:
....
root     pts/0        85.my.off.ice     Thu Feb 13 11:02 - 11:11  (00:09)
root     pts/1        85.my.off.ice     Thu Feb 13 11:10 - 11:17  (00:06)
root     pts/0        85.my.off.ice     Thu Feb 20 14:25 - 17:18  (02:52)
root     pts/1                               Thu Feb 20 17:06 - 17:06  (00:00)
root     pts/0                               Thu Feb 20 18:17 - 18:17  (00:00)
root     pts/0                               Thu Feb 20 19:13 - 19:13  (00:00)
root     pts/0                               Fri Feb 21 00:19 - 00:19  (00:00)
root     pts/0                               Mon Feb 24 18:17 - 18:17  (00:00)
root     pts/0                               Mon Feb 24 21:43 - 21:43  (00:00)
root     pts/0                               Tue Feb 25 00:19 - 00:19  (00:00)
....
It looks like root has been connected without an IP and for zero seconds. Also the time of connection is really strange.
So I checked secure and I found this:
Code:
[email protected] [~]# cat /var/log/secure-20140223 |grep atd
Feb 17 00:42:00 host atd[349]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 17 00:42:23 host atd[349]: pam_unix(atd:session): session closed for user root
Feb 18 00:42:00 host atd[13211]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 18 00:42:26 host atd[13211]: pam_unix(atd:session): session closed for user root
Feb 19 00:42:00 host atd[21953]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 19 00:42:22 host atd[21953]: pam_unix(atd:session): session closed for user root
Feb 20 00:42:00 host atd[3980]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 20 00:42:22 host atd[3980]: pam_unix(atd:session): session closed for user root
Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 21 00:42:19 host atd[19192]: pam_unix(atd:session): session closed for user root
Feb 22 00:42:00 host atd[25391]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 22 00:42:23 host atd[25391]: pam_unix(atd:session): session closed for user root
Feb 23 00:42:00 host atd[2208]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 23 00:42:23 host atd[2208]: pam_unix(atd:session): session closed for user root
Does anybody know what it could be?
Thanks

Andrea
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

The atd service is a task scheduling utility. cPanel uses it for launching the update-analysis process to validate the health of the system after updates. It's normal to see "root" logins from atd.

Thank you.
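
An added example (not part of the original posts, and not cPanel code): one way to check which PAM service opened each root session in /var/log/secure, pairing "session opened" and "session closed" lines by service and PID so that short atd scheduler sessions stand apart from sshd logins. The sshd lines in the sample are constructed, and the function names and the default year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample in the /var/log/secure format quoted in the thread.
# The atd lines are copied from the post; the sshd lines are constructed.
SAMPLE = """\
Feb 20 00:42:00 host atd[3980]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 20 00:42:22 host atd[3980]: pam_unix(atd:session): session closed for user root
Feb 20 14:25:03 host sshd[4101]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 20 17:18:40 host sshd[4101]: pam_unix(sshd:session): session closed for user root
Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 21 00:42:19 host atd[19192]: pam_unix(atd:session): session closed for user root
Feb 21 09:00:00 host sshd[20001]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<svc>[\w.-]+):session\): session (?P<ev>opened|closed) for user (?P<user>\S+)"
)

def pair_sessions(text, user="root", year=2014):
    """Pair opened/closed events by (service, pid); return (sessions, unclosed)."""
    open_at, sessions = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m["user"] != user:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["svc"], m["pid"])
        if m["ev"] == "opened":
            open_at[key] = ts
        elif key in open_at:
            start = open_at.pop(key)
            sessions.append((m["svc"], start, int((ts - start).total_seconds())))
    return sessions, sorted(open_at)

def summarize(sessions):
    by_svc = defaultdict(list)
    for svc, _start, secs in sessions:
        by_svc[svc].append(secs)
    return {svc: (len(d), max(d)) for svc, d in by_svc.items()}

if __name__ == "__main__":
    sessions, unclosed = pair_sessions(SAMPLE)
    for svc, (count, longest) in summarize(sessions).items():
        print(f"{svc}: {count} closed root session(s), longest {longest}s")
    print("still open:", unclosed)
```

A root session whose service is neither a scheduler (atd, crond) nor an expected login path is the one worth tracing further in the same log.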
 

nowhere

Hi Michael,
thanks for your explanation.
What sounded strange to me was the fact that I've never seen it before 13/02/2014. Has something changed in cPanel since that date?
thanks
 

cPanelMichael

There are no changes regarding the ATD service that I am aware of unless you updated your version of cPanel from an outdated build.

Thank you.