Last reports root connections without ip

Discussion in 'Security' started by nowhere, Feb 25, 2014.

  1. nowhere

    nowhere Member

    Hi,
    today I've found these lines using last command:
    Code:
    ....
    root     pts/0        85.my.off.ice     Thu Feb 13 11:02 - 11:11  (00:09)
    root     pts/1        85.my.off.ice     Thu Feb 13 11:10 - 11:17  (00:06)
    root     pts/0        85.my.off.ice     Thu Feb 20 14:25 - 17:18  (02:52)
    root     pts/1                               Thu Feb 20 17:06 - 17:06  (00:00)
    root     pts/0                               Thu Feb 20 18:17 - 18:17  (00:00)
    root     pts/0                               Thu Feb 20 19:13 - 19:13  (00:00)
    root     pts/0                               Fri Feb 21 00:19 - 00:19  (00:00)
    root     pts/0                               Mon Feb 24 18:17 - 18:17  (00:00)
    root     pts/0                               Mon Feb 24 21:43 - 21:43  (00:00)
    root     pts/0                               Tue Feb 25 00:19 - 00:19  (00:00)
    ....
    It looks like root has been connected without an IP and for zero seconds. Also the time of connection is really strange.
    So I checked secure and I found this:
    Code:
    root@host [~]# cat /var/log/secure-20140223 |grep atd
    Feb 17 00:42:00 host atd[349]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 17 00:42:23 host atd[349]: pam_unix(atd:session): session closed for user root
    Feb 18 00:42:00 host atd[13211]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 18 00:42:26 host atd[13211]: pam_unix(atd:session): session closed for user root
    Feb 19 00:42:00 host atd[21953]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 19 00:42:22 host atd[21953]: pam_unix(atd:session): session closed for user root
    Feb 20 00:42:00 host atd[3980]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 20 00:42:22 host atd[3980]: pam_unix(atd:session): session closed for user root
    Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 21 00:42:19 host atd[19192]: pam_unix(atd:session): session closed for user root
    Feb 22 00:42:00 host atd[25391]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 22 00:42:23 host atd[25391]: pam_unix(atd:session): session closed for user root
    Feb 23 00:42:00 host atd[2208]: pam_unix(atd:session): session opened for user root by (uid=0)
    Feb 23 00:42:23 host atd[2208]: pam_unix(atd:session): session closed for user root
    Does anybody know what it could be?
    Thanks

    Andrea
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The atd service is a task scheduling utility. cPanel uses it for launching the update-analysis process to validate the health of the system after updates. It's normal to see "root" logins from atd.

    Thank you.
     
  3. nowhere

    Hi Michael,
    thanks for your explanation.
    What sounded strange to me was the fact that I've never seen it before 13/02/2014. Has something changed in cPanel since that date?
    thanks
     
  4. cPanelMichael

    There are no changes regarding the ATD service that I am aware of unless you updated your version of cPanel from an outdated build.

    Thank you.
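
Added example, not part of the original posts and not cPanel code: one way to check an explanation like the one in this thread is to match each root entry that `last` shows without a source host against the PAM "session opened" lines in /var/log/secure, so every entry is either attributed to a service or left flagged for review. The sample lines are constructed in the formats shown above; the function names, the `year` parameter and the one-minute slack are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data in the formats shown in the thread (not the poster's logs).
LAST_OUTPUT = """\
root     pts/0        203.0.113.7      Thu Feb 20 14:25 - 17:18  (02:52)
root     pts/1                         Thu Feb 20 17:06 - 17:06  (00:00)
root     pts/0                         Fri Feb 21 00:42 - 00:42  (00:00)
"""
SECURE_LOG = """\
Feb 20 14:25:03 host sshd[3011]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 21 00:42:19 host atd[19192]: pam_unix(atd:session): session closed for user root
"""

# user, tty, optional source host, then the "Www Mmm dd HH:MM" login time
LAST_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)\s*(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
                     r"(\w{3})\s+(\d{1,2}) (\d\d:\d\d) ")
# syslog timestamp, host, service[pid], PAM session-open message and user
PAM_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d):\d\d \S+ ([\w.-]+)\[\d+\]: "
                    r"pam_unix\(\S+\): session opened for user (\S+)")

def _ts(year, mon, day, hhmm):
    # Neither log format carries a year, so the caller supplies it (assumption).
    return datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")

def parse_pam_opens(secure_text, year):
    """Return (minute timestamp, service, user) for every PAM session open."""
    hits = (PAM_RE.match(line) for line in secure_text.splitlines())
    return [(_ts(year, m[1], m[2], m[3]), m[4], m[5]) for m in hits if m]

def attribute_hostless_sessions(last_text, secure_text, year, slack_minutes=1):
    """Hostless `last` entries -> services with a matching PAM open ([] = unexplained)."""
    opens = parse_pam_opens(secure_text, year)
    slack = timedelta(minutes=slack_minutes)
    findings = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if not m or m.group(3):  # skip unparsable lines and entries with a host
            continue
        user, tty, _, mon, day, hhmm = m.groups()
        when = _ts(year, mon, day, hhmm)
        services = sorted({s for t, s, u in opens if u == user and abs(t - when) <= slack})
        findings.append((when.strftime("%b %d %H:%M"), tty, services))
    return findings

if __name__ == "__main__":
    for when, tty, services in attribute_hostless_sessions(LAST_OUTPUT, SECURE_LOG, 2014):
        print(when, tty, ", ".join(services) or "UNEXPLAINED: review manually")
```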
     