Last reports root connections without ip

nowhere

Member
Sep 21, 2012
14
0
1
cPanel Access Level
Root Administrator
Hi,
today I've found these lines using last command:
Code:
....
root     pts/0        85.my.off.ice     Thu Feb 13 11:02 - 11:11  (00:09)
root     pts/1        85.my.off.ice     Thu Feb 13 11:10 - 11:17  (00:06)
root     pts/0        85.my.off.ice     Thu Feb 20 14:25 - 17:18  (02:52)
root     pts/1                               Thu Feb 20 17:06 - 17:06  (00:00)
root     pts/0                               Thu Feb 20 18:17 - 18:17  (00:00)
root     pts/0                               Thu Feb 20 19:13 - 19:13  (00:00)
root     pts/0                               Fri Feb 21 00:19 - 00:19  (00:00)
root     pts/0                               Mon Feb 24 18:17 - 18:17  (00:00)
root     pts/0                               Mon Feb 24 21:43 - 21:43  (00:00)
root     pts/0                               Tue Feb 25 00:19 - 00:19  (00:00)
....
It looks like root has been connected without ip and for zero secons. Also the time of connection is really strange.
So I checked secure and I found this:
Code:
[email protected] [~]# cat /var/log/secure-20140223 |grep atd
Feb 17 00:42:00 host atd[349]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 17 00:42:23 host atd[349]: pam_unix(atd:session): session closed for user root
Feb 18 00:42:00 host atd[13211]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 18 00:42:26 host atd[13211]: pam_unix(atd:session): session closed for user root
Feb 19 00:42:00 host atd[21953]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 19 00:42:22 host atd[21953]: pam_unix(atd:session): session closed for user root
Feb 20 00:42:00 host atd[3980]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 20 00:42:22 host atd[3980]: pam_unix(atd:session): session closed for user root
Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 21 00:42:19 host atd[19192]: pam_unix(atd:session): session closed for user root
Feb 22 00:42:00 host atd[25391]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 22 00:42:23 host atd[25391]: pam_unix(atd:session): session closed for user root
Feb 23 00:42:00 host atd[2208]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 23 00:42:23 host atd[2208]: pam_unix(atd:session): session closed for user root
Does anybody knows what it could be?
Thanks

Andrea
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

The atd service is a task scheduling utility. cPanel uses it for launching the update-analysis process to validate the health of the system after updates. It's normal to see "root" logins from atd.

Thank you.
 

nowhere

Member
Sep 21, 2012
14
0
1
cPanel Access Level
Root Administrator
Hi Michael,
thanks for your explanation.
What sounded me strange was the fact that I've never seen it before 13/02/2014. Has something changed in cPanel since that date?
thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
There are no changes regarding the ATD service that I am aware of unless you updated your version of cPanel from an outdated build.

Thank you.