Stale repeating log entries in /var/log/secure

ottdev

Well-Known Member
Oct 1, 2013
cPanel Access Level
Root Administrator
Server has unexplained entries in /var/log/secure.
It looks like on a weekly basis, PAST entries for pam_unix and unix_chkpwd get dumped into the /var/log/secure file.

See after the first 2 proper entries, some old items are dumped in

[[email protected] jon9n7]# cat /var/log/secure
Nov 13 05:21:14 to atd[30306]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 02:35:23 to sshd[1308]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 23 06:51:16 to su: pam_unix(su:session): session closed for user root
Sep 23 15:57:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 24 01:06:20 to su: pam_unix(su:session): session closed for user root
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Sep 24 10:40:53 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 27 13:48:36 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 28 00:16:01 to unix_chkpwd[28]: check pass; user unknown
Sep 28 00:16:09 to unix_chkpwd[29]: check pass; user unknown
[[ BUNCH MORE REMOVED ]]
Nov 7 23:29:08 to su: pam_unix(su:session): session closed for user root
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 8 20:14:15 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Nov 9 03:11:21 to su: pam_unix(su:session): session closed for user root
Nov 12 16:24:33 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Nov 14 02:35:23 to su: pam_unix(su:session): session closed for user root
Nov 14 05:21:16 to atd[17367]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 12:57:12 to sshd[1050]: Accepted password for jon9n7 from xx.xx.xx.xx port 9999 ssh2
Nov 14 12:57:12 to sshd[1050]: pam_unix(sshd:session): session opened for user jon9n7 by (uid=0)
A chunk of entries beginning with "Sep 23" were repeatedly inserted on Oct 18, Oct 19, Oct 19, Oct 21, Oct 21, Oct 27, Nov 4, Nov 14. The "chunk" is growing as more entries accumulate in whatever log they originally came from. The dates and times are not consistent so they don't appear to be related to any cron. At this point, we know it was sometime after 2:35am and before 4:00am.

lfd detects these entries when it runs and sends a "su login failed" email for each auth failure in the chunk, though they aren't "new" activity. The question is how/why are these past entries being randomly copied to /var/log/secure?
 
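The symptom described above (a block of old, internally ordered entries re-appearing behind newer ones, and lfd alerting on the stale auth failures inside it) can be spotted mechanically by looking for timestamps that fall behind the newest entry already seen. The script below is an added example for this thread, not code from the original post, from lfd or from cPanel; the sample log lines are constructed from the excerpt above, and the one-day tolerance is an assumption chosen to ignore ordinary rsyslog flush jitter.

```python
"""Flag stale (out-of-order) chunks in a syslog-style auth log such as /var/log/secure.

Added example for this thread; it is not part of cPanel, lfd or the original post.
Syslog timestamps carry no year, so ordering is compared within a single year of
log; a Dec -> Jan rollover would also show up as a "stale" run.
"""
from datetime import datetime, timedelta

# Assumption: anything more than a day behind the newest entry is a re-injected
# chunk rather than normal buffering/flush reordering.
TOLERANCE = timedelta(days=1)

# Constructed sample modelled on the /var/log/secure excerpt in the thread
# (host name "to", user name and PIDs are taken from that excerpt as placeholders).
SAMPLE_LOG = """\
Nov 13 05:21:14 to atd[30306]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 02:35:23 to sshd[1308]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Sep 28 00:16:01 to unix_chkpwd[28]: check pass; user unknown
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 14 02:35:23 to su: pam_unix(su:session): session closed for user root
Nov 14 05:21:16 to atd[17367]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 12:57:12 to sshd[1050]: pam_unix(sshd:session): session opened for user jon9n7 by (uid=0)
""".splitlines()


def parse_ts(line):
    """Return the leading 'Mon D HH:MM:SS' stamp as a datetime (year 1900), or None."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    try:
        return datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")
    except ValueError:
        return None


def find_stale_runs(lines, tolerance=TOLERANCE):
    """Return (first_index, last_index) pairs of consecutive lines whose timestamps
    fall more than `tolerance` behind the newest in-order line seen so far.

    The high-water mark only advances on in-order lines, so a re-injected chunk
    stays flagged even though it is sorted internally.
    """
    runs = []
    hwm = None          # newest timestamp among in-order lines
    start = last = None  # current stale run, if any
    for i, line in enumerate(lines):
        ts = parse_ts(line)
        if ts is None:
            continue  # malformed or continuation line; neither starts nor ends a run
        if hwm is not None and ts < hwm - tolerance:
            if start is None:
                start = i
            last = i
        else:
            if start is not None:
                runs.append((start, last))
                start = last = None
            if hwm is None or ts > hwm:
                hwm = ts
    if start is not None:
        runs.append((start, last))
    return runs


def stale_auth_failures(lines, tolerance=TOLERANCE):
    """Lines inside stale runs that a tool like lfd would re-report as new failures."""
    hits = []
    for first, last in find_stale_runs(lines, tolerance):
        hits.extend(l for l in lines[first:last + 1] if "authentication failure" in l)
    return hits


if __name__ == "__main__":
    for first, last in find_stale_runs(SAMPLE_LOG):
        print(f"stale run: lines {first + 1}-{last + 1} "
              f"({SAMPLE_LOG[first][:15]} .. {SAMPLE_LOG[last][:15]})")
    print(len(stale_auth_failures(SAMPLE_LOG)), "auth failure(s) inside stale runs")
```

Run it against a real file with `find_stale_runs(open("/var/log/secure").read().splitlines())`; on the sample it reports one stale run (lines 3 to 6) containing two auth failures, which matches what the poster sees lfd alerting on. Because the detector keys on timestamp order rather than on message content, it also catches the stale "refused connect from" chunk mentioned later in the thread.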

rclemings

Well-Known Member
Nov 5, 2007
I've been seeing the same thing for more than a month. I first noticed it happening when I did a graceful server reboot after a WHM update, but lately it's been happening at random times.

I opened a ticket with my server provider, who opened a ticket with cPanel, who said "That seems to be an issue with syslog and not one that would be caused by cPanel or the basic configuration of the cPanel-bundled software."

The server provider then updated the system kernel (two days ago), and I haven't seen any stale pam_unix entries since then, but a little while ago I got a chunk of stale ssh "refused connect from" entries instead, along with a bunch of corresponding lfd reports.

FWIW I have two other cPanel servers at a different provider but haven't seen this problem there. All three run CentOS Linux release 7.4.1708 and cPanel v66.0.29 or v66.0.30.

At this point everybody seems mystified.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hi @ottdev,

Could you open a support ticket using the link in my signature so we can take a closer look and rule out any issues with the cPanel software itself?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

It looks like CentOS has already published the updated rsyslog RPM:

Code:
# rpm -q --changelog rsyslog-8.24.0-12.el7.x86_64|grep 1216957
  resolves: rhbz#1216957
Thank you.