Last reports root connections without ip
Hi,
today I've found these lines using last command:
....
root pts/0 85.my.off.ice Thu Feb 13 11:02 - 11:11 (00:09)
root pts/1 85.my.off.ice Thu Feb 13 11:10 - 11:17 (00:06)
root pts/0 85.my.off.ice Thu Feb 20 14:25 - 17:18 (02:52)
root pts/1 Thu Feb 20 17:06 - 17:06 (00:00)
root pts/0 Thu Feb 20 18:17 - 18:17 (00:00)
root pts/0 Thu Feb 20 19:13 - 19:13 (00:00)
root pts/0 Fri Feb 21 00:19 - 00:19 (00:00)
root pts/0 Mon Feb 24 18:17 - 18:17 (00:00)
root pts/0 Mon Feb 24 21:43 - 21:43 (00:00)
root pts/0 Tue Feb 25 00:19 - 00:19 (00:00)
....
It looks like root has been connected without ip and for zero seconds. Also the time of connection is really strange. So I checked secure and I found this:
root@host [~]# cat /var/log/secure-20140223 |grep atd
Feb 17 00:42:00 host atd[349]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 17 00:42:23 host atd[349]: pam_unix(atd:session): session closed for user root
Feb 18 00:42:00 host atd[13211]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 18 00:42:26 host atd[13211]: pam_unix(atd:session): session closed for user root
Feb 19 00:42:00 host atd[21953]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 19 00:42:22 host atd[21953]: pam_unix(atd:session): session closed for user root
Feb 20 00:42:00 host atd[3980]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 20 00:42:22 host atd[3980]: pam_unix(atd:session): session closed for user root
Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 21 00:42:19 host atd[19192]: pam_unix(atd:session): session closed for user root
Feb 22 00:42:00 host atd[25391]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 22 00:42:23 host atd[25391]: pam_unix(atd:session): session closed for user root
Feb 23 00:42:00 host atd[2208]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 23 00:42:23 host atd[2208]: pam_unix(atd:session): session closed for user root
Does anybody know what it could be? Thanks, Andrea
Hello :) The atd service is a task scheduling utility. cPanel uses it for launching the update-analysis process to validate the health of the system after updates. It's normal to see "root" logins from atd. Thank you.
Hi Michael, thanks for your explanation. What sounded strange to me was the fact that I've never seen it before 13/02/2014. Has something changed in cPanel since that date? Thanks
There are no changes regarding the ATD service that I am aware of unless you updated your version of cPanel from an outdated build. Thank you.
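As an added example (not part of the thread and not cPanel code), this Python script pairs the pam_unix "session opened" and "session closed" lines of a secure log by service and PID, so root sessions opened by atd can be listed apart from sshd ones and compared with the timestamps that last prints. The sample lines are constructed in the format quoted above; the sshd entries, the address 192.0.2.10, the `year` parameter and the `login_services` list are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the /var/log/secure format quoted in the thread.
# The sshd lines and the address 192.0.2.10 are invented for illustration.
SAMPLE = """\
Feb 20 00:42:00 host atd[3980]: pam_unix(atd:session): session opened for user root by (uid=0)
Feb 20 00:42:22 host atd[3980]: pam_unix(atd:session): session closed for user root
Feb 20 14:25:03 host sshd[4102]: Accepted password for root from 192.0.2.10 port 50514 ssh2
Feb 20 14:25:03 host sshd[4102]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 20 17:18:40 host sshd[4102]: pam_unix(sshd:session): session closed for user root
Feb 21 00:42:00 host atd[19192]: pam_unix(atd:session): session opened for user root by (uid=0)
"""

PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ [\w./-]+\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<svc>[\w.-]+):session\): "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def pam_sessions(text, year=2014):
    """Pair pam_unix session open/close lines by (service, pid, user).

    syslog timestamps carry no year, so the caller supplies one (assumption).
    'seconds' is None when no matching close line is present in the text.
    """
    pending, sessions = {}, []
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue  # not a PAM session event, e.g. sshd "Accepted ..." lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["svc"], int(m["pid"]), m["user"])
        if m["event"] == "opened":
            pending[key] = ts
        elif key in pending:
            start = pending.pop(key)
            sessions.append((start, *key, int((ts - start).total_seconds())))
    sessions += [(start, *key, None) for key, start in pending.items()]
    return sorted(sessions, key=lambda s: s[0])

def non_interactive(sessions, login_services=("sshd", "login", "su", "sudo")):
    """Sessions opened by services outside login_services (a hypothetical allowlist)."""
    return [s for s in sessions if s[1] not in login_services]

if __name__ == "__main__":
    for start, svc, pid, user, secs in pam_sessions(SAMPLE):
        print(f"{start:%b %d %H:%M:%S}  {svc:<5} pid={pid:<6} user={user}  seconds={secs}")
```

To run it against a real file, pass the file's contents to `pam_sessions()` with the year the log covers.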