
I have found some odd entries all of a sudden in my /var/log/auth.log files. They are showing up every 10-20 seconds or so. There isn't anything in cron that would do this, and I am at a loss as to where to look next.

Nov 17 02:21:06 centaur su[7498]: + ??? root:user1
Nov 17 02:21:06 centaur su[7498]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:06 centaur su[7498]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:22 centaur su[7560]: Successful su for user1 by root
Nov 17 02:21:22 centaur su[7560]: + ??? root:user1
Nov 17 02:21:22 centaur su[7560]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:22 centaur su[7560]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:22 centaur su[7572]: Successful su for user1 by root
Nov 17 02:21:22 centaur su[7572]: + ??? root:user1
Nov 17 02:21:22 centaur su[7572]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:22 centaur su[7572]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:38 centaur su[7635]: Successful su for user1 by root
Nov 17 02:21:38 centaur su[7635]: + ??? root:user1
Nov 17 02:21:38 centaur su[7635]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:38 centaur su[7635]: pam_unix(su:session): session closed for user user1
Nov 17 02:21:38 centaur su[7647]: Successful su for user1 by root
Nov 17 02:21:38 centaur su[7647]: + ??? root:user1
Nov 17 02:21:38 centaur su[7647]: pam_unix(su:session): session opened for user user1 by (uid=0)
Nov 17 02:21:38 centaur su[7647]: pam_unix(su:session): session closed for user user1

I was able to get information from top by using the following command, but it was less than helpful:

top -b -d 0.1 -n 11130 >> top-file

The result:

 6342 root      20   0 60928 1676 1260 S   0.0  0.1   0:00.00 su

Is there any way to get lsof to do something similar so I can figure out what exactly is going on? Or is there a better way to go about this?

I tried the following command for lsof, but it didn't seem to work how I needed it:

lsof +r 1 >> lsof-file

Thanks

lext01
  • I'm assuming you anonymized the username to `user1`, but does it ring any bells? Is it used by any daemons/services perhaps? – Oldskool Nov 17 '15 at 10:07
  • What's running on the server? Any monitoring service like nagios/zabbix? Eventually you can activate debugging on the pam_unix module inside `/etc/pam.d/system-auth` – stoned Nov 17 '15 at 10:37
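What the question is really after is the process that launches each transient su. One way to catch it is to poll /proc for su PIDs and walk their parent chain, which top and lsof do not show. The script below is an added example, not code from the original post; it assumes a Linux host with /proc mounted and pgrep available.

```shell
#!/bin/sh
# Added example, not from the original post: find what spawns the short-lived
# "su" processes by recording each one's parent chain from /proc (Linux only).

# Parent PID of a process, read from /proc/<pid>/status (safer than parsing
# /proc/<pid>/stat, where a command name containing spaces shifts the fields).
ppid_of() {
    awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null || true
}

# Command line of a process with NULs turned into spaces; falls back to the
# "comm" name for kernel threads, whose cmdline is empty.
cmdline_of() {
    c=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || true)
    if [ -n "$c" ]; then printf '%s\n' "$c"; else cat "/proc/$1/comm" 2>/dev/null || true; fi
}

# Print "pid<TAB>cmdline" for a process and every ancestor up to PID 1 (or
# until a parent has already exited), one per line, child first.
ancestry() {
    p=$1
    while [ -n "$p" ] && [ "$p" -gt 0 ] 2>/dev/null; do
        printf '%s\t%s\n' "$p" "$(cmdline_of "$p")"
        [ "$p" -eq 1 ] && break
        p=$(ppid_of "$p")
    done
}

# Poll for su processes (pgrep -x matches the exact command name) and log the
# ancestry of each new PID once; the caller is normally one or two levels up.
watch_su() {
    seen=""
    while :; do
        for pid in $(pgrep -x su); do
            case " $seen " in *" $pid "*) continue ;; esac
            seen="$seen $pid"
            printf '=== %s su[%s]\n' "$(date '+%H:%M:%S')" "$pid"
            ancestry "$pid"
        done
        sleep 0.2   # each su here lives well under a second, so poll faster than that
    done
}

if [ "$1" = "watch" ]; then watch_su; fi
```

Run it as root with the argument `watch` while the entries are appearing. If polling still misses the short-lived processes, an auditd rule on execve of the su binary or a BPF tool such as execsnoop records the parent PID of every exec without polling.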
