Stale repeating log entries in /var/log/secure
#1
Server has unexplained entries in /var/log/secure.
It looks like on a weekly basis, PAST entries for pam_unix and unix_chkpwd get dumped into the /var/log/secure file.

See below: after the first 2 proper entries, some old items are dumped in:

[root@to jon9n7]# cat /var/log/secure
Nov 13 05:21:14 to atd[30306]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 02:35:23 to sshd[1308]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 23 06:51:16 to su: pam_unix(su:session): session closed for user root
Sep 23 15:57:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 24 01:06:20 to su: pam_unix(su:session): session closed for user root
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Sep 24 10:40:53 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 27 13:48:36 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 28 00:16:01 to unix_chkpwd[28]: check pass; user unknown
Sep 28 00:16:09 to unix_chkpwd[29]: check pass; user unknown
[[ BUNCH MORE REMOVED ]]
Nov 7 23:29:08 to su: pam_unix(su:session): session closed for user root
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 8 20:14:15 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Nov 9 03:11:21 to su: pam_unix(su:session): session closed for user root
Nov 12 16:24:33 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Nov 14 02:35:23 to su: pam_unix(su:session): session closed for user root
Nov 14 05:21:16 to atd[17367]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 12:57:12 to sshd[1050]: Accepted password for jon9n7 from xx.xx.xx.xx port 9999 ssh2
Nov 14 12:57:12 to sshd[1050]: pam_unix(sshd:session): session opened for user jon9n7 by (uid=0)
A chunk of entries beginning with "Sep 23" was repeatedly inserted on Oct 18, Oct 19, Oct 19, Oct 21, Oct 21, Oct 27, Nov 4, Nov 14. The "chunk" is growing as more entries accumulate in whatever log they originally came from. The dates and times are not consistent, so they don't appear to be related to any cron. At this point, we know it was sometime after 2:35am and before 4:00am.

lfd detects these entries when it runs and sends a "su login failed" email for each auth failure in the chunk, though they aren't "new" activity. The question is how/why are these past entries being randomly copied to the /var/log/secure?




Regards,
Vamsi D
Medha Hosting
Cheap dedicated servers & Linux VPS Hosting
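
An added example, not part of the original post: a Python sketch that flags runs of entries whose timestamps fall behind the newest entry already seen in a syslog-style file, which is the pattern described above, and counts the auth failures a log watcher such as lfd would alert on again. The sample is a shortened copy of the excerpt from the post; the function names, the 5-minute tolerance and the fixed year are assumptions (syslog timestamps carry no year, so a Dec-to-Jan rollover would also be flagged).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a shortened copy of the excerpt in the post.
SAMPLE = """\
Nov 13 05:21:14 to atd[30306]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 02:35:23 to sshd[1308]: pam_unix(sshd:session): session closed for user jon9n7
Sep 23 02:43:18 to su: pam_unix(su:session): session opened for user root by jon9n7(uid=1001)
Sep 23 06:51:16 to su: pam_unix(su:session): session closed for user root
Sep 24 10:40:41 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 8 20:07:24 to su: pam_unix(su:auth): authentication failure; logname=jon9n7 uid=1001 euid=0 tty=pts/0 ruser=jon9n7 rhost= user=root
Nov 14 02:35:23 to su: pam_unix(su:session): session closed for user root
Nov 14 05:21:16 to atd[17367]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 14 12:57:12 to sshd[1050]: pam_unix(sshd:session): session opened for user jon9n7 by (uid=0)
"""

TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s")

def parse_ts(line, year=2000):
    """Parse the year-less syslog timestamp; the year is an assumption."""
    m = TS.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")

def find_stale_chunks(text, tolerance=timedelta(minutes=5), year=2000):
    """Group consecutive lines that are older than the newest entry seen so far."""
    chunks, current, newest = [], None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        ts = parse_ts(line, year)
        if ts is None:
            continue  # not a syslog line; skip without changing state
        if newest is not None and ts < newest - tolerance:
            if current is None:  # first out-of-order line starts a new chunk
                current = {"first_line": lineno, "oldest": ts, "auth_failures": 0}
                chunks.append(current)
            current["last_line"] = lineno
            current["oldest"] = min(current["oldest"], ts)
            # Each of these is an entry a log watcher would alert on again.
            current["auth_failures"] += int("authentication failure" in line)
        else:
            current = None
            newest = ts if newest is None else max(newest, ts)
    return chunks

if __name__ == "__main__":
    for c in find_stale_chunks(SAMPLE):
        print(f"lines {c['first_line']}-{c['last_line']}: entries back to "
              f"{c['oldest']:%b %d %H:%M:%S}, {c['auth_failures']} auth failure(s)")
```

An entry whose timestamp equals the newest one seen (the second `Nov 14 02:35:23` line in the sample) is not flagged, so the reported range marks where the out-of-order run is unambiguous rather than its exact end.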