multiple root to user sessions opened showing in logwatch? process or hacked?

roly (Verified User, joined Nov 9, 2006, 192 messages)
hi

my logwatch is showing lots of sessions being opened by root for all the users on the server. an example of my logwatch is:

--------------------- pam_unix Begin ------------------------

su-l:
Sessions Opened:
root -> userA: 255 Time(s)
root -> userB: 136 Time(s)
root -> userC: 75 Time(s)
root -> userD: 75 Time(s)
root -> userE: 30 Time(s)


---------------------- pam_unix End -------------------------

in my security log it's showing lots of these lines:

-------------------------------------------
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session opened for user admin by (uid=0)
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session closed for user admin
-----------------------------------------------------------------
this only started showing up in my logwatch last tuesday 14 february. i've not seen it before but coincidentally this would have been around the time i updated directadmin with custombuild i think.

is this just a process on the server running under root doing this that is suddenly being logged in logwatch or is this potentially something suspicious and someone has root access?

any advice gratefully appreciated!

regards

roly
Hello,

First of all you should check your server for malware. Do you allow your users to access your server via SSH? If yes, you might consider disabling SSH access for them. If you don't provide your users with SSH access, then you might need to disable potentially dangerous functions in PHP, as it might be that you've got PHP malware and/or PHP-backdoors through which they try to gain root access.

Secondly, allow "su -" only for users in group "wheel". Add your user in "wheel" group first. On debian you need to create the group.

Feel free to contact me or other guys here on the forums for a private help.
 
hi alex

thanks for the advice, it's appreciated. i've done what you suggest regarding disabling dangerous php functions. i've also done some server hardening suggested by directadmin and lynis that i downloaded and was very helpful. i've run chkrootkit and rkhunter but it can only check for known rootkits, it can't compare my files for alterations as i have only just installed them. however csf hasn't notified me of any modifications of system files.

i found an out of date php script and i'm wondering if they got in there. that has been updated now.

so i will have a look tonight and see if i am still getting the same issues.

have you got any suggestions for a script that can scan php files for added malware i can find them for wordpress but i want it for normal php pages?

anyway thanks again
 
thanks richard that's just what i'm looking for. i'm running a scan at the moment. all of the commands:

Feb 20 00:12:41 srv su: pam_unix(su-l:session): session opened for user admin by (uid=0)
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session closed for user admin

are automated and come in quick succession for every user on the server. they come just after midnight at the same time every day. i'm still unsure if this could be some process, for example something like logrotate. could this be possible that a root process would change to a user and that this would be logged in logwatch?
 
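The question above (scheduled job or a person with root?) can be answered from the secure log itself rather than from the logwatch totals, because the raw pam_unix lines carry two things logwatch throws away: the caller (`by (uid=0)` with no login name is how a cron or daemon-driven `su -l user` looks, whereas an interactive su shows `by somebody(uid=NNNN)`) and the exact timestamps, which reveal whether the sessions come in one tight burst at the same minute every night. The script below is an added example, not part of the thread or of DirectAdmin; the log lines in `SAMPLE_LOG` are constructed to match the format roly posted, and the year 2012 is an assumption because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Triage pam_unix su-l "session opened" lines from /var/log/secure.

Groups root-initiated su sessions into bursts and reports the wall-clock
minutes at which a multi-user burst recurs on several days (the signature
of a nightly job such as a stats run), and lists separately every session
that was started by a named login or a non-root uid, which is the set worth
reviewing by hand.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, patterned after the lines quoted in the thread.
# Two nights of a root sweep over all users, one lone root su in the
# afternoon, and one interactive su by a normal login.
SAMPLE_LOG = """\
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session opened for user admin by (uid=0)
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session closed for user admin
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session opened for user userA by (uid=0)
Feb 20 00:12:42 srv su: pam_unix(su-l:session): session opened for user userB by (uid=0)
Feb 20 15:37:09 srv su: pam_unix(su-l:session): session opened for user userA by (uid=0)
Feb 21 00:12:40 srv su: pam_unix(su-l:session): session opened for user admin by (uid=0)
Feb 21 00:12:40 srv su: pam_unix(su-l:session): session opened for user userA by (uid=0)
Feb 21 00:12:41 srv su: pam_unix(su-l:session): session opened for user userB by (uid=0)
Feb 21 03:05:12 srv su: pam_unix(su-l:session): session opened for user userC by roly(uid=1000)
"""

# Only "session opened" lines are parsed; the matching "session closed"
# lines add nothing for this purpose. `by` is empty when su was run from a
# non-login context (cron, daemon), otherwise it holds the login name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su: "
    r"pam_unix\(su-l:session\): session opened for user (?P<user>\S+) "
    r"by (?P<by>\S*)\(uid=(?P<uid>\d+)\)$"
)


def parse_sessions(log_text, year=2012):
    """Return one dict per 'session opened' line. The year is assumed
    because syslog timestamps omit it (2012 matches the thread's dates)."""
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions.append({"ts": ts, "user": m["user"],
                         "by": m["by"], "uid": int(m["uid"])})
    return sessions


def root_bursts(sessions, window=60):
    """Group sessions started by uid 0 with no login name into bursts whose
    consecutive entries are at most `window` seconds apart."""
    bursts = []
    for s in sorted(sessions, key=lambda s: s["ts"]):
        if s["uid"] != 0 or s["by"]:
            continue  # not a root non-login su; handled by interactive_su()
        if bursts and (s["ts"] - bursts[-1]["last"]).total_seconds() <= window:
            bursts[-1]["users"].append(s["user"])
            bursts[-1]["last"] = s["ts"]
        else:
            bursts.append({"start": s["ts"], "last": s["ts"], "users": [s["user"]]})
    return bursts


def recurring_minutes(bursts, min_days=2, min_users=2):
    """HH:MM at which a burst covering >= min_users users starts on at
    least min_days distinct days: the fingerprint of a scheduled job."""
    days_by_minute = defaultdict(set)
    for b in bursts:
        if len(set(b["users"])) >= min_users:
            days_by_minute[b["start"].strftime("%H:%M")].add(b["start"].date())
    return {m for m, days in days_by_minute.items() if len(days) >= min_days}


def interactive_su(sessions):
    """Sessions with a named caller or a non-root uid: review these by hand."""
    return [s for s in sessions if s["uid"] != 0 or s["by"]]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for b in root_bursts(sess):
        print(b["start"], "root ->", ", ".join(b["users"]))
    print("recurring at:", sorted(recurring_minutes(root_bursts(sess))))
    for s in interactive_su(sess):
        print("manual review:", s["ts"], s["by"], "->", s["user"])
```

On a real box, feed it `open("/var/log/secure").read()` (or `/var/log/auth.log` on Debian) in place of `SAMPLE_LOG`. A recurring minute with one session per account, all `by (uid=0)`, points at a cron or daemon task; what deserves attention is anything `interactive_su()` returns, or a root burst at a time that does not recur, since that is where a stolen root shell would show up rather than in the nightly sweep.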
@roly, I don't think you need to worry about this. I think it is related to the new conversion done by DirectAdmin when generating stats by AWstats. Please see this changelog entry: https://www.directadmin.com/features.php?id=1921

Quote:
Code:
Then the tricky part, handled by DA is to delete the root owned files (awstats.old), which requires root access.
DA does this very carefully, this is the task.queue command used to do it:
echo "action=delete&value=secure_disposal&user=${USER}&path=${STATS_DIR}.old" >> /usr/local/directadmin/data/task.queue

Also you could post question here to have it confirmed: http://forum.directadmin.com/showthread.php?t=54397 or maybe better ask DirectAdmin support at https://tickets.directadmin.com/
 
thanks ditto!

i was just editing my post as i did a search for changed files and at around that time the htaccess files on the awstats folders had been modified at the exact time. so i figured it may have something to do with awstats. what a relief, however the plus point is my server is now much more secure with all the hardening i have undertaken. thanks to you and the others for your help!
 