Entries in auth.log

Discussion in 'General' started by Clouseau, Jan 7, 2015.

  1. Clouseau

    Clouseau Member

    I just got an alert from OSSEC and I thought my web and possibly my server got hacked, damn, and it was like one day in production.
    Jan 7 00:30:01 sudo: root : TTY=unknown ; PWD=/var/www/clients/client1/web3 ; USER=web3 ; COMMAND=/usr/bin/find . -group client1 -print
    Jan 7 00:30:01 sudo: pam_unix(sudo:session): session opened for user web3 by (uid=0)
    Jan 7 00:30:01 sudo: pam_unix(sudo:session): session closed for user web3
    Jan 7 00:30:02 sshd[4893]: Connection closed by 127.0.0.1 [preauth]
    Jan 7 00:30:03 sudo: root : TTY=unknown ; PWD=/var/www/clients/client1/web3 ; USER=web3 ; COMMAND=/usr/bin/find . -user www-data -print
    Jan 7 00:30:03 sudo: pam_unix(sudo:session): session opened for user web3 by (uid=0)
    Jan 7 00:30:03 sudo: pam_unix(sudo:session): session closed for user web3
    Jan 7 00:30:03 sudo: root : TTY=unknown ; PWD=/var/www/clients/client2/web5 ; USER=web5 ; COMMAND=/usr/bin/find . -group client2 -print
    Jan 7 00:30:03 sudo: pam_unix(sudo:session): session opened for user web5 by (uid=0)
    Jan 7 00:30:03 sudo: pam_unix(sudo:session): session closed for user web5
    Jan 7 00:30:03 sudo: root : TTY=unknown ; PWD=/var/www/clients/client2/web5 ; USER=web5 ; COMMAND=/usr/bin/find . -user www-data -print

    Just to realize 10 min later that it was a cron job of ISPConfig... Huh. Btw., what is the above used for? So I probably can't uninstall sudo on an ISPConfig server?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Cleanup of PHP session files.

    No. Sudo is important for security as it allows ISPConfig to run programs with lower permissions than root. In the case above, ISPConfig runs the cleanup as the web user or www-data user and not as root; this ensures that no wrong files can be deleted accidentally, even if the client somehow managed to get a hard or soft link to system files.
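The hard/soft link hazard till describes, as an added example that is not ISPConfig's own cron code and not a substitute for running the job as the web user (that is the kernel-enforced layer): a session cleanup routine that inspects every entry with lstat, never follows symlinks, refuses hardlinked files, and checks that the resolved path stays under the session directory and is owned by the expected uid. The directory layout, file names and helper names (`is_safe_to_delete`, `cleanup_sessions`, `run_demo`) are constructed for the demo; it assumes a POSIX system (`os.getuid`, `os.link`).

```python
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed example: application-level checks for a PHP-session-style cleanup.
# Hypothetical helper names; this is not ISPConfig's own cleanup script.


def is_safe_to_delete(root: Path, path: Path, expected_uid: Optional[int] = None):
    """Decide whether `path` under `root` is a plain file we may unlink.

    Returns (ok, reason). lstat inspects the entry itself, so a symlink is
    examined rather than followed.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"              # could point at a system file
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_nlink > 1:
        return False, "hardlinked"           # shares its inode with a file elsewhere
    # A symlinked parent directory would make the resolved path escape `root`.
    if not path.resolve().is_relative_to(root.resolve()):
        return False, "outside root"
    if expected_uid is not None and st.st_uid != expected_uid:
        return False, "unexpected owner"
    return True, "ok"


def cleanup_sessions(root, max_age: float, expected_uid: Optional[int] = None, now=None):
    """Walk `root` without following symlinks and unlink stale files that pass the checks.

    Returns (deleted, skipped): deleted is a list of paths, skipped maps path -> reason.
    """
    root = Path(root)
    now = time.time() if now is None else now
    deleted, skipped = [], {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames:
            d = Path(dirpath) / name
            if os.path.islink(d):            # os.walk will not descend into it, but record it
                skipped[str(d)] = "symlink to directory"
        for name in filenames:
            p = Path(dirpath) / name
            ok, reason = is_safe_to_delete(root, p, expected_uid)
            if not ok:
                skipped[str(p)] = reason
                continue
            if now - os.lstat(p).st_mtime < max_age:
                skipped[str(p)] = "fresh"
                continue
            os.unlink(p)
            deleted.append(str(p))
    return deleted, skipped


def run_demo():
    """Constructed scenario: one stale session, one fresh one, and two planted links
    to a file outside the session directory. Returns what happened to each name."""
    base = Path(tempfile.mkdtemp(prefix="ispc-demo-"))
    sessions = base / "sessions"
    sessions.mkdir()
    # Stand-in for a system file the client must never be able to affect.
    outside = base / "etc_passwd_stand_in"
    outside.write_text("root:x:0:0:root:/root:/bin/bash\n")
    old = time.time() - 2 * 86400
    stale = sessions / "sess_old"
    stale.write_text("a|i:1;")
    os.utime(stale, (old, old))
    (sessions / "sess_fresh").write_text("a|i:2;")
    os.symlink(outside, sessions / "sess_symlink")        # planted soft link
    os.link(outside, sessions / "sess_hardlink")          # planted hard link
    os.utime(sessions / "sess_hardlink", (old, old))      # same inode as `outside`, so it looks stale
    deleted, skipped = cleanup_sessions(sessions, max_age=86400, expected_uid=os.getuid())
    return {
        "deleted": sorted(os.path.basename(p) for p in deleted),
        "skipped": {os.path.basename(p): r for p, r in skipped.items()},
        "outside_intact": outside.read_text().startswith("root:x:0:0"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Unlinking a symlink or a hard link removes only that directory entry, never the target, so the checks above matter most when the cleanup does anything that follows the path (truncating, chmod, `find -L`, or `os.walk(followlinks=True)`). Running the job as the web user, as ISPConfig does, adds the kernel's own permission check underneath these application-level ones.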
     
  3. Clouseau

    Clouseau Member

    Got it. Thanks :)
     
