Hi Javier,

Thanks for your message. I've run rkhunter on my computer, and it seems like I have a few rootkits in it.
So, feel free to close the bug.

On Mon, Mar 29, 2010 at 12:28 PM, Javier Fernandez-Sanguino <j...@computer.org> wrote:

> That logging appears because those users have set up cron jobs and an
> entry is generated every time a job is started. This is fixed in sid
> (by not using pam's session-interactive) but does not mean you have
> been hacked through cron.
>
> Regards
>
> Javier
>
> 2010/3/29, Oz Nahum <nahu...@gmail.com>:
> > Package: cron
> > Version: 3.0pl1-106
> > Justification: root security hole
> > Severity: critical
> > Tags: security
> >
> > Hi Guys,
> >
> > I am by no means a security expert.
> > I noticed my server was breached and multiple accounts on it have been
> > logging via cron over and over again.
> >
> > From the auth log:
> > Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened for user arun by (uid=0)
> > Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed for user michael
> > Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed for user arun
> > Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened for user arun by (uid=0)
> > Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened for user michael by (uid=0)
> > Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed for user michael
> > Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed for user arun
> > Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session opened for user michael by (uid=0)
> > Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session opened for user arun by (uid=0)
> > Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session closed for user michael
> > Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session closed for user arun
> >
> > As soon as I removed cron, these session openings were stopped.
> >
> > I removed cron with the --purge flag, and manually erased everything in the
> > /etc/ directory which related to cron.
> > I then restarted the computer,
> >
> > However, as soon as I re-installed cron, these session openings via uid=0
> > started again.
> >
> > There is a high possibility I'm wrong, and this is not related to cron, so
> > feel free to downgrade this bug.
> >
> > Thanks Oz.
> >
> > -- System Information:
> > Debian Release: squeeze/sid
> >   APT prefers testing
> >   APT policy: (990, 'testing'), (700, 'stable')
> > Architecture: i386 (i686)
> >
> > Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> >
> > Versions of packages cron depends on:
> > ii  adduser         3.112      add and remove users and groups
> > ii  debianutils     3.2.2      Miscellaneous utilities specific t
> > ii  libc6           2.10.2-6   Embedded GNU C Library: Shared lib
> > ii  libpam0g        1.1.1-2    Pluggable Authentication Modules l
> > ii  libselinux1     2.0.89-4   SELinux runtime shared libraries
> > ii  lsb-base        3.2-23     Linux Standard Base 3.2 init scrip
> >
> > Versions of packages cron recommends:
> > pn  exim4 | postfix | mail-transp  <none>  (no description available)
> > ii  lockfile-progs  0.1.13     Programs for locking and unlocking
> >
> > Versions of packages cron suggests:
> > ii  anacron         2.3-14     cron-like program that doesn't go
> > ii  checksecurity   2.0.13     basic system security checks
> > ii  logrotate       3.7.8-4    Log rotation utility
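
A way to check the pattern Javier describes, as an added example that is not part of the original thread: this Python sketch pairs the `pam_unix(cron:session)` open/close lines by PID and flags any session that was not opened by uid 0 or did not start near the top of a minute. The log lines come from the report; the function name `triage` and the 5-second window are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Lines from the auth log quoted in the report, wrapped lines rejoined.
SAMPLE = """\
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed for user michael
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed for user arun
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed for user michael
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed for user arun
"""

LINE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:(?P<sec>\d\d)\s+\S+\s+CRON\[(?P<pid>\d+)\]:\s+"
    r"pam_unix\(cron:session\):\s+session (?P<ev>opened|closed) for user (?P<user>\S+)"
    r"(?:\s+by\s+\S*\(uid=(?P<by>\d+)\))?"
)
MAX_START_SECOND = 5  # assumption: cron launches jobs within seconds of the minute

def triage(text):
    """Count paired/unpaired cron sessions per user; collect opens that look unusual."""
    stats = defaultdict(lambda: {"paired": 0, "close_only": 0, "still_open": 0})
    open_pids = {}  # pid -> user for sessions opened but not yet closed
    flagged = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a cron PAM session line
        user, pid = m["user"], m["pid"]
        if m["ev"] == "opened":
            open_pids[pid] = user
            # The cron daemon runs as root and starts jobs on the minute.
            if m["by"] != "0" or int(m["sec"]) > MAX_START_SECOND:
                flagged.append(line)
        elif open_pids.get(pid) == user:
            del open_pids[pid]
            stats[user]["paired"] += 1
        else:
            stats[user]["close_only"] += 1  # open happened before the excerpt
    for user in open_pids.values():
        stats[user]["still_open"] += 1
    return dict(stats), flagged

if __name__ == "__main__":
    per_user, flagged = triage(SAMPLE)
    print(per_user)
    print("flagged:", flagged or "none")
```

Users that show up here should each have a crontab entry that explains the frequency (`crontab -l -u <user>` as root); a user with sessions but no crontab, or any flagged line, is what deserves a closer look.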