That logging appears because those users have set up cron jobs and an entry is generated every time a job is started. This is fixed in sid (by not using pam's session-interactive) but does not mean you have been hacked through cron.
Regards
Javier

2010/3/29, Oz Nahum <nahu...@gmail.com>:
> Package: cron
> Version: 3.0pl1-106
> Justification: root security hole
> Severity: critical
> Tags: security
>
> Hi Guys,
>
> I am by no means a security expert.
> I noticed my server was breached and multiple accounts on it have been
> logging via cron over and over again.
>
> From the auth log:
> Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened
> for user arun by (uid=0)
> Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed
> for user michael
> Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed
> for user arun
> Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened
> for user arun by (uid=0)
> Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened
> for user michael by (uid=0)
> Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed
> for user michael
> Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed
> for user arun
> Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session opened
> for user michael by (uid=0)
> Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session opened
> for user arun by (uid=0)
> Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session closed
> for user michael
> Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session closed
> for user arun
>
> as soon as I removed cron, these session openings were stopped.
>
> I removed cron with the --purge flag, and manually erased everything in the
> /etc/ directory which related to cron.
> I then restarted the computer,
>
> However, as soon as I re-installed cron, these session openings via uid=0
> started again.
>
> There is a high possibility I'm wrong, and this is not related to cron, so
> feel free to downgrade this bug.
>
> Thanks Oz.
>
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (700, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages cron depends on:
> ii  adduser         3.112     add and remove users and groups
> ii  debianutils     3.2.2     Miscellaneous utilities specific t
> ii  libc6           2.10.2-6  Embedded GNU C Library: Shared lib
> ii  libpam0g        1.1.1-2   Pluggable Authentication Modules l
> ii  libselinux1     2.0.89-4  SELinux runtime shared libraries
> ii  lsb-base        3.2-23    Linux Standard Base 3.2 init scrip
>
> Versions of packages cron recommends:
> pn  exim4 | postfix | mail-transp  <none>  (no description available)
> ii  lockfile-progs  0.1.13    Programs for locking and unlocking
>
> Versions of packages cron suggests:
> ii  anacron         2.3-14    cron-like program that doesn't go
> ii  checksecurity   2.0.13    basic system security checks
> ii  logrotate       3.7.8-4   Log rotation utility
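
A way to triage auth.log entries like the ones in this thread, as an added example that is not part of the original messages: it pairs each cron PAM session open with its close by PID and lists users who received cron sessions without a known crontab. The function names and the `crontab_owners` set (users the administrator knows to have cron jobs) are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the report quoted above (first two minutes of the excerpt).
SAMPLE = """\
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed for user michael
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed for user arun
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed for user michael
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed for user arun
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) \S+ CRON\[(?P<pid>\d+)\]: "
    r"pam_unix\(cron:session\): session (?P<event>opened|closed) "
    r"for user (?P<user>\S+)(?: by \(uid=(?P<by>\d+)\))?"
)

def summarize(text):
    """Pair cron session open/close events by (PID, user); return per-user stats."""
    pending = set()  # (pid, user) sessions opened but not yet closed
    stats = defaultdict(lambda: {"opened": 0, "paired": 0, "orphan_closes": 0,
                                 "opener_uids": set(), "start_seconds": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a cron PAM session line
        key, s = (m["pid"], m["user"]), stats[m["user"]]
        if m["event"] == "opened":
            pending.add(key)
            s["opened"] += 1
            s["opener_uids"].add(m["by"])
            s["start_seconds"].add(m["time"][-2:])
        elif key in pending:
            pending.remove(key)
            s["paired"] += 1
        else:
            s["orphan_closes"] += 1  # open happened before the excerpt began
    return dict(stats)

def users_without_crontab(stats, crontab_owners):
    """Users with cron sessions who are not in the admin-supplied (assumed) owner set."""
    return sorted(set(stats) - set(crontab_owners))

if __name__ == "__main__":
    for user, s in sorted(summarize(SAMPLE).items()):
        print(user, s)
```

Jobs in system-wide crontabs also run as named users, so a name returned by `users_without_crontab` is a prompt to look at those files as well, not a finding by itself.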