Are these log entries normal?

Question

I have noticed high CPU usage, and noticed that user dinko had high CPU usage with the sshd process when I typed top.

User dinko was just some random user that I created and had a Ruby application running.

I have immediateley deleted that user and rebooted the server. Now it's fine, but I'm wondering if there's anything suspicious in this auth.log?

Feb 22 10:43:07 host1 su[11859]: Successful su for host1 by root
Feb 22 10:43:07 host1 su[11859]: + ??? root:host1
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session closed for user host1
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:44:53 host1 sshd[20291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:01 host1 CRON[21063]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:45:01 host1 su[21144]: Successful su for postgres by root
Feb 22 10:45:01 host1 su[21144]: + ??? root:postgres
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session closed for user postgres
Feb 22 10:45:02 host1 CRON[21063]: pam_unix(cron:session): session closed for user root
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:04 host1 sshd[20291]: error: maximum authentication attempts exceeded for root from 84.209.49.43 port 53108 ssh2 [preauth]
Feb 22 10:45:04 host1 sshd[20291]: Disconnecting: Too many authentication failures for root [preauth]
Feb 22 10:45:04 host1 sshd[20291]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no  user=root
Feb 22 10:45:04 host1 sshd[20291]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 22 10:45:06 host1 sshd[16407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:45:13 host1 sshd[16407]: Received disconnect from 116.31.116.49: 11:  [preauth]
Feb 22 10:45:13 host1 sshd[16407]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:46:37 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:46:37 host1 saslauthd[1891]: do_auth         : auth failure: [user=info@brilliantstonegroup.com] [service=smtp] [realm=brilliantstonegroup.com] [mech=pam] [reason=PAM auth error]
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:47:38 host1 sshd[32484]: Received disconnect from 221.194.47.249: 11:  [preauth]
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:05 host1 su[3582]: + ??? root:projectslcp
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:48:06 host1 su[3588]: Successful su for host1 by root
Feb 22 10:48:06 host1 su[3588]: + ??? root:host1
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session closed for user host1
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:48:14 host1 saslauthd[1887]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:48:14 host1 saslauthd[1887]: do_auth         : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 CRON[12776]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 su[12875]: Successful su for postgres by root
Feb 22 10:50:01 host1 su[12875]: + ??? root:postgres
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session closed for user postgres
Feb 22 10:50:02 host1 CRON[12776]: pam_unix(cron:session): session closed for user root
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:07 host1 su[27944]: Successful su for projectslcp by root
Feb 22 10:53:07 host1 su[27944]: + ??? root:projectslcp
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:53:07 host1 su[27951]: Successful su for host1 by root
Feb 22 10:53:07 host1 su[27951]: + ??? root:host1
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session closed for user host1
Feb 22 10:53:40 host1 sshd[24692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2
Feb 22 10:53:47 host1 sshd[24692]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 46022 ssh2]
Feb 22 10:53:47 host1 sshd[24692]: Received disconnect from 116.31.116.49: 11:  [preauth]
Feb 22 10:53:47 host1 sshd[24692]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49  user=root
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:01 host1 CRON[4705]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:02 host1 su[4849]: Successful su for postgres by root
Feb 22 10:55:02 host1 su[4849]: + ??? root:postgres
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session closed for user postgres
Feb 22 10:55:02 host1 CRON[4705]: pam_unix(cron:session): session closed for user root
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Feb 22 10:55:28 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:55:28 host1 saslauthd[1891]: do_auth         : auth failure: [user=float] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:06 host1 su[19730]: Successful su for projectslcp by root
Feb 22 10:58:06 host1 su[19730]: + ??? root:projectslcp
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root
Feb 22 10:58:06 host1 su[19738]: + ??? root:host1
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session closed for user host1
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session closed for user dinko
Feb 22 11:00:01 host1 CRON[28995]: pam_unix(cron:session): session opened for user root by (uid=0)

score 3 · Answer 1 · edited Mar 14 '17 at 14:49

su and cron made up 73% of your log. And no success of the ssh connection.

su messages mean running cron job only. And cron doing just cron job. So, i think they are normal. If you still think they are suspicious, check out the cron job.

Refer to:

http://www.linuxquestions.org/questions/linux-security-4/su%5B6096%5D-root-nobody-461735/

https://drive.google.com/file/d/0B7ATpknBcvVQZ2tOdmpERUFMeDQ/view?usp=sharing

score 1 · Answer 2 · edited Apr 13 '17 at 12:22

1

I cant see anything that suggests a break in, for any machine connected to the internet there will be entries like this:

Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2

Because there are bots just looking for default user+password combinations.

The entries similar to this:

Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root

Happen whenever you log in, that includes switching to another user, in this specific case your user "root" becomes the user "host1". You may read more about this type of entries in this askubuntu question.

The mitigation techniques I posted here are also valid to harden your SSH server

edited Apr 13 '17 at 12:22

Community

1

answered Feb 23 '17 at 10:15

Purefan

3,560
19
26

I was not connected at that time as root, and was not doing sudo... – Aleksandar Pavić Feb 23 '17 at 17:08
different programs can run as sudo anyways, I suggest you read about /etc/rc.local – Purefan Feb 23 '17 at 17:11

iwaseatenbyagrue · Answer 3 · 2017-03-14T11:04:39.733

The non-CRON events are showing that you are seeing some brute-force login attempts (to SSH and it seems SMTP), but the other activity all looks to be 'fine' - and most likely automated/scripted.

Most of the su activity is from root to a lesser privileged account (i.e. postgres, host1) - this doesn't necessarily prove anything, but it would be unusual for an attacker to gain root, and then seek to use less privileged accounts. But unusual is not the same as impossible - it just seems like a strange way to go if you were looking to compromise a host.

You may want (as has been suggested by @Purefan) to harden your config a bit (disable root logins, use public key in place of (or as well as) passwords), and you may want to put some auditd rules in place to try and provide more insight into the activities you are concerned about. fail2ban may also be worth adding to your server.

On the face of it, other than tightening the server's security, I don't think I see anything that would warrant serious concern.

That being said - if you have the possibility to re-image your host, then I would see no reason not to, if only to try and gain some you peace of mind. There may be other log samples that would show something more concerning (and indeed, more concerning things may have happened without leaving much trace).

Are these log entries normal?

3 Answers3