Logwatch Interpret PAM_pwdb

I would like to ask for confirmation whether the Opened Sessions for Service SU below mean the users were able to su to root, or whether these are just failed attempts. Also, is the Service FTP entry a successful login or a failed attempt?

If Service SU was just a failed attempt, I would like to ask whether the mentioned users were able to log in via ssh, because I did not see in the logs that they were able to log on.

Thanks

--------------------- PAM_pwdb Begin ------------------------

Opened Sessions:
   Service: su
      User xuser - 4 Time(s)
      User admin - 24 Time(s)
   Service: ftp
      User admin - 55 Time(s)

 ---------------------- PAM_pwdb End -------------------------
charlzmikeAsked:

decoleurCommented:
all of those are successful sessions.

you need to get logwatch to also display pam_unix to see sshd sessions opened, invalid users attempting to log in and authentication errors.

HTH

-t
charlzmikeAuthor Commented:
I already checked pam_unix to see the sshd sessions opened, but the users mentioned in Opened Sessions Service SU: are not in the sshd opened sessions nor in the failed attempts. Is it possible that these sessions are from other services like ftps or a logon from control panels? I'm a little confused about the Opened Sessions Service SU: is it possible to do SU when they did not even use sshd, since telnet is blocked?

Thanks
decoleurCommented:
yes, if they have a shell they can su to root.

what services are you running on this system?

look at ftp access logs, it is possible to get to a shell from a unix ftp client.

also it is possible to get shell access from other apps like vi.

also you should be able to go into /var/log and grep for jack and see what files he shows up in.

you probably want to copy all of your log files to a new location so they are not rotated on you.

HTH

-t
charlzmikeAuthor Commented:
We are running ftp, web and dns. Should a successful SU look like this?
SU Sessions:
sampleuser (uid=71) -> john - 1 Time(s)
sampleuser2 (uid=0) -> root - 3 Time(s)

because in our case that doesn't appear, only the open session below; also xuser doesn't have sshd access.

sorry for the headache I'm giving you; any good advice from you on how to solve this is really much appreciated. The said xuser has an account for xuser@domain.com, but xuser alone doesn't appear in the user list...

Jul  4 05:45:44 dxb PAM_pwdb[14766]: (su) session opened for user xuser by (uid=0)
Jul  4 05:45:46 dxb PAM_pwdb[14766]: (su) session closed for user xuser
Jul  4 05:45:46 dxb PAM_pwdb[14770]: (su) session opened for user xuser by (uid=0)
Jul  4 05:45:46 dxb PAM_pwdb[14770]: (su) session closed for user xuser
Jul  4 05:46:00 dxb PAM_pwdb[14886]: (su) session opened for user xuser by (uid=0)
Jul  4 05:46:00 dxb PAM_pwdb[14886]: (su) session closed for user xuser
Jul  4 05:46:00 dxb PAM_pwdb[14888]: (su) session opened for user xuser by (uid=0)
decoleurCommented:
no worries, we all like a good puzzle.

does xuser have ftp access?
charlzmikeAuthor Commented:
xuser@domain.com doesn't have sshd nor ftp access. And also, as I said, there is no xuser on the box, only xuser@domain.com ... unless they managed to add xuser to the system some other way, so that it does not appear in the /home directory of users?
decoleurCommented:
what is their shell set to in /etc/passwd?
I am asking because they will not always have a directory show up in /home.

For example, I can create a user using "useradd -M foo" and foo will be a new user without a home directory.

Take a quick look at the useradd man page for more tweaks.

HTH

-t
charlzmikeAuthor Commented:
hi,

I checked /etc/passwd and there is no entry for xuser ... I even did userdel xuser and got "username not found". Does it mean the opened SU sessions are from xuser@domain.com, not from xuser alone? By the way, xuser@domain.com has an email account but doesn't have ftp or sshd.

Thanks
charlzmikeAuthor Commented:
I just really want to know where these things are coming from?

Jul  4 05:45:44 dxb PAM_pwdb[14766]: (su) session opened for user xuser by (uid=0)
Jul  4 05:45:46 dxb PAM_pwdb[14766]: (su) session closed for user xuser


Thanks
decoleurCommented:
I do not see why xuser@domain.com could not be xuser, if they tried to telnet into your mail service...

It might be a good idea to check to make sure all of your apps are current.

I keep asking questions because it looks like xuser is part of the admin group because of the uid=0, which would lead me to believe that they have elevated their privileges and have possibly compromised your machine.

I am sorry I could not be more help.

-t
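The thread turns on how to read PAM_pwdb "session opened" lines and on correlating the users in them against /etc/passwd. The script below is an added example (not part of the original thread or of logwatch) that does that correlation mechanically: it parses lines in the exact format quoted above, produces the per-service, per-user counts that logwatch's PAM_pwdb section reports, and flags the two things this thread cares about: a session opened for a user that has no /etc/passwd entry, and an su session whose target is root. It also separates the two fields after "by": the login name of the caller (empty in the lines quoted above) and the caller's uid in parentheses. In the Linux-PAM message format, "by (uid=0)" means the process that invoked su was running as uid 0 with no login name recorded, which is what a root-owned cron job or daemon produces; "by admin(uid=500)" means the user admin invoked su. The log lines and the passwd file are constructed for the example; only the xuser lines mirror the ones posted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the PAM_pwdb format quoted in the thread (not real logs).
# The xuser lines mirror the posted ones; the rest are made up to exercise each case.
SAMPLE_LOG = """\
Jul  4 05:45:44 dxb PAM_pwdb[14766]: (su) session opened for user xuser by (uid=0)
Jul  4 05:45:46 dxb PAM_pwdb[14766]: (su) session closed for user xuser
Jul  4 05:46:00 dxb PAM_pwdb[14888]: (su) session opened for user xuser by (uid=0)
Jul  4 06:10:12 dxb PAM_pwdb[15001]: (su) session opened for user root by admin(uid=500)
Jul  4 06:11:00 dxb PAM_pwdb[15001]: (su) session closed for user root
Jul  4 06:12:30 dxb PAM_pwdb[15020]: (ftp) session opened for user admin by (uid=0)
Jul  4 06:13:00 dxb PAM_pwdb[15030]: (sshd) session opened for user admin by (uid=0)
Jul  4 06:14:00 dxb PAM_pwdb[15040]: (sshd) authentication failure; (uid=0) -> bob for sshd service
"""

# Constructed /etc/passwd content: note there is deliberately no "xuser" entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""

# "session opened" lines only; "session closed" and "authentication failure" are ignored.
# Group 4 is the caller's login name (may be empty), group 5 the caller's uid.
OPENED = re.compile(
    r'PAM_pwdb\[(\d+)\]: \((\w+)\) session opened for user (\S+) by (\w*)\(uid=(\d+)\)'
)


def parse_passwd(text):
    """Return {username: {'uid': int, 'shell': str}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        users[fields[0]] = {'uid': int(fields[2]), 'shell': fields[6]}
    return users


def parse_opened_sessions(text):
    """Return one dict per 'session opened' line, in log order."""
    sessions = []
    for line in text.splitlines():
        m = OPENED.search(line)
        if not m:
            continue
        pid, service, user, by_name, by_uid = m.groups()
        sessions.append({
            'pid': int(pid),
            'service': service,
            'user': user,
            'by_name': by_name or None,   # empty login name -> None
            'by_uid': int(by_uid),
        })
    return sessions


def summarize(sessions):
    """logwatch-style counts: {service: {user: number_of_sessions}}."""
    counts = defaultdict(Counter)
    for s in sessions:
        counts[s['service']][s['user']] += 1
    return {svc: dict(c) for svc, c in counts.items()}


def find_anomalies(sessions, passwd):
    """Flag sessions for unknown users, su to root, and su invoked by a root process."""
    findings = []
    for s in sessions:
        if s['user'] not in passwd:
            findings.append(f"{s['service']}: session opened for unknown user "
                            f"{s['user']!r} (no /etc/passwd entry)")
        if s['service'] == 'su' and s['user'] == 'root':
            who = s['by_name'] or f"uid {s['by_uid']}"
            findings.append(f"su: {who} became root (pid {s['pid']})")
        if s['service'] == 'su' and s['by_uid'] == 0 and s['by_name'] is None:
            findings.append(f"su: root-owned process (pid {s['pid']}) switched to "
                            f"{s['user']} with no login name (cron/daemon pattern)")
    return findings


if __name__ == '__main__':
    sessions = parse_opened_sessions(SAMPLE_LOG)
    for service, users in summarize(sessions).items():
        print(f"Service: {service}")
        for user, n in users.items():
            print(f"   User {user} - {n} Time(s)")
    for f in find_anomalies(sessions, parse_passwd(SAMPLE_PASSWD)):
        print("!!", f)
```

On a real box, feed it the output of `cat /var/log/messages*` (or whatever file the PAM_pwdb lines land in) and `/etc/passwd`. A user that shows up in the su counts but not in /etc/passwd is exactly the situation in this thread: either the account existed when the log was written and was later removed, or the name is a virtual user supplied to su by some service running as root, neither of which the log line alone can distinguish.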

charlzmikeAuthor Commented:
Thank you very much for your help, I will follow your advice. Thanks