Auth.log understand it

Question

I have an ubuntu server and I want to understand if someone enter into it (hacker). I have seen into auth.log many lines like this:

May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session closed for user admin
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session closed for user admin

My user is 'alessandro' and not admin someone is entered with user 'admin' ?

Can someone help me?

score 4 · Answer 1 · answered May 30 '13 at 15:07

4

Your comments reveal files and directory structures which are commonly seen with rootkits. So it's a very high probability that your server has been compromised and taken over. You should begin remediation as soon as possible.

answered May 30 '13 at 15:07

Michael Hampton

252,907

Auth.log understand it

1 Answers1