False Positives - SU login alert

cpaneltech
Junior Member
Posts: 1
Joined: 19 Sep 2017, 00:49

False Positives - SU login alert

Post by cpaneltech »

I just got 14 messages all stating that my account logged onto root. But that wasn't me. I quickly logged on and checked and see no evidence of any root logins.

Suspecting that these might be older messages just now coming in (from previous days) I checked the email headers and they show that they came in just a minute ago. The /var/log/exim_mainlog also shows that the messages were just sent.

But /var/log/secure is not showing anything other than my connection just now (1 minute later after the emails I received).
I see no evidence in the cPanel logs either to indicate anyone logged on.

The headers look like this:

Delivered-To: myemai@gmail.com
Received: by xx.xx.xxx.x with SMTP id u8csp4377989wmf;
Mon, 18 Sep 2017 16:40:09 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QBsGnk5jREDACTEDzhSm9yxmr8fORCpYKF9j47f69HKEUD7qiPlx9DKJCLj4
X-Received: by xx.xxx.xx.xxx with SMTP id b12mr246190pgt.54.1505778009433;
Mon, 18 Sep 2017 16:40:09 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@mg.myserver.com header.s=krs header.b=Mgu/b8mZ;
dkim=pass header.i=@mailgun.org header.s=mg header.b=kAdEMyDt;
spf=pass (google.com: domain of bounce+ba39d0.563c2c-myemail=gmail.com@mg.myserver.com designates nnn.nnn.nnn.nnn as permitted sender) smtp.mailfrom=bounce+ba39d0.563c2c-myemail=gmail.com@mg.myserver.com
Return-Path: <bounce+ba39d0.563c2c-myemail=gmail.com@mg.myserver.com>
Received: from mail-s94.mailgun.info (mail-s94.mailgun.info. [nnn.nnn.nnn.nnn])
by mx.google.com with UTF8SMTPS id 72si5748708pla.679.2017.09.18.16.40.07
for <myemail@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 18 Sep 2017 16:40:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce+ba39d0.563c2c-myemail=gmail.com@mg.myserver.com designates nnn.nnn.nnn.nnn as permitted sender) client-ip=nnn.nnn.nnn.nnn;
Authentication-Results: mx.google.com;
dkim=pass header.i=@mg.myserver.com header.s=krs header.b=Mgu/b8mZ;
dkim=pass header.i=@mailgun.org header.s=mg header.b=kAdEMyDt;
spf=pass (google.com: domain of bounce+ba39d0.563c2c-myemail=gmail.com@mg.myserver.com designates nnn.nnn.nnn.nnn as permitted sender) smtp.mailfrom=bounce+ba39d0.563c2c-myemail=gmail.com@mg.myserver.com
X-Feedback-Id: 59aed598ff8b9e708f5a53cc:mailgun
Sender: root=server.myserver.com@mg.myserver.com
X-Mailgun-Sending-Ip: nnn.nnn.nnn.nnn
Received: from server.myserver.com (server.myserver.com [xxx.xx.xx.xxx]) by mxa.mailgun.org with ESMTP id 59c05957.7f67901032b0-smtp-out-n01; Mon, 18 Sep 2017 23:40:07 -0000 (UTC)
Received: from root by server.myserver.com with local (Exim 4.89) (envelope-from <root@server.myserver.com>) id 1du5e1-0003mn-J5 for root@server.myserver.com; Mon, 18 Sep 2017 18:40:05 -0500
To: root@server.myserver.com
Subject: lfd on server.myserver.com: SU login alert - Successful login from myuser(uid=1000) to root
From: <root@server.myserver.com>
Message-Id: <E1du5e1-0003mn-J5@server.myserver.com>
Date: Mon, 18 Sep 2017 18:40:05 -0500

Time: Mon Sep 18 18:40:05 2017 -0500
From: myuser(uid=1000)
To: root
Status: Successful login

Why would I suddenly receive 14 messages like this from lfd when there is no evidence of anyone logging in?
rclemings
Junior Member
Posts: 2
Joined: 04 Nov 2017, 16:56

Re: False Positives - SU login alert

Post by rclemings »

I'm seeing the same thing -- more than 100 false "SU login alert" notices at 7 a.m. today. No apparent cause this time, although in the past it's happened when I do a graceful reboot. It must have something to do with a recent upgrade because I never saw it until a month or two ago.
rclemings
Junior Member
Posts: 2
Joined: 04 Nov 2017, 16:56

Re: False Positives - SU login alert

Post by rclemings »

Here's a clue though -- when this happens, there are an equivalent number of stale entries written to /var/log/secure. This morning at 7 a.m., a bunch of lines dated Aug. 31 through Nov. 3 were written to that log, and sure enough, the number of su logins in that bunch of lines exactly matched the number of lfd notices I got.
reboot+hopeitcomesup
Junior Member
Posts: 6
Joined: 02 Oct 2017, 14:00

Re: False Positives - SU login alert

Post by reboot+hopeitcomesup »

There is a bug in RHEL, and presumably in GNU/Linux, because I am seeing the same thing.
https://bugzilla.redhat.com/show_bug.cgi?id=1216957
The journal dumps some retained old messages into /var/log/messages AND /var/log/secure, so you see a chunk of stale entries out of place:

Feb 22 00:15:54 to pure-ftpd: (?@74.x.x.x) [INFO] Logout.
Feb 22 00:16:28 to pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Feb 22 00:16:28 to pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Feb 22 00:20:01 to systemd: Started Session 2007570 of user root.
Feb 22 00:20:01 to systemd: Starting Session 2007570 of user root.
Feb 22 00:20:01 to systemd: Started Session 2007571 of user root.
Feb 22 00:20:01 to systemd: Starting Session 2007571 of user root.
Feb 22 00:20:03 to lfd[22443]: SYSLOG check [lLVwPsLAEbhCmUPYM0oa]
Feb 22 00:20:01 to systemd: Started Session 2007571 of user root.
Feb 22 00:20:01 to systemd: Starting Session 2007571 of user root.
Feb 22 00:20:03 to lfd[22443]: SYSLOG check [lLVwPsLAEbhCmUPYM0oa]
Feb 22 00:21:24 to rsyslogd: imjournal: journal reloaded... [v8.24.0 try http://www.rsyslog.com/e/0 ]
Dec 7 03:14:49 to su: (to root) jimbob on pts/0
Dec 8 08:20:57 to su: (to root) jimbob on pts/0
Dec 17 11:01:33 to su: (to root) jimbob on pts/0
Dec 21 02:42:44 to pure-ftpd: (?@50.x.x.x) [INFO] bobbysue is now logged in

...
Jan 26 15:19:47 to pure-ftpd: (jimmymack@174.x.x.x) [INFO] Logout.
Feb 10 15:15:13 to su: FAILED SU (to root) jimbob on pts/0
Feb 10 15:18:14 to su: (to root) jimbob on pts/0
Feb 18 06:42:08 to su: (to root) root on pts/0
Feb 20 20:47:54 to pure-ftpd: (?@99.x.x.x) [INFO] jimbob is now logged in

LFD then sees these recent entries in /var/log/messages or /var/log/secure (presumably it is just tailing the log looking for "failed") and alerts us to them. It seems I mistype my password often enough that I receive a dozen emails all at once, one for each time I mistyped it in the last 2 months.

LFD can improve here by either:
- adding the date/time of the log entry to the email so we can rest easy knowing it's not an ACTIVE brute-force attempt going on; I had a panic attack the first time this happened! :)
- OR BETTER YET, determining that these are old and ignoring them?
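The two improvements asked for above, written as an added example that is not lfd's own code: it parses su entries from a /var/log/secure excerpt, suppresses those whose own timestamp is older than a staleness window (the replayed records a journal reload writes out of order), and puts the entry's timestamp into the notice. The excerpt, the pinned current time and the 10-minute window are all assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed /var/log/secure excerpt modelled on the burst in the post: a
# journal reload replays months-old su entries after the current ones.
SAMPLE_SECURE = """\
Feb 22 00:21:24 host rsyslogd: imjournal: journal reloaded... [v8.24.0]
Dec  7 03:14:49 host su: (to root) jimbob on pts/0
Feb 10 15:15:13 host su: FAILED SU (to root) jimbob on pts/0
Feb 18 06:42:08 host su: (to root) root on pts/0
Feb 22 00:21:10 host su: (to root) jimbob on pts/0
"""
NOW = datetime(2018, 2, 22, 0, 21, 30)   # pinned "current time" for the example
STALE_AFTER = timedelta(minutes=10)      # assumed window; tune to your log latency

SU_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ su: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")

def parse_syslog_time(ts, now):
    # Classic syslog stamps carry no year: assume now.year and roll back one
    # year if that would place the entry in the future (1 day of skew allowed).
    t = datetime.strptime(f"{now.year} {ts}", "%Y %b %d %H:%M:%S")
    return t.replace(year=now.year - 1) if t > now + timedelta(days=1) else t

def classify(line, now=NOW, stale_after=STALE_AFTER):
    """Return ('ignore'|'stale'|'alert', event-or-None) for one log line;
    'stale' is an su entry older than stale_after, i.e. a replayed record."""
    m = SU_LINE.match(line)
    if not m:
        return "ignore", None
    when = parse_syslog_time(m.group("ts"), now)
    event = {"time": when, "user": m.group("user"), "target": m.group("target"),
             "status": "failed" if m.group("failed") else "successful",
             "tty": m.group("tty")}
    return ("stale" if now - when > stale_after else "alert"), event

def scan(text, now=NOW, stale_after=STALE_AFTER):
    """Split a log excerpt into live alerts and suppressed stale events."""
    alerts, stale = [], []
    for line in text.splitlines():
        verdict, event = classify(line, now, stale_after)
        if event is not None:
            (alerts if verdict == "alert" else stale).append(event)
    return alerts, stale

def format_alert(event):
    # Put the entry's own timestamp in the notice, as the post asks for.
    return (f"SU login alert - {event['status']} login from {event['user']} to "
            f"{event['target']} on {event['tty']} (log entry time {event['time']:%Y-%m-%d %H:%M:%S})")
```

Stale events are still worth recording (they are real su events, just not new ones); only the mail notification is suppressed.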