session opened for user root by (uid=0)

Thomas Walter tbw at geo.hunter.cuny.edu
Mon Jan 30 22:03:02 UTC 2006


Good Evening,

I have a RHEL 4 machine, recently brought online. I see today the following 
entries (hundreds actually) every 5 minutes. There are no entries in root 
crontab. Web search indicates a possible intrusion but the examples I see 
don't refer to crond. Can anyone help?

TIA.

Tom Walter


Jan 29 10:15:01 earth crond(pam_unix)[31492]: session opened for user root by (uid=0)
Jan 29 10:15:01 earth crond(pam_unix)[31492]: session closed for user root
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session closed for user root
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session closed for user root
Jan 29 10:25:01 earth crond(pam_unix)[31541]: session opened for user root by (uid=0)
Jan 29 10:25:01 earth crond(pam_unix)[31541]: session closed for user root
Jan 29 10:30:01 earth crond(pam_unix)[31563]: session opened for user root by (uid=0)
Jan 29 10:30:01 earth crond(pam_unix)[31564]: session opened for user root by (uid=0)
Jan 29 10:30:01 earth crond(pam_unix)[31563]: session closed for user root
Jan 29 10:30:01 earth crond(pam_unix)[31564]: session closed for user root



==================================================================================

Thomas Walter
Geography & Computer Science Departments
Hunter College of the City University of New York
695 Park Avenue
New York, NY 10021

(212)772-5457 Office
(212)772-5268 Fax
tbwalter at geo.hunter.cuny.edu
http://geography.hunter.cuny.edu/~tbw
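
A triage sketch for the entries quoted above, added here and not part of the original post: it pairs each opened/closed event by crond child PID and counts sessions per minute, which on these lines shows a root session every 5 minutes and a second one every 10. The year 2006 (syslog omits it) and all function names are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the message above.
LOG = """\
Jan 29 10:15:01 earth crond(pam_unix)[31492]: session opened for user root by (uid=0)
Jan 29 10:15:01 earth crond(pam_unix)[31492]: session closed for user root
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session opened for user root by (uid=0)
Jan 29 10:20:01 earth crond(pam_unix)[31514]: session closed for user root
Jan 29 10:20:01 earth crond(pam_unix)[31515]: session closed for user root
Jan 29 10:25:01 earth crond(pam_unix)[31541]: session opened for user root by (uid=0)
Jan 29 10:25:01 earth crond(pam_unix)[31541]: session closed for user root
Jan 29 10:30:01 earth crond(pam_unix)[31563]: session opened for user root by (uid=0)
Jan 29 10:30:01 earth crond(pam_unix)[31564]: session opened for user root by (uid=0)
Jan 29 10:30:01 earth crond(pam_unix)[31563]: session closed for user root
Jan 29 10:30:01 earth crond(pam_unix)[31564]: session closed for user root
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ crond\(pam_unix\)\[(\d+)\]: "
                  r"session (opened|closed) for user (\S+)")

def sessions(text, year=2006):
    """Pair opened/closed events by crond child PID -> [(start, end, user)]."""
    open_at, done = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a crond pam_unix session line
        stamp, pid, event, user = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if event == "opened":
            open_at[pid] = ts
        elif pid in open_at:
            done.append((open_at.pop(pid), ts, user))
    return done

def jobs_per_slot(done):
    """Number of sessions started in each minute, in time order."""
    return dict(sorted(Counter(s.replace(second=0) for s, _e, _u in done).items()))

def cadence_minutes(slots, min_jobs):
    """Distinct gaps (minutes) between slots holding at least min_jobs sessions."""
    times = [t for t, n in slots.items() if n >= min_jobs]
    return sorted({int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])})

if __name__ == "__main__":
    slots = jobs_per_slot(sessions(LOG))
    print(list(slots.values()), cadence_minutes(slots, 1), cadence_minutes(slots, 2))
```

Jobs that crond runs as root can also be defined in `/etc/crontab` and `/etc/cron.d/`, which `crontab -l` for root does not list.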




More information about the Redhat-install-list mailing list