Auth.log understand it

Alessandro Minoccheri asked:

I have an Ubuntu server and I want to understand if someone (a hacker) has entered it.
I have seen many lines like this in auth.log:

May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session closed for user admin
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session closed for user admin

My user is ‘alessandro’ and not admin. Has someone entered with the user ‘admin’?

Can someone help me?

My answer:


Your comments reveal files and directory structures which are commonly seen with rootkits. So there’s a very high probability that your server has been compromised and taken over. You should begin remediation as soon as possible.


View the full question and answer on Server Fault.
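
An added example, not part of the original question or answer: a small parser for pam_unix session lines in the format quoted in the question. It groups "session opened" events by PAM service and user, so sessions opened through cron are listed separately from those opened through other services. The sshd line in the sample is constructed, and treating `cron` as the only scheduler service is an assumption.

```python
import re
from collections import Counter

# Matches pam_unix session lines in the syslog format shown in the question.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\[\s:]+)\[(?P<pid>\d+)\]:\s"
    r"pam_unix\((?P<service>[^:]+):session\):\s"
    r"session (?P<action>opened|closed) for user (?P<user>\S+)"
)

# First three lines are from the question; the sshd line is constructed.
SAMPLE = [
    "May 30 10:36:00 xxx-System-Product_Name CRON[2758]: "
    "pam_unix(cron:session): session opened for user admin by (uid=0)",
    "May 30 10:36:00 xxx-System-Product_Name CRON[2758]: "
    "pam_unix(cron:session): session closed for user admin",
    "May 30 10:37:00 xxx-System-Product_Name CRON[2759]: "
    "pam_unix(cron:session): session opened for user admin by (uid=0)",
    "May 30 10:41:12 xxx-System-Product_Name sshd[2801]: "
    "pam_unix(sshd:session): session opened for user alessandro by (uid=0)",
]


def summarize_sessions(lines):
    """Count 'session opened' events per (PAM service, user)."""
    opened = Counter()
    for line in lines:
        m = SESSION_RE.match(line)
        if m and m["action"] == "opened":
            opened[(m["service"], m["user"])] += 1
    return opened


def non_scheduler_sessions(opened, scheduler_services=("cron",)):
    """Return (service, user) pairs not opened by a job scheduler.

    scheduler_services is an assumption: adjust it to the PAM service
    names your own scheduler logs under.
    """
    return sorted(k for k in opened if k[0] not in scheduler_services)


if __name__ == "__main__":
    counts = summarize_sessions(SAMPLE)
    for (service, user), n in sorted(counts.items()):
        print(f"{service:6} {user:12} opened={n}")
    print("non-scheduler sessions:", non_scheduler_sessions(counts))
```
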

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.