How do I know if these logs are normal, and if someone got into my server?

BlueStarry asked:

Last month I was logging into my server as usual and it was a mess: programs not working, /home not mounting anymore, etc.

Now I’ve downloaded all the Ubuntu server logs and I’ve noticed that auth is full of lines like this:

    Jun  7 06:57:01 ns375259 CRON[5663]: pam_unix(cron:session): session opened for user root by (uid=0)
    Jun  7 06:57:01 ns375259 CRON[5663]: pam_unix(cron:session): session closed for user root

I mean, really full: 2+ months of lines.

Root access was denied on my SSH. I don’t really know what that is.
What should I look for in the logs for a security breach?

EDIT: On another web frontend log:

    localhost:80 54.146.18.189 - - [02/Jul/2015:06:17:42 +0200] "HEAD / HTTP/1.1" 200 254 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
    localhost:80 54.159.92.113 - - [02/Jul/2015:18:16:54 +0200] "HEAD / HTTP/1.1" 200 254 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
    localhost:80 94.102.49.169 - - [02/Jul/2015:23:40:36 +0200] "GET / HTTP/1.1" 200 3594 "-" "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-24-generic"
    localhost:80 182.118.45.248 - - [03/Jul/2015:02:41:46 +0200] "GET / HTTP/1.1" 200 3538 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36"

My answer:


The repeated occurrence of “cron” indicates that this session was started by a cron job. It is not indicative of a compromise.


View the full question and answer on Server Fault.
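
A triage sketch for the auth log discussed above, added here as an example and not part of the original question or answer: it counts `pam_unix(cron:session)` lines as scheduled-job noise and lists SSH authentication events separately, since those are the lines that show who actually logged in. The sshd lines in the sample are constructed (documentation-range IPs and an invented `deploy` user, in OpenSSH's usual log wording), and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample: the two cron lines from the question plus invented sshd
# lines (documentation-range IPs) in the usual OpenSSH log wording.
SAMPLE = """\
Jun  7 06:57:01 ns375259 CRON[5663]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  7 06:57:01 ns375259 CRON[5663]: pam_unix(cron:session): session closed for user root
Jun  7 07:02:13 ns375259 sshd[5701]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun  7 07:02:15 ns375259 sshd[5701]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun  7 07:02:19 ns375259 sshd[5703]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jun  7 08:40:55 ns375259 sshd[5810]: Accepted password for deploy from 198.51.100.23 port 40222 ssh2
Jun  7 08:40:55 ns375259 sshd[5810]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
""".splitlines()

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
PAM_SESSION = re.compile(r"pam_unix\((?P<svc>[^:]+):session\): session opened for user (?P<user>\S+)")
SSH_AUTH = re.compile(r"(?P<res>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def triage(lines):
    """Split auth.log lines into cron noise and login events worth reviewing."""
    report = {"cron_sessions": 0, "failed": Counter(), "accepted": [], "sessions": [], "unparsed": 0}
    for line in lines:
        m = LINE.match(line)
        if not m:
            report["unparsed"] += 1  # not syslog-shaped; inspect by hand
            continue
        prog, msg = m["prog"], m["msg"]
        pam = PAM_SESSION.search(msg)
        if pam and pam["svc"] == "cron":
            report["cron_sessions"] += 1  # scheduled job, not a login
        elif pam:
            report["sessions"].append((pam["svc"], pam["user"]))
        elif prog == "sshd" and (ssh := SSH_AUTH.search(msg)):
            if ssh["res"] == "Failed":
                report["failed"][ssh["ip"]] += 1
            else:
                report["accepted"].append((ssh["user"], ssh["ip"], ssh["method"]))
    return report

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("cron sessions (benign):", r["cron_sessions"])
    print("failed SSH logins by source:", dict(r["failed"]))
    print("accepted SSH logins:", r["accepted"])
    print("non-cron sessions:", r["sessions"])
```
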

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.