For the last week or so Logwatch has been reporting root logins from TTYv0 when I have not logged in from the console. SSH is allowed only from the local network. The server is in the basement of my house and no one else knows the root login password. It also shows reboots and shutdowns that have not occurred. Here's a sample from the last few days:
Code:
July 25
**Unmatched Entries**
login: ROOT LOGIN (root) ON ttyv0: 8 Time(s)
login: login on ttyv0 as root: 8 Time(s)
shutdown: reboot by root: : 8 Time(s)
July 29
**Unmatched Entries**
login: ROOT LOGIN (root) ON ttyv0: 2 Time(s)
login: login on ttyv0 as root: 2 Time(s)
shutdown: power-down by root: : 1 Time(s)
Yet
uptime(1) this morning shows:
Code:
# uptime
10:07AM up 48 days, 8:45, 1 user, load averages: 0.00, 0.00, 0.00
And
last (1) shows:
Code:
# last
conrade pts/0 10.0.0.105 Sun Jul 29 09:45 still logged in
conrade pts/0 10.0.0.105 Wed Jul 25 21:04 - 21:05 (00:01)
conrade pts/0 10.0.0.105 Wed Jul 25 19:56 - 20:59 (01:03)
conrade pts/0 10.0.0.105 Tue Jul 24 06:13 - 06:55 (00:41)
conrade ftp 10.0.0.105 Tue Jul 24 06:07 - 06:13 (00:05)
conrade ftp 10.0.0.105 Tue Jul 24 06:07 - 06:32 (00:24)
root ttyv0 Sat Jul 14 09:27 - 09:27 (00:00) *This was me*
conrade ftp 10.0.0.105 Fri Jul 13 17:17 - 17:18 (00:01)
conrade pts/0 10.0.0.105 Fri Jul 13 17:14 - 17:26 (00:12)
conrade ftp 10.0.0.105 Fri Jul 13 17:09 - 17:11 (00:01)
conrade ftp 10.0.0.105 Fri Jul 13 17:08 - 17:24 (00:15)
conrade pts/0 10.0.0.105 Wed Jul 11 06:04 - 06:04 (00:00)
I have changed the root password and I can find no evidence of any logins in the logs that I know to look at (relative noob when it comes to FreeBSD). I am perplexed by this and if anyone here has any thoughts on how to get to the bottom of this I would be thankful.
July 29th, 2012, 16:29
Confused by Logwatch
Similar Threads
Linear Mode
