Mystery Root user
-
Hi all,
On one of our firewalls running 2.4.4-RELEASE, we can see the following in our logs:
Dec 6 13:55:25 login login on ttyu0 as root
Dec 6 13:55:29 login login on ttyu0 as root
Dec 6 13:55:34 login login on ttyu0 as root
Dec 6 13:55:38 login login on ttyu0 as root
Dec 6 13:55:43 login login on ttyu0 as root
Dec 6 13:55:47 login login on ttyu0 as root
Dec 6 13:55:52 login login on ttyu0 as root
Dec 6 13:55:56 login login on ttyu0 as root
Dec 6 13:56:01 login login on ttyu0 as root
Dec 6 13:56:05 login login on ttyu0 as root
Dec 6 13:56:09 login login on ttyu0 as root
Dec 6 13:56:14 login login on ttyu0 as root
Dec 6 13:56:18 login login on ttyu0 as root
Dec 6 13:56:23 login login on ttyu0 as root
Dec 6 13:56:27 login login on ttyu0 as root
And from the CLI we see that it is running some shell:
[2.4.4-RELEASE][admin@xxxx]/root: w
1:57PM up 1:49, 3 users, load averages: 0.49, 0.61, 0.57
USER TTY FROM LOGIN@ IDLE WHAT
root u0 - 1:57PM - -sh (sh)
From installed packages we have only OVPN and Zabbix agent.
Any ideas what can cause this?
-
Hi,
ttyu0 = a real COM port (serial) device.
So, check what's hooked up to the Serial (also known as RS232) port and rip out the cable. No more logins ^^
Btw: follow the cable and you'll find the device => you found the user. All this is pretty close to your pfSense box.
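A detection check for the pattern in the thread, added here as an example rather than anything from the original posts: a serial console (ttyu0) that re-logs root every few seconds is the signature of something attached to the COM port keeping the login prompt busy, so a small parser over the login(1) records can flag the tty to follow. The log lines below are constructed after the excerpt above, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's excerpt (FreeBSD/pfSense login(1)
# records); not the poster's real logs. One unrelated console login is mixed in.
SAMPLE_LOG = """\
Dec 6 13:55:25 login login on ttyu0 as root
Dec 6 13:55:29 login login on ttyu0 as root
Dec 6 13:55:34 login login on ttyu0 as root
Dec 6 13:55:38 login login on ttyu0 as root
Dec 6 13:55:43 login login on ttyu0 as root
Dec 6 13:55:47 login login on ttyu0 as root
Dec 6 14:10:02 login login on ttyv0 as admin
Dec 6 14:30:11 login login on ttyu0 as root
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) login login on (?P<tty>\S+) as (?P<user>\S+)$"
)


def parse_logins(text, year=2018):
    """Return (timestamp, tty, user) for every login(1) record; year is assumed."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["tty"], m["user"]))
    return events


def find_login_loops(events, min_count=5, max_gap_s=10):
    """Flag ttys with >= min_count consecutive logins no more than max_gap_s apart."""
    by_tty = defaultdict(list)
    for ts, tty, user in events:
        by_tty[tty].append((ts, user))
    findings = []
    for tty, evs in by_tty.items():
        evs.sort()
        start = 0
        for i in range(1, len(evs) + 1):
            # close the current run at the end of the list or when the gap is too large
            if i == len(evs) or (evs[i][0] - evs[i - 1][0]).total_seconds() > max_gap_s:
                run = evs[start:i]
                if len(run) >= min_count:
                    findings.append({
                        "tty": tty, "count": len(run),
                        "users": sorted({u for _, u in run}),
                        "first": run[0][0], "last": run[-1][0],
                        "avg_gap_s": round((run[-1][0] - run[0][0]).total_seconds() / (len(run) - 1), 1),
                    })
                start = i
    return findings
```

A hit on a ttyu* device points at the serial port, so the next step is the physical one the reply describes: find what is plugged into it.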
-
Hi @Gertjan,
Thank you for the clarification. You were right, there is a USB/serial connected to the box.
After removal all is good! :)
-
Your next question will be: my UPS doesn't shut down pfSense anymore...
(or: what was the usage of this cable?)