Mystery Root user



  • Hi all,

    On one of our firewalls running 2.4.4-RELEASE OS in our logs we can see the following:

    Dec 6 13:55:25 login login on ttyu0 as root
    Dec 6 13:55:29 login login on ttyu0 as root
    Dec 6 13:55:34 login login on ttyu0 as root
    Dec 6 13:55:38 login login on ttyu0 as root
    Dec 6 13:55:43 login login on ttyu0 as root
    Dec 6 13:55:47 login login on ttyu0 as root
    Dec 6 13:55:52 login login on ttyu0 as root
    Dec 6 13:55:56 login login on ttyu0 as root
    Dec 6 13:56:01 login login on ttyu0 as root
    Dec 6 13:56:05 login login on ttyu0 as root
    Dec 6 13:56:09 login login on ttyu0 as root
    Dec 6 13:56:14 login login on ttyu0 as root
    Dec 6 13:56:18 login login on ttyu0 as root
    Dec 6 13:56:23 login login on ttyu0 as root
    Dec 6 13:56:27 login login on ttyu0 as root

    And from CLI we see that it is running some shell:

    [2.4.4-RELEASE][admin@xxxx]/root: w
    1:57PM up 1:49, 3 users, load averages: 0.49, 0.61, 0.57
    USER TTY FROM LOGIN@ IDLE WHAT
    root u0 - 1:57PM - -sh (sh)

    From installed packages we have only OVPN and Zabbix agent.

    Any ideas what can cause this?



  • Hi,

    ttyu0 = a real COM port (serial) device.
    So, check what's hooked up to the Serial (also known as RS232) and rip out the cable. No more logins ^^

    Btw : follow the cable and you'll find the device => you found the user. All this pretty close to your pfSense box.
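The reply above points at the key detail: on FreeBSD-based pfSense, ttyu0 is the uart(4) serial console, so a login recorded there can only come from something physically cabled to the box, not from the network. As an added example (not part of this thread, and not pfSense's own tooling), the script below parses the login lines quoted in the first post, groups them by tty and user, classifies the tty by how it is reached, and raises an alert when root logins on a serial tty recur at short regular intervals, which is the pattern a misbehaving serial device produces. The thresholds and the alert wording are assumptions chosen for illustration; the sample log is constructed from the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample input: the syslog lines quoted in the first post.
# Syslog timestamps carry no year, so they are only used for deltas.
SAMPLE_LOG = """\
Dec 6 13:55:25 login login on ttyu0 as root
Dec 6 13:55:29 login login on ttyu0 as root
Dec 6 13:55:34 login login on ttyu0 as root
Dec 6 13:55:38 login login on ttyu0 as root
Dec 6 13:55:43 login login on ttyu0 as root
Dec 6 13:55:47 login login on ttyu0 as root
Dec 6 13:55:52 login login on ttyu0 as root
Dec 6 13:55:56 login login on ttyu0 as root
Dec 6 13:56:01 login login on ttyu0 as root
Dec 6 13:56:05 login login on ttyu0 as root
Dec 6 13:56:09 login login on ttyu0 as root
Dec 6 13:56:14 login login on ttyu0 as root
Dec 6 13:56:18 login login on ttyu0 as root
Dec 6 13:56:23 login login on ttyu0 as root
Dec 6 13:56:27 login login on ttyu0 as root
"""

# Matches the "login login on <tty> as <user>" lines written by login(1).
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"login login on (?P<tty>\S+) as (?P<user>\S+)$"
)


def tty_kind(tty):
    """Classify a FreeBSD tty name by the path an attacker would need to reach it."""
    if tty.startswith("ttyu"):
        return "serial"         # uart(4) COM port: a physical cable, never the network
    if tty.startswith("ttyv"):
        return "local-console"  # vt(4) keyboard and screen on the box itself
    if tty.startswith("pts/"):
        return "pseudo"         # ssh, tmux, screen: usually reached over the network
    return "unknown"


def parse_login_events(text):
    """Return (timestamp, tty, user) tuples; unrelated log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["tty"], m["user"]))
    return events


def summarize(events):
    """Per (tty, user): login count, tty kind, time span and median gap between logins."""
    groups = defaultdict(list)
    for ts, tty, user in events:
        groups[(tty, user)].append(ts)
    summary = {}
    for (tty, user), stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[(tty, user)] = {
            "count": len(stamps),
            "kind": tty_kind(tty),
            "span_s": (stamps[-1] - stamps[0]).total_seconds(),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return summary


def alerts(summary, min_count=3, max_median_gap_s=30.0):
    """Flag root logins on a serial tty that repeat at short intervals (assumed thresholds)."""
    found = []
    for (tty, user), s in summary.items():
        if (user == "root" and s["kind"] == "serial" and s["count"] >= min_count
                and s["median_gap_s"] is not None and s["median_gap_s"] <= max_median_gap_s):
            found.append(
                f"root logged in {s['count']}x on serial {tty} every ~{s['median_gap_s']:.0f}s "
                f"over {s['span_s']:.0f}s: check what is plugged into that COM port"
            )
    return found


if __name__ == "__main__":
    for msg in alerts(summarize(parse_login_events(SAMPLE_LOG))):
        print(msg)
```

Run against the quoted log, this reports fifteen root logins on ttyu0 roughly every four seconds over about a minute, which is exactly the "follow the cable" situation rather than a remote compromise. The same summary would classify a burst on pts/0 as network-reachable and leave it to a different rule, which is the distinction worth encoding in monitoring.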



  • Hi @Gertjan,

    Thank you for the clarification, and you were right: there is a usb/serial connected to the box.
    After removal all is good! :)



  • 👍

    Your next question will be: my UPS doesn't shut down pfSense anymore ....
    (or: what was the usage of this cable?)