Netgate Discussion Forum

    Please review my Auth & OS changes log for concerns

    • L
      lnr36

      I was just going through my system log entries… can anyone tell me if I should be concerned about these entries? It is consistent almost daily in the log. One admin account, I connect frequently to the console using PuTTY. SSH isn’t used. 22 is blocked. SG-1100. Hope someone has some feedback. It’s concerning.
      Thanks

      2024-08-11 11:09:26 [unknown:groupmod| all(1998)

      2024-08-11 11:09:26 unknown:useradd admin(0) home /root made

      2024-08-11 11:09:26 [unknown:useradd admin(0) wheel(0):System Administrator/root./etc/rc.initial

      2024-08-11 11:09:26 [unknown:usermod| root(0) :wheel(0):Charlie &/root:/bin/sh
      2024-08-11 11:09:26 unknown groupmod all(1998)

      2024-08-11 11:09:26 unknowntuserdel admin(0) account removed

      2024-08-09 22:52:28 (unknown:groupmod, admins(1999)

      2024-08-09 22:52:28 [unknown groupmod] all(1998)

      2024-08-09 22:52:28 [unknown:useradd] admin(0) home / root made

      2024-08-09 22:52:28 [unknown.useradd] admin(0) wheel(0): System Administrator:/roott/etc/rc.initial

      2024-08-09 22:52.28 [unknown:usermod] root(0) wheel(0) Charlie 8:/ root:/bin/sh

      2024-08-09 22:52:28 [unknown:groupmod] all(1998)

      2024-08-09 22:52:28 [unknownuserdel] admin(9) account removed

      2024-08-09 22:43:14 [unknown groupmod] admins(1999)

      2024-08-09 22:43:14 [unknown:groupmod| all(1998)

      2024-08-09 22:43:14 (unknown:useradd) admin(0) home /root made

      2024-08-09 22:43:14 (unknown useradd admin(0) whee (0) System Administrator/root:/etc/rc.initial

      2024-08-09 22:43:14 [unknown usermod] root(0):wheel(0): Charlie &/root/bin/sh

      2024-08-09 22:43:14 [unknown:groupmod all(1998)

      2024-08-09 22:43:14 (unknownsuserdel] admin(0) account removed

      2024-07-29 20:43:27 [unknowngroupmodl admins (1999)

      2024-07-29 20:43:27 [unknown.groupmod ali(1998)

      • GertjanG
        Gertjan @lnr36

        @lnr36 said in Please review my Auth & OS changes log for concerns:

        It’s concerning.

        Depends.
        Are you the only one with the admin password?
        Is your SSH only accessible from a trusted (where the devices are that you trust) LAN like the LAN?

        The usermod/useradd could just be a pfSense package that does some things of its own, but I've never seen these lines in my system log.
        Names like 'ali' and 'Charlie', that's strange indeed.

        The sequence seems to repeat itself .... some script ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • L
          lnr36 @Gertjan

          @Gertjan
          Yes, I’m the only user and Admin and the admin. SSH is disabled and admin access is from the management VLAN with no internet access.

          • GertjanG
            Gertjan @lnr36

            @lnr36

            Well, you have these 'names', time to grep ?!

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
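An added example, not written by anyone in the thread and not pfSense code: a small Python parser for account-change lines like those in the first post. It groups them by timestamp and reports which tool sequences recur, the repetition noted in the first reply. The sample lines are constructed from the post's entries (including their stray brackets), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the entries in the first post (newest first),
# keeping the stray brackets, missing colons and the odd "admin(9)" seen there.
SAMPLE = """\
2024-08-11 11:09:26 [unknown:groupmod| all(1998)
2024-08-11 11:09:26 unknown:useradd admin(0) home /root made
2024-08-11 11:09:26 [unknown:usermod| root(0) :wheel(0)
2024-08-11 11:09:26 unknowntuserdel admin(0) account removed
2024-08-09 22:52:28 [unknown groupmod] all(1998)
2024-08-09 22:52:28 [unknown:useradd] admin(0) home / root made
2024-08-09 22:52.28 [unknown:usermod] root(0) wheel(0)
2024-08-09 22:52:28 [unknownuserdel] admin(9) account removed
2024-08-09 22:43:14 [unknown:groupmod| all(1998)
2024-08-09 22:43:14 (unknown:useradd) admin(0) home /root made
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}[:.]\d{2}[:.]\d{2})\s+"  # timestamp, ':' or '.'
    r".*?(?P<tool>groupmod|useradd|usermod|userdel)\W*"       # tool name, any delimiter
    r"(?P<name>\w+)\s*\((?P<id>\d+)\)"                        # target as name(id)
)

def parse(text):
    """Return (timestamp, tool, name, id) for each line that matches; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = m["ts"].replace(".", ":")  # normalise 22:52.28 -> 22:52:28
            events.append((ts, m["tool"], m["name"], int(m["id"])))
    return events

def repeated_sequences(events, min_count=2):
    """Map each tool sequence seen in >= min_count same-second batches to its timestamps."""
    by_ts = defaultdict(list)
    for ts, tool, _name, _id in events:
        by_ts[ts].append(tool)
    by_seq = defaultdict(list)
    for ts, tools in by_ts.items():
        by_seq[tuple(tools)].append(ts)
    return {seq: sorted(tss) for seq, tss in by_seq.items() if len(tss) >= min_count}

if __name__ == "__main__":
    for seq, stamps in repeated_sequences(parse(SAMPLE)).items():
        print(" -> ".join(seq), "at", ", ".join(stamps))
```

Identical batches landing in the same second at different times are what to correlate against known events such as reboots or configuration saves.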
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.