Visitor
ISDNetworkTech
Posts: 4
Registered: ‎09-08-2011
0

Automatic Root Login and Command Execution Every Three Minutes

Hello all,

 

I am hoping there is a simple answer for this, but every three minutes or so I am seeing a log being generated that the user "root" logged in and executed "show configuration security | display xml" then logged off. I checked cron and there is nothing set for that time interval. We don't actively use the J-Web, but could it be coming from that? Here are some outputs from what I am seeing:

 

mgd[72725]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [72725], ssh-connection '', client-mode 'cli'

mgd[72725]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '

mgd[72725]: UI_LOGOUT_EVENT: User 'root' logout

 

% w
10:09AM up 24 days, 9:16, 2 users, load averages: 1.12, 0.69, 0.48
USER TTY FROM LOGIN@ IDLE WHAT
root u0 - 08Oct11 4days cli

 

There is no serial connection to the device (SRX650) and it is in a clustered setup. Is this a feature of the SRX cluster and how it seems to copy the config over?

 

Reiterating the concern, it seems to happen about every 3 minutes.

 

Thanks for your help

Contributor
TravisJohnson
Posts: 116
Registered: ‎12-14-2009
0

Re: Automatic Root Login and Command Execution Every Three Minutes

I can't remember exactly the cause, it's been about 6 months since having that conversation with Juniper, but J-Web and some other services show log messages as root.

 

Took us by surprise as well. Is this a cluster? Use NSM or Junos Space?

 

You could disable root logins via SSH and see if there is any change.

________________________________________________


If my post helped you, please feel free to give me kudos.
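A triage sketch for the pattern discussed in this thread, added as an example and not posted by either participant: it groups the mgd UI_LOGIN_EVENT / UI_CMDLINE_READ_LINE / UI_LOGOUT_EVENT lines by PID into sessions and reports any user and command set that repeats at a near-constant interval. The syslog timestamp and hostname prefix, the 'admin' session, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample: timestamps, hostname, the 'admin' session and every PID except 72725 are invented.
SAMPLE = """\
Oct 12 10:00:01 srx-node0 mgd[72701]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [72701], ssh-connection '', client-mode 'cli'
Oct 12 10:00:01 srx-node0 mgd[72701]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '
Oct 12 10:00:02 srx-node0 mgd[72701]: UI_LOGOUT_EVENT: User 'root' logout
Oct 12 10:03:01 srx-node0 mgd[72713]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [72713], ssh-connection '', client-mode 'cli'
Oct 12 10:03:01 srx-node0 mgd[72713]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '
Oct 12 10:03:02 srx-node0 mgd[72713]: UI_LOGOUT_EVENT: User 'root' logout
Oct 12 10:06:02 srx-node0 mgd[72725]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [72725], ssh-connection '', client-mode 'cli'
Oct 12 10:06:02 srx-node0 mgd[72725]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '
Oct 12 10:06:03 srx-node0 mgd[72725]: UI_LOGOUT_EVENT: User 'root' logout
Oct 12 10:04:40 srx-node0 mgd[72719]: UI_LOGIN_EVENT: User 'admin' login, class 'super-user' [72719], ssh-connection '192.0.2.10 51514 192.0.2.1 22', client-mode 'cli'
Oct 12 10:04:55 srx-node0 mgd[72719]: UI_CMDLINE_READ_LINE: User 'admin', command 'show chassis cluster status '
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ mgd\[(\d+)\]: (UI_\w+): User '([^']*)'(.*)$")

def sessions(text, year=2011):
    """One record per CLI session, keyed by mgd PID; syslog carries no year, so it is a parameter."""
    live, done = {}, []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts, pid, event, user, rest = m.groups()
        if event == "UI_LOGIN_EVENT":
            live[pid] = {"user": user, "cmds": [], "local": "ssh-connection ''" in rest,
                         "start": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")}
        elif event == "UI_CMDLINE_READ_LINE" and pid in live:
            live[pid]["cmds"].append(re.search(r"command '(.*)'", rest).group(1).strip())
        elif event == "UI_LOGOUT_EVENT" and pid in live:
            done.append(live.pop(pid))  # closing on logout keeps a reused PID from merging sessions
    return done + list(live.values())

def periodic(text, min_runs=3, max_jitter=5.0):
    """Sessions with the same user, origin type and commands whose start times are evenly spaced."""
    groups = defaultdict(list)
    for s in sessions(text):
        groups[(s["user"], s["local"], tuple(s["cmds"]))].append(s["start"])
    hits = []
    for (user, local, cmds), starts in groups.items():
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if len(starts) >= min_runs and pstdev(gaps) <= max_jitter:
            hits.append({"user": user, "local": local, "cmds": list(cmds), "period_s": mean(gaps)})
    return hits

if __name__ == "__main__":
    print(periodic(SAMPLE))
```

A fixed period, an empty ssh-connection field and an identical read-only command on every run point to a local management process rather than a person at a terminal; the one-off 'admin' session is not reported.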