Automatic Root Login and Command Execution Every Three Minutes

11-01-2011 07:12 AM

Hello all,


I am hoping there is a simple answer for this, but every three minutes or so I am seeing a log being generated that the user "root" logged in and executed "show configuration security | display xml" then logged off. I checked cron and there is nothing set for that time interval. We don't actively use the J-Web, but could it be coming from that? Here are some outputs from what I am seeing:


mgd[72725]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [72725], ssh-connection '', client-mode 'cli'

mgd[72725]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '

mgd[72725]: UI_LOGOUT_EVENT: User 'root' logout


% w
10:09AM up 24 days, 9:16, 2 users, load averages: 1.12, 0.69, 0.48
root u0 - 08Oct11 4days cli


There is no serial connection to the device (SRX650) and it is in a clustered setup. Is this a feature of the SRX cluster and how it seems to copy the config over?


Reiterating the concern, it seems to happen about every 3 minutes.


Thanks for your help


Re: Automatic Root Login and Command Execution Every Three Minutes

12-22-2011 12:35 PM

I can't remember exactly the cause; it's been about 6 months since having that conversation with Juniper, but J-Web and some other services show log messages as root.


Took us by surprise as well. Is this a cluster? Use NSM or Junos Space?


You could disable root logins via SSH and see if there is any change.


If my post helped you, please feel free to give me kudos.
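
As an added example (not code from the thread or from Juniper), one way to check whether sessions like those in the first post are machine-driven is to group the mgd UI_LOGIN_EVENT / UI_CMDLINE_READ_LINE / UI_LOGOUT_EVENT records into sessions and test whether identical one-command sessions recur at a steady interval. The event text is taken from the post; the timestamps, the hostname `srx-node0`, the incrementing PIDs, the `year` parameter and the `jitter` threshold are assumptions made for the sample.

```python
import re
from datetime import datetime
from statistics import median

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ mgd\[(\d+)\]: (UI_\w+): (.*)$")
LOGIN = re.compile(r"User '([^']*)' login, class '[^']*' \[\d+\], ssh-connection '([^']*)'")
CMD = re.compile(r"User '[^']*', command '(.*)'")

def build_sample():
    """Constructed log: the post's three events plus made-up timestamps, host and PIDs."""
    ev = ["UI_LOGIN_EVENT: User 'root' login, class 'super-user' [{p}], ssh-connection '', client-mode 'cli'",
          "UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '",
          "UI_LOGOUT_EVENT: User 'root' logout"]
    times = ["10:00:01", "10:03:02", "10:06:01", "10:09:03"]
    return "\n".join(f"Nov  1 {t} srx-node0 mgd[{72725 + i}]: " + e.format(p=72725 + i)
                     for i, t in enumerate(times) for e in ev)

def parse_sessions(text, year=2011):
    """Group mgd UI_* events into login sessions, keyed by the mgd PID while it is live."""
    sessions, live = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, tag, body = m.groups()
        if tag == "UI_LOGIN_EVENT" and (lm := LOGIN.search(body)):
            # Syslog timestamps carry no year; `year` is supplied by the caller.
            start = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            live[pid] = {"start": start, "user": lm[1], "ssh": lm[2], "commands": []}
            sessions.append(live[pid])
        elif tag == "UI_CMDLINE_READ_LINE" and pid in live and (cm := CMD.search(body)):
            live[pid]["commands"].append(cm[1].strip())
        elif tag == "UI_LOGOUT_EVENT":
            live.pop(pid, None)  # the PID may be reused by a later session
    return sessions

def periodic_jobs(sessions, jitter=15):
    """Map (user, ssh-connection, command) to the median gap in seconds for steady repeats."""
    runs = {}
    for s in sessions:
        if len(s["commands"]) == 1:  # login, one command, logout
            runs.setdefault((s["user"], s["ssh"], s["commands"][0]), []).append(s["start"])
    found = {}
    for key, starts in runs.items():
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter:
            found[key] = median(gaps)
    return found
```

Calling `periodic_jobs(parse_sessions(text))` on an exported messages file lists each repeating command with its interval and the `ssh-connection` value logged at login, which is empty in the post's output.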