Submitted by Locutus on Sun, 10/07/2012 - 16:42
On one of my Virtualmin hosting VMs I just found these entries in the auth.log, recurring every 8 minutes:
Oct 7 06:42:10 orion webmin: Timeout of session for
Nothing is given after the "for". There's nothing suspicious at the time in miniserv.log or Webmin's debug.log. Any idea where those entries might come from? My first idea was a break-in attempt, but the entries occur too regularly for that.
Submitted by JamieCameron on Sun, 10/07/2012 - 21:48 Comment #1
That's weird, it looks like those log messages are due to session database entries being cleared. I don't think this indicates a break-in attempt, but may indicate a bug elsewhere..
Are you using the Virtualmin feature to automatically switch from the root login to domain owner permissions?
Submitted by Locutus on Mon, 10/08/2012 - 05:24 Comment #2
Hey Jamie, thanks for the reply!
I also don't think it's a break-in attempt. It's occurring too regularly for that, exactly one entry every 5-8 minutes.
As for your question, I'm afraid I don't know what feature you mean with "automatically switching from root login to domain owner permissions". Where would I configure/use that feature?
(I suppose, since I don't even know what feature you mean, that I'm not using it. :) Except it's automatically used if not configured otherwise.)
Mmh, I kinda seem to recall that at some point I saw a link "Switch to domain owner" in some menu. But I can't recall where that was, and when I search the Virtualmin built-in help for "Switch", I get no helpful results.
If you need further information or log excerpts, please let me know!
Submitted by JamieCameron on Mon, 10/08/2012 - 12:36 Comment #3
Yes, I'm referring to that "switch to domain user" link .. but if you don't ever use it, it is unlikely to be the cause of this issue.
If you go to Webmin -> Webmin Users -> View Login Sessions, what does the list of active sessions contain?
Submitted by Locutus on Mon, 10/08/2012 - 16:33 Comment #4
I usually don't use "switch to domain user", that's right. I just re-discovered where that link actually is... And that the feature "Webmin login" (logically) needs to be enabled for it to appear at all. :)
In "View Login Sessions", there is indeed an odd entry, one without a user name and IP address, and a garbled Login time:
(I x-ed out some valid data in the list, to protect my customers' privacy.)
When I click "View logs" for the odd entry, I get:
Is it actually possible that this garbled session has been around since December 2011?!
I recall that there was a hacking incident last year one day before x-mas eve which required some cleanup, and the log entries there look like the remainder of that cleanup. (If I recall correctly, I started the FTP server back up which I had taken down when the hacking break-in started, configured the root user to be allowed only from certain IP addresses and deleted a compromised domain.)
When clicking on the session ID to, as the screen tells me, "cancel the session and force the user to log in again", it takes about 10 seconds until the page reloads, and then the session is still there. I'll post some debug log entries in a bit.
Submitted by Locutus on Mon, 10/08/2012 - 16:40 Comment #5
Here's the debug.log contents when I click the session ID to delete it:
And this gets logged in
Submitted by JamieCameron on Mon, 10/08/2012 - 16:43 Comment #6
The simplest way to clear this invalid session permanently is to SSH in as root and run:
This will force all logged-in users to re-authenticate though.
The fact that this session cannot be deleted suggests that the session DBM file is corrupt somehow..
Submitted by Locutus on Mon, 10/08/2012 - 16:44 Comment #7
I grepped for the session IDs, and found them in /var/webmin/sessiondb.pag. That file is owned by root:bin and has permissions 700.
Submitted by Locutus on Mon, 10/08/2012 - 16:48 Comment #8
Roger that, forcing users to log in again is no problem. I'll copy the corrupt DB file away in case you need it for debugging purposes! Let me know in that case. :)
So, the reason for those "Timeout" log entries is that every ~8 minutes Webmin tried to clear that garbled session from last xmas from the DB, and failed, so it tried again and again?
Submitted by JamieCameron on Mon, 10/08/2012 - 16:50 Comment #9
Yes, the log entries are due to Webmin trying and failing continually to delete a corrupt session entry.
The next Webmin release will handle this case better.
Submitted by Locutus on Mon, 10/08/2012 - 16:57 Comment #10
Holy cow. So this has been going on for a year and I didn't notice it until just now. I should read my logs better. :|
Actually, the reason why I noticed it just now is because I installed - for that exact reason - "logcheck", which promptly listed those entries as "unknown, better check what's going on there".
In any case, thanks a lot for your time and help, and case closed! :)
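Added example, not part of the original thread and not Webmin code: a small Python check that pulls the nameless "Timeout of session for" entries out of auth.log text and reports their spacing, so the steady recurrence described above stands out. The sample lines are constructed; it assumes a normal entry carries a user name after "for", that the log year is 2012 (syslog lines carry none), and that a 5-minute spread counts as "regular".

```python
import re
from datetime import datetime

# Constructed sample in the format of the entry quoted in the thread
# (host "orion" is from the post; user "alice", the sshd line and all
# times are made up for illustration).
SAMPLE_LOG = """\
Oct  7 06:26:10 orion webmin: Timeout of session for
Oct  7 06:30:02 orion webmin: Timeout of session for alice
Oct  7 06:34:10 orion webmin: Timeout of session for
Oct  7 06:35:41 orion sshd[2211]: Accepted publickey for root from 192.0.2.10 port 50522 ssh2
Oct  7 06:42:10 orion webmin: Timeout of session for
"""

# Matches only Webmin session-timeout lines; "user" is empty when nothing
# follows "for" (assumption: a healthy entry names the user there).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"webmin(?:\[\d+\])?: Timeout of session for[ \t]*(?P<user>\S*)\s*$"
)


def nameless_timeouts(log_text, year=2012):
    """Return timestamps of session-timeout entries that carry no user name."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and not m.group("user"):
            ts = " ".join(m.group("ts").split())  # collapse syslog day padding
            hits.append(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"))
    return hits


def summarize(hits, max_jitter_min=5):
    """Report the gaps between hits and whether they look timer-driven."""
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
    # "regular" = at least three hits whose spacing varies by no more than
    # max_jitter_min minutes (threshold is an assumption, tune per host).
    regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter_min
    return {"count": len(hits), "gaps_min": gaps, "regular": regular}


if __name__ == "__main__":
    print(summarize(nameless_timeouts(SAMPLE_LOG)))
```

To run it against a real file, pass the contents of auth.log to `nameless_timeouts()` instead of `SAMPLE_LOG`.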
Submitted by JamieCameron on Mon, 10/08/2012 - 17:03 Comment #11
Submitted by Issues on Mon, 10/22/2012 - 17:08 Comment #12
Automatically closed -- issue fixed for 2 weeks with no activity.