
Issue Syslog with entry "su: (to popuser) root on none"

OverWolf

Regular Pleskian
Hi,
I've seen in syslog (and the secure log) a number of these log entries:

su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
So, I've tried to search in this forum and I found an old thread, Plesk Panel - error - backend died, that talks about a mail problem and a bug.
So, I've been investigating on my server and I have found that these entries are logged every day at about 3:15 AM, and there is also a strange coincidence: these entries appear exactly when maillog processes itself (and so opens a new log file).

What can I do to resolve this situation?

P.S.: I'm using Postfix and Dovecot (no qmail)
 
Hi OverWolf,

lines like:
Code:
su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
and
su: pam_unix(su-l:session): session closed for user popuser
are absolutely normal logged login attempts. Could you explain what you desire to "resolve" here?
 
Hi UFHH01,

these "normal" logged login attempts are logged only at about 03:00 AM (every day) and then no log is present. Besides, they try to log in every second.

I'll show you an example:

Oct 9 03:23:18 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:20 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:20 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:22 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:22 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:25 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:25 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:28 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:28 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:31 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:31 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:34 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:34 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:37 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:37 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:39 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:39 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:42 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:42 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:45 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:45 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:48 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:48 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:51 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:51 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:01 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:02 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:05 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:05 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:08 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:08 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:11 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:11 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:14 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:14 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:17 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:17 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:20 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:20 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:23 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:23 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:26 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:26 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:28 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:28 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:31 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:31 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:34 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:34 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:37 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:37 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:40 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:40 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:41 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:41 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:44 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:24:44 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:24:46 95 su: pam_unix(su-l:session): session closed for user popuser
 
Hi OverWolf,

you still haven't answered the main question here:

WHAT would you desire to solve here?
What kind of issue/error/problem has been caused?

Without your answers, people can only guess what your desire is, and guessing is a very time-consuming hobby. :(

In addition, please note that in the thread you found we can also read:
After extensive log reviews they figured the problem was caused by bruteforce attacks.
Which leads me to the thought that, without any decent logs and corresponding investigations, you might not be able to get suggestions on how to protect yourself against these (possible) bruteforce attacks on your server. :(
 
Hi UFHH01,

OK, I understand what you mean... So my question is whether these log lines are a foreshadowing of a problem, or whether these logs are common in Plesk.
Because I have two old servers with Plesk 10.4.4 and 11.0.9 (qmail is installed) and I can find these logs on both. Now I'm on 17.5.3 u24 and I still find these logs. What should I think?
 
Hi OverWolf,

no, these massive existing log entries in "syslog", for example, as described by you, are not "normal" and are also not Plesk related or caused by Plesk. This rather points to bots/scripts or even brute force attacks, which you definitely should investigate to eliminate them.
 
Hi UFHH01,
I've investigated and I found the problem. It's a daily cron job from Plesk, in particular 50plesk-daily:
Code:
# install_statistics
/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php >/dev/null 2>&1

# install_mysqldump
/usr/local/psa/bin/mysqldump.sh >/dev/null 2>&1
In fact my flood of session log entries for popuser starts a few seconds after this script is called and finishes before the same script is finished.

In practice I have this popuser flow over the script's running time. So I think that it's Plesk related.
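The pattern the two posts above describe (a burst of root-initiated `su` sessions to popuser every couple of seconds, confined to the window in which the daily cron job runs) can be checked mechanically rather than by eyeballing syslog. The script below is an added example written for this thread; it is not code from Plesk or from either poster. It parses the pam_unix `su-l` session lines quoted earlier, groups them into bursts, and for each burst reports whether it was started only by uid 0 and whether it falls entirely inside an assumed maintenance window (03:00 to 04:00, standing in for the cron time seen in the thread). The sample log is constructed: the first six lines are taken from the thread, the later ones are invented to exercise the "investigate" branch (a burst outside the window started by a non-root uid) and to show that unrelated lines are ignored.

```python
"""Triage bursts of `su` session open/close entries in a syslog extract.

Added example for the thread; not Plesk code. Verdicts are a triage aid only:
"scheduled-maintenance" means the burst looks like the cron-driven pattern the
thread identifies, "investigate" means it does not fit that pattern.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set

# Matches the pam_unix(su-l:session) lines quoted in the thread. The field after
# the timestamp is the syslog hostname (just "95" on the poster's box).
SU_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) su: pam_unix\(su-l:session\): session "
    r"(?P<action>opened|closed) for user (?P<user>\S+)"
    r"(?: by \(uid=(?P<uid>\d+)\))?$"
)

# Assumed maintenance window: the daily Plesk cron slot observed in the thread.
MAINT_WINDOW = (time(3, 0), time(4, 0))


@dataclass
class SuEvent:
    when: datetime
    host: str
    action: str            # "opened" or "closed"
    user: str              # target user of the su
    by_uid: Optional[int]  # initiating uid; only present on "opened" lines


@dataclass
class Burst:
    start: datetime
    end: datetime
    opens: int
    uids: Set[int]


def parse_su_line(line: str, year: Optional[int] = None) -> Optional[SuEvent]:
    """Return an SuEvent for a matching line, else None (other syslog lines)."""
    m = SU_LINE.match(line.strip())
    if not m:
        return None
    year = year or datetime.now().year  # syslog timestamps carry no year
    when = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S")
    uid = m["uid"]
    return SuEvent(when, m["host"], m["action"], m["user"],
                   int(uid) if uid is not None else None)


def find_bursts(events: List[SuEvent], user: str, max_gap: float = 60.0) -> List[Burst]:
    """Group a user's su events into bursts; a silence longer than max_gap seconds ends one."""
    bursts: List[Burst] = []
    for e in sorted((e for e in events if e.user == user), key=lambda e: e.when):
        if bursts and (e.when - bursts[-1].end).total_seconds() <= max_gap:
            b = bursts[-1]
        else:
            b = Burst(start=e.when, end=e.when, opens=0, uids=set())
            bursts.append(b)
        b.end = e.when
        if e.action == "opened":
            b.opens += 1
            b.uids.add(e.by_uid)
    return bursts


def classify(b: Burst, window=MAINT_WINDOW) -> str:
    """Root-only bursts fully inside the maintenance window match the cron pattern."""
    in_window = (window[0] <= b.start.time() < window[1]
                 and window[0] <= b.end.time() < window[1])
    root_only = b.uids == {0}
    if in_window and root_only:
        return "scheduled-maintenance"
    if not root_only:
        return "investigate: non-root initiator"
    return "investigate: outside maintenance window"


def triage(log_text: str, user: str = "popuser", year: Optional[int] = None,
           max_gap: float = 60.0, window=MAINT_WINDOW) -> List[dict]:
    """Parse a syslog extract and return one summary row per burst of su sessions."""
    events = [e for e in (parse_su_line(l, year) for l in log_text.splitlines()) if e]
    rows = []
    for b in find_bursts(events, user, max_gap):
        rows.append({
            "start": b.start.strftime("%b %d %H:%M:%S"),
            "end": b.end.strftime("%b %d %H:%M:%S"),
            "opens": b.opens,
            "duration_s": (b.end - b.start).total_seconds(),
            "uids": sorted(b.uids),
            "verdict": classify(b, window),
        })
    return rows


# Constructed sample: first six lines from the thread, the rest invented.
SAMPLE_LOG = """\
Oct 9 03:23:18 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:20 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:20 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:22 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 03:23:22 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Oct 9 03:23:25 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 14:10:01 95 sshd[2211]: Accepted publickey for admin from 203.0.113.7 port 51022 ssh2
Oct 9 14:10:05 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=1001)
Oct 9 14:10:07 95 su: pam_unix(su-l:session): session closed for user popuser
Oct 9 14:10:07 95 su: pam_unix(su-l:session): session opened for user popuser by (uid=1001)
Oct 9 14:10:09 95 su: pam_unix(su-l:session): session closed for user popuser
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run it against a real extract with `triage(open("/var/log/secure").read(), year=2017)` (the year must be supplied because syslog timestamps omit it). The window and the 60-second gap are tunable; the useful signal is the contrast between root-initiated bursts that sit inside the cron slot and anything else, which is exactly the distinction the thread arrives at by hand.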
 
Hi,

is it possible to know what this script (50plesk-daily) does? So I can investigate what generates this flood of requests.

Thank you
 
Hi UFHH01,
thank you. I've checked the "How to", and I've found the problem that generates this flood. It's the first task:
Code:
/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php -fCheckForUpdates

I've tried to delete the weekly notification email from the System Update panel, but the flood still persists. What can I do?

If this can help, I've unticked "Automatically install Plesk updates (Recommended)" and "Automatically install system package updates". I have only checked "Enable safe updates for system packages". Is this the problem?

Edit: I've tried another task, and I have the same flood of popuser. I don't understand. I'm on CentOS 7.4 but this problem was present when I was on 7.3. Actually, it's been present since the first installation (upgrade) of Plesk.
 
Hi OverWolf,

apart from the (temporary) "flood" (as you call it) that you described above, which issues/errors/problems do you experience?
 
Hi UFHH01,

until now I don't see any issues or problems. Only this "flood". And as I wrote, it's present on the other servers, 11.0.9 (CentOS 6.8) and 10.4.4 (CentOS 6.7), too.

Plesk shows me updates for the system and for itself. I haven't looked yet at the other parts of the task.
 
Hi OverWolf,

as there are no issues/errors/problems, I marked this thread as solved. No need for any actions or resolutions.
 
Hi,
I have probably found the "problem" behind this flood of popuser entries. As I read on this forum, Atomicorp • View topic - Multiple log entries: "session opened for user popuser", this "problem" has been present for many years and, as I found on my server, it depends on a Plesk script.

In particular, it's the processes sa-learn and spamtrain, which check every mailbox to "learn" more about spam. But if I trash every email tagged as spam, how can these processes learn? So my question is: is there a possibility to disable these scripts?

I have read this: High CPU usage for "sa-learn" and "spamtrain" processes, but the article doesn't talk about disabling them.
 