# Confused by Logwatch



## Red_Cat (Jul 29, 2012)

For the last week or so Logwatch has been reporting root logins from TTYv0 when I have not logged in from the console. SSH is allowed only from the local network. The server is in the basement of my house and no one else knows the root login password. It also shows reboots and shutdowns that have not occurred. Here's a sample from the last few days:

```
July 25
**Unmatched Entries**
    login: ROOT LOGIN (root) ON ttyv0: 8 Time(s)
    login: login on ttyv0 as root: 8 Time(s)
    shutdown: reboot by root: : 8 Time(s)

July 29
**Unmatched Entries**
    login: ROOT LOGIN (root) ON ttyv0: 2 Time(s)
    login: login on ttyv0 as root: 2 Time(s)
    shutdown: power-down by root: : 1 Time(s)
```

Yet uptime(1) this morning shows:

```
# uptime
10:07AM  up 48 days,  8:45, 1 user, load averages: 0.00, 0.00, 0.00
```

And last(1) shows:

```
# last
conrade          pts/0    10.0.0.105       Sun Jul 29 09:45   still logged in
conrade          pts/0    10.0.0.105       Wed Jul 25 21:04 - 21:05  (00:01)
conrade          pts/0    10.0.0.105       Wed Jul 25 19:56 - 20:59  (01:03)
conrade          pts/0    10.0.0.105       Tue Jul 24 06:13 - 06:55  (00:41)
conrade          ftp      10.0.0.105       Tue Jul 24 06:07 - 06:13  (00:05)
conrade          ftp      10.0.0.105       Tue Jul 24 06:07 - 06:32  (00:24)
root             ttyv0                     Sat Jul 14 09:27 - 09:27  (00:00)  <-- This was me
conrade          ftp      10.0.0.105       Fri Jul 13 17:17 - 17:18  (00:01)
conrade          pts/0    10.0.0.105       Fri Jul 13 17:14 - 17:26  (00:12)
conrade          ftp      10.0.0.105       Fri Jul 13 17:09 - 17:11  (00:01)
conrade          ftp      10.0.0.105       Fri Jul 13 17:08 - 17:24  (00:15)
conrade          pts/0    10.0.0.105       Wed Jul 11 06:04 - 06:04  (00:00)
```

I have changed the root password, and I can find no evidence of any logins in the logs that I know to look at (relative noob when it comes to FreeBSD). I am perplexed by this, and if anyone here has any thoughts on how to get to the bottom of this, I would be thankful.


----------

