Parabol
Contributor

messages logs on our management server show actions from my account that I am not doing.

Hello! Quite a strange one, I happened to be looking into the /var/log/messages of our management server, and I saw continuous log entries from my own user account (let's call it "Bob"), seemingly running two different commands on repeat at different hours of the day. The commands running look to be "ver" and "show web ssl-port".

There doesn't look to be a pattern in the interval it occurs. It might not happen for a few hours, then it'll spam over several hours. I don't have any scripts running that I am aware of. In the secure logs, there are no suspicious authentication entries from my account. So this session must have been open for a long time.

Has anybody seen anything like this before? All I can imagine is that an old session is stuck or something like this, and it is randomly cycling through these commands... so strange. And it goes back as far as I can see in "messages.10" from August.

Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6400 t
Oct 3 00:31:34 2023 MgmtServer clish[6400]: User bob running clish -c with ReadWrite permission
Oct 3 00:31:34 2023 MgmtServer clish[6400]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:34 2023 MgmtServer clish[6400]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6400
Oct 3 00:31:34 2023 MgmtServer clish[6400]: User bob finished running clish -c from CLI shell
Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6399 t
Oct 3 00:31:34 2023 MgmtServer clish[6399]: User bob running clish -c with ReadWrite permission
Oct 3 00:31:34 2023 MgmtServer clish[6399]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:34 2023 MgmtServer clish[6399]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6399
Oct 3 00:31:34 2023 MgmtServer clish[6399]: User bob finished running clish -c from CLI shell
Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6421 t
Oct 3 00:31:34 2023 MgmtServer clish[6421]: User bob running clish -c with ReadWrite permission
Oct 3 00:31:34 2023 MgmtServer clish[6421]: cmd by bob: Start executing : ver (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:34 2023 MgmtServer clish[6421]: cmd by bob: Processing : ver (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:34 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6421
Oct 3 00:31:34 2023 MgmtServer clish[6421]: User bob finished running clish -c from CLI shell
Oct 3 00:31:35 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:6516 t
Oct 3 00:31:35 2023 MgmtServer clish[6516]: User bob running clish -c with ReadWrite permission
Oct 3 00:31:35 2023 MgmtServer clish[6516]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:35 2023 MgmtServer clish[6516]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)
Oct 3 00:31:35 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:6516
Oct 3 00:31:35 2023 MgmtServer clish[6516]: User bob finished running clish -c from CLI shell


Aug 30 15:13:05 2023 MgmtServer clish[27479]: cmd by bob: Processing : ver (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:05 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27479
Aug 30 15:13:05 2023 MgmtServer clish[27479]: User bob finished running clish -c from CLI shell
Aug 30 15:13:06 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:27513 t
Aug 30 15:13:06 2023 MgmtServer clish[27513]: User bob running clish -c with ReadWrite permission
Aug 30 15:13:06 2023 MgmtServer clish[27513]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:06 2023 MgmtServer clish[27513]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:06 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27513
Aug 30 15:13:06 2023 MgmtServer clish[27513]: User bob finished running clish -c from CLI shell
Aug 30 15:13:07 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:27540 t
Aug 30 15:13:07 2023 MgmtServer clish[27540]: User bob running clish -c with ReadWrite permission
Aug 30 15:13:07 2023 MgmtServer clish[27540]: cmd by bob: Start executing : show web ... (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:07 2023 MgmtServer clish[27540]: cmd by bob: Processing : show web ssl-port (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:07 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27540
Aug 30 15:13:07 2023 MgmtServer clish[27540]: User bob finished running clish -c from CLI shell
Aug 30 15:13:13 2023 MgmtServer xpand[7609]: bob localhost t +volatile:clish:bob:27624 t
Aug 30 15:13:13 2023 MgmtServer clish[27624]: User bob running clish -c with ReadWrite permission
Aug 30 15:13:13 2023 MgmtServer clish[27624]: cmd by bob: Start executing : ver (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:13 2023 MgmtServer clish[27624]: cmd by bob: Processing : ver (cmd md5: fdsf3334234324esfsd)
Aug 30 15:13:13 2023 MgmtServer xpand[7609]: bob localhost t -volatile:clish:bob:27624
I appreciate any thoughts!

Thanks

0 Kudos
2 Replies
PhoneBoy
Admin

Recommend a TAC case to investigate this: https://help.checkpoint.com 

0 Kudos
Ian
Employee

Running a "watch api status" for a few seconds produces this exact same set of log messages.

0 Kudos
