Did not make any password change but keep getting this event log.
regards,
kuenn
Administrator root: Reset password on account "xxxxxx" 2016-06-25 00:17:52
Administrator root: Reset password on account "xxxxxx" 2016-06-25 00:14:21
Administrator root: Updated settings on account "xxxxxx" 2016-06-24 23:36:33
Administrator root: Reset password on account "xxxxxx" 2016-06-24 23:36:33
Administrator root: Updated settings on account "xxxxxx" 2016-06-24 19:24:39
Administrator root: Reset password on account "xxxxxx" 2016-06-24 19:24:39
Administrator root: Updated settings on account "xxxxxx" 2016-06-24 19:24:30
Administrator root: Reset password on account "xxxxxx" 2016-06-24 19:24:30
Responses (2)
Accepted Answer
Since there have been no replies, I will take a stab at this, which might give you something to research...
1) Password Policies app installed with a very short maximum password age
2) System compromised
3) You don't say which ClearOS version you are running. On an earlier version a password would be revoked if there were too many failed logon attempts. This situation was often the result of intruders trying to log in using a dictionary attack. Not sure if this is still the case...
4) Check some of the other logs such as /var/log/audit/audit.log etc. for activity at the times the passwords were reset.
Accepted Answer
That's an interesting one.
I added that audit trail to the event logging system (which is where you're seeing it) about a month ago. The code was added to the users controller (not the API), and I doubt anything uses the controller except webconfig. In other words, it's not password policy or some other code doing it...it's actually the root user via Webconfig. Alas, I have been known to be a) wrong and b) introduce a few bugs in my time, so nothing concrete yet.
You can track down where the Webconfig request comes from...drop to command line and run:
grep "POST /app/users/edit/" /var/log/webconfig/access_log*
You will see which IP made the change. It will be interesting to know if it's a LAN IP or coming from outside (provided you have port 81 open).
B.
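An added example, not part of the replies above and not ClearOS code: it lines up the "Reset password" event times with `POST /app/users/edit/` entries from the Webconfig access log and labels each source IP as LAN or external. It assumes the access log uses the Apache common/combined format, that both logs are in server-local time, and that the LAN uses RFC 1918 addresses; the sample log lines and IPs are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: Apache common/combined log format in /var/log/webconfig/access_log*
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST (?P<path>/app/users/edit/\S*) [^"]*" (?P<status>\d{3})')
# Assumption: LAN is RFC 1918 space plus loopback; replace with your own subnets.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_posts(lines):
    """Yield (time, ip, path, status) for each POST to /app/users/edit/."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the UTC offset: event-log times are assumed to be local time too.
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        yield ts, m["ip"], m["path"], int(m["status"])

def origin(ip):
    """Classify a source address as 'LAN' or 'external'."""
    addr = ipaddress.ip_address(ip)
    return "LAN" if any(addr in net for net in LAN_NETS) else "external"

def correlate(event_times, access_lines, window=timedelta(seconds=5)):
    """Map each event time to the Webconfig POSTs seen within +/- window."""
    posts = list(parse_posts(access_lines))
    result = {}
    for ev in event_times:
        t = datetime.strptime(ev, "%Y-%m-%d %H:%M:%S")
        result[ev] = [(ip, origin(ip), status)
                      for ts, ip, _path, status in posts if abs(ts - t) <= window]
    return result

# Constructed sample data: event times from the post, invented access-log lines.
EVENTS = ["2016-06-25 00:17:52", "2016-06-24 23:36:33", "2016-06-24 19:24:30"]
SAMPLE_ACCESS = [
    '192.168.1.50 - - [24/Jun/2016:19:20:00 -0400] "GET /app/users HTTP/1.1" 200 5120',
    '192.168.1.50 - - [24/Jun/2016:19:24:30 -0400] "POST /app/users/edit/xxxxxx HTTP/1.1" 302 -',
    '203.0.113.7 - - [25/Jun/2016:00:17:51 -0400] "POST /app/users/edit/xxxxxx HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for ev, hits in correlate(EVENTS, SAMPLE_ACCESS).items():
        print(ev, hits or "no matching Webconfig POST")
```

An event with no matching POST suggests the change did not come through the Webconfig users controller, which is worth following up in the other logs mentioned above.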