
kuenn leow
Resolved
0 votes
I did not make any password change, but I keep getting this event log.

regards,
kuenn


Administrator root: Reset password on account "xxxxxx" 2016-06-25 00:17:52
Administrator root: Reset password on account "xxxxxx" 2016-06-25 00:14:21
Administrator root: Updated settings on account "xxxxxx" 2016-06-24 23:36:33
Administrator root: Reset password on account "xxxxxx" 2016-06-24 23:36:33
Administrator root: Updated settings on account "xxxxxx" 2016-06-24 19:24:39
Administrator root: Reset password on account "xxxxxx" 2016-06-24 19:24:39
Administrator root: Updated settings on account "xxxxxx" 2016-06-24 19:24:30
Administrator root: Reset password on account "xxxxxx" 2016-06-24 19:24:30
In Users
Sunday, June 26 2016, 08:57 AM
Responses (2)
  • Accepted Answer

    Monday, June 27 2016, 01:51 AM - #Permalink
    Resolved
    0 votes
    Since there have been no replies, I will take a stab at this, which might give you something to research...

    1) Password Policies app installed with a very short maximum password age

    2) System compromised

    3) You don't say which ClearOS version you are running. On an earlier version a password would be revoked if there were too many failed logon attempts. This situation was often the result of intruders trying to login using a dictionary attack. Not sure if this is still the case...

    4) Check some of the other logs such as /var/log/audit/audit.log etc for activity at the times the passwords were reset.
  • Accepted Answer

    Monday, June 27 2016, 01:55 PM - #Permalink
    Resolved
    0 votes
    That's an interesting one.

    I added that audit trail to the event logging system (which is where you're seeing it) about a month ago. The code was added to the users controller (not the API), and I doubt anything uses the controller except webconfig. In other words, it's not password policy or some other code doing it...it's actually the root user via Webconfig. Alas, I have been known to be a) wrong and b) to introduce a few bugs in my time, so nothing concrete yet.

    You can track down where the Webconfig request comes from...drop to command line and run:

    grep "POST /app/users/edit/" /var/log/webconfig/access_log*

    You will see which IP made the change. It will be interesting to know if it's a LAN IP or coming from outside (provided you have port 81 open).

    B.
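As an added example (not code from the forum or from ClearOS), the script below automates the check in the reply above: it assumes the webconfig access_log uses Apache combined format, extracts the POST /app/users/edit/ requests, correlates each event-log timestamp from the question with the requesting IP, and labels RFC 1918 addresses as LAN versus anything else as external. The log lines and timestamps are constructed samples.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample of /var/log/webconfig/access_log (Apache combined format assumed).
ACCESS_LOG = """\
192.168.1.20 - - [24/Jun/2016:19:24:30 +0800] "POST /app/users/edit/xxxxxx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [24/Jun/2016:19:24:39 +0800] "POST /app/users/edit/xxxxxx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [24/Jun/2016:20:01:02 +0800] "GET /app/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [25/Jun/2016:00:14:21 +0800] "POST /app/users/edit/xxxxxx HTTP/1.1" 200 512 "-" "curl/7.47.0"
203.0.113.45 - - [25/Jun/2016:00:17:52 +0800] "POST /app/users/edit/xxxxxx HTTP/1.1" 200 512 "-" "curl/7.47.0"
"""

# Constructed copy of the "Reset password" timestamps from the event log in the question.
EVENT_TIMES = ["2016-06-24 19:24:30", "2016-06-24 19:24:39",
               "2016-06-25 00:14:21", "2016-06-25 00:17:52"]

# client_ip, [timestamp tz], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# RFC 1918 ranges; ipaddress.is_private is too broad here (it also covers documentation nets).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)

def parse_edits(log_text, path_prefix="/app/users/edit/"):
    """Return (ip, local datetime, path, status) for every POST to the users edit page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        if method != "POST" or not path.startswith(path_prefix):
            continue
        # Drop the UTC offset: the event log in the question is in server local time as well.
        when = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        hits.append((ip, when, path, int(status)))
    return hits

def correlate(hits, event_times, window_seconds=5):
    """For each event-log timestamp, list the (ip, 'LAN'|'EXTERNAL') of POSTs within the window."""
    result = {}
    for ts in event_times:
        ev = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        near = [h for h in hits if abs((h[1] - ev).total_seconds()) <= window_seconds]
        result[ts] = [(h[0], "LAN" if is_lan(h[0]) else "EXTERNAL") for h in near]
    return result

if __name__ == "__main__":
    for ts, sources in correlate(parse_edits(ACCESS_LOG), EVENT_TIMES).items():
        print(ts, sources or "no matching webconfig request")
```

An event timestamp with no matching POST from webconfig points away from the web UI and back at the other logs suggested in the first reply.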