auth.log concern

[pavNell]

Can someone help me and explain these new lines in my auth.log?

Jul 22 12:43:39 myhostname groupadd[3478]: new group: name=crontab, gid=109
Jul 27 27 09:39:01 myhostname cron(pam_unix) [1336]: session opened for user root by (uid=0)
Jul 27 27 09:39:01 myhostname cron(pam_unix) [1336]: session closed for user root
Jul 27 27 10:09:01 myhostname cron(pam_unix) [1441]: session opened for user root by (uid=0)
Jul 27 27 10:09:01 myhostname cron(pam_unix) [1441]: session closed for user root

theres a lot of these and they happen at predictable time intervals. I've never set up a cron job so why the heck is cron running?
Also did a crontab -e for root but there's nothing in there.

Services running:
httpd listening
mysqld listening
sshd listening

and that's it. All my passwords are really long too.
I've also been getting a lot of ssh brute force attacks but I don't think they're related are they?

 

[pavNell]

A bit of info and perhaps an answer. Inside /etc/cron.d there is a file called php4 and it says that it purges session files older than X, where X is defined in seconds as the largest value of session.gc_maxlifetime from all my php.ini files, or 24 minutes is not defined.

the cron line looks like
09,39 * * * * root [ -d /car/lib/php4 ] && find /var/lib/php4 -type f -cmin +$(/usr/lib/php4/maxlifetime) -print0 | xargs -r -0 rm

I guess this is normal. If it is, don't bother replying. I'm just in need of some education.