strange su entry in auth.log

vai0l0 · n00b Joined: 14 Nov 2003 Posts: 21

I've setup a new box all is update and I'm using virtualmin to create virtual mail e webhosting

I've seen a lot of
Jul 26 00:00:01 brand su[3392]: + ??? root-vibispa
Jul 26 00:00:02 brand su[3394]: + ??? root-vibispa
Jul 26 00:06:01 brand su[3400]: + ??? root-nesa
Jul 26 00:07:01 brand su[3406]: + ??? root-cnalombardia
Jul 26 00:07:02 brand su[3408]: + ??? root-tifotop
Jul 26 00:07:02 brand su[3410]: + ??? root-cnalombardia
Jul 26 00:07:02 brand su[3412]: + ??? root-tifotop
Jul 26 00:10:01 brand su[3437]: + ??? root-agenziabrand
Jul 26 00:10:01 brand su[3439]: + ??? root-agenziabrand
Jul 26 00:11:01 brand su[3443]: + ??? root-ctecnica
Jul 26 00:15:02 brand su[3466]: + ??? root-biostate
Jul 26 00:15:02 brand su[3468]: + ??? root-byab
Jul 26 00:15:02 brand su[3470]: + ??? root-byab
Jul 26 00:15:02 brand su[3472]: + ??? root-biostate
Jul 26 00:17:01 brand su[3503]: + ??? root-kaosteam
Jul 26 00:17:01 brand su[3505]: + ??? root-kaosteam
Jul 26 00:18:02 brand su[3509]: + ??? root-blueprintspa
Jul 26 00:18:02 brand su[3511]: + ??? root-blueprintspa
in auth.log

the name after root- are current virtual domain the users root-XXXX does not exist
Any hint?
I've checked in the log for successful login on sshd and I see established connection only for myself

I've now installed logsentry and portsentry and anthing has been showed up