Unexpected “Change of logged-in user: Add:1” alert from aaPanel – no SSH or panel logins
Today I received a security alarm email from aaPanel with the following message:
aaPanel safety alarm
Server: aaPanel Linux panel
IPAddress: 127.0.0.1 (Internet) 192.168.1.2 (Internal)
SendingTime: 2025-10-12 09:19:03
Change of logged-in user: Total:1, Add:1, Delete:0
Here’s what I’ve already confirmed:
• I have disabled all SSH logins (no password or key logins are allowed).
• There are no other aaPanel web users or login records — only my own admin account exists.
• The server does have a local private IP address (192.168.1.2), which I know is just the internal interface.
My question is:
Does this alert mean that a new system-level Linux user account was created (e.g. by a service or software), or that a new aaPanel panel user was added internally?
If it’s a system-level user, how can I check which process created it and whether it’s safe?
Any advice or explanation would be appreciated.
Thank you!
