multiple root to user sessions opened showing in logwatch? process or hacked?


my logwatch is showing lots of sessions being opened by root for all the users on the server. an example of my logwatch is:

——————— pam_unix Begin ————————

Sessions Opened:
root -> userA: 255 Time(s)
root -> userB: 136 Time(s)
root -> userC: 75 Time(s)
root -> userD: 75 Time(s)
root -> userE: 30 Time(s)

———————- pam_unix End ————————-

in my security log it’s showing lts of these lines:

Feb 20 00:12:41 srv su: pam_unix(su-l:session): session opened for user admin by (uid=0)
Feb 20 00:12:41 srv su: pam_unix(su-l:session): session closed for user admin
this only started showing up in my logwatch last tuesday 14 february. i’ve not seen it before but coincidently this would have been around the time i updated directadmin with custombuild i think.

is this just a process on the server running under root doing this that is suddenly being logged in logwatch or is this potentially something suspicious and someone has root access?

any advice greatfully appreciated!