Here are log entries I found in auth.log. What does + ??? mean? And was there an unauthorized access?
Feb 11 07:48:32 tts-server su[31265]: Successful su for www-data by root
Feb 11 07:48:32 tts-server su[31265]: + ??? root:www-data
Feb 11 07:48:32 tts-server su[31265]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 11 07:48:32 tts-server su[31265]: pam_unix(su:session): session closed for user www-data
Feb 11 07:48:32 tts-server su[31275]: Successful su for www-data by root
Feb 11 07:48:32 tts-server su[31275]: + ??? root:www-data
Feb 11 07:48:32 tts-server su[31275]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 11 07:48:32 tts-server su[31275]: pam_unix(su:session): session closed for user www-data
Feb 12 09:46:27 tts-server su[11208]: Successful su for www-data by root
Feb 12 09:46:27 tts-server su[11208]: + ??? root:www-data
Feb 12 09:46:27 tts-server su[11208]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 12 09:46:27 tts-server su[11208]: pam_unix(su:session): session closed for user www-data
Feb 12 09:46:27 tts-server su[11222]: Successful su for www-data by root
Feb 12 09:46:27 tts-server su[11222]: + ??? root:www-data
Feb 12 09:46:27 tts-server su[11222]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 12 09:46:27 tts-server su[11222]: pam_unix(su:session): session closed for user www-data
Feb 13 12:25:41 tts-server su[22032]: Successful su for www-data by root
Feb 13 12:25:41 tts-server su[22032]: + ??? root:www-data
Feb 13 12:25:41 tts-server su[22032]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 13 12:25:41 tts-server su[22032]: pam_unix(su:session): session closed for user www-data
Feb 13 12:25:41 tts-server su[22043]: Successful su for www-data by root
Feb 13 12:25:41 tts-server su[22043]: + ??? root:www-data
Feb 13 12:25:41 tts-server su[22043]: pam_unix(su:session): session opened for user www-data by (uid=0)
Feb 13 12:25:41 tts-server su[22043]: pam_unix(su:session): session closed for user www-data
Those are probably from a cron job. From
Securing Debian Manual. Chapter 11 - Frequently asked Questions (FAQ)