unix question: unknown user logged in? hacked?

Mike Wright xktnniuymlla at mailinator.com
Fri Apr 20 21:04:17 UTC 2007


Manuel Arostegui Ramirez wrote:
> On Friday, 20 April 2007 22:42, Mike Wright wrote:
> 
>>Hi all,
>>
>>There is a mystery user on a remote system that I can't identify.  I
>>want to be sure that it's not an uninvited guest :(  If anybody is
>>willing to help I'd be most appreciative.
>>
>>Running fc6, but I don't think it's relevant, although it may be.
>>
>>The box is at a remote location and I access it via ssh.  When I run
>>"top" it shows 2 users, but when I run "who" it shows only one, me, from
>>my remote location.
>>
>>At first I thought it might have been a left open login on one of the
>>mingetty's so I disabled them all in inittab and changed runlevels from
>>3 to 4 and saw that all the mingetty's were gone (I think that should
>>logout anybody on one of those), then returned to runlevel 3 and re-ran
>>"top".  Still 2 users.
>>
>>I don't think it can be anybody left over from a previous runlevel 5.
>>
>>I ran "ps auxf" and went over it line by line and couldn't find any
>>other bash sessions than my current remote login on pts/0.
>>
>>Anybody know how to identify the second user shown by top?
>>
>>I'm very paranoid about hackers/owners/skiddies and this definitely has
>>my ears perked up.
>>
>>Thanks in advance for any tips or ideas,
>>Mike Wright :m)
> 
> 
> What does lastlog say?
> What about cat /var/log/secure?
> 

Thanks for the tip, Manuel.  I never knew about "lastlog" but it showed 
that it was another connection from me that had somehow been broken, 
probably by a network timeout, and exists on pty/1.  Now that I know who 
it is and am not worried about that anymore, how do I kill that dead 
connection?  It doesn't show up using "ps".

Any more magic?

Thanks,
:m)
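
Added example, not part of the original thread: a login that is counted as a user but has no process in "ps" is consistent with a leftover record in utmp. The Python below parses utmp records and flags login sessions whose recorded PID no longer exists; the 384-byte glibc Linux record layout is an assumption, and the sample records and helper names are constructed for illustration.

```python
import os
import struct

# One glibc Linux utmp record, 384 bytes (assumed layout): ut_type, ut_pid,
# ut_line, ut_id, ut_user, ut_host, exit status, session, timeval, addr, pad.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a login session, the kind counted as a "user"


def pid_alive(pid):
    """True if the process exists; signal 0 only tests for existence."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def _text(field):
    # Fixed-width fields are NUL-padded; keep only the part before the first NUL.
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def sessions(raw, alive=pid_alive):
    """Return (user, line, pid, stale) for each login record in raw utmp bytes."""
    found = []
    for off in range(0, len(raw) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(raw, off)
        if rec[0] == USER_PROCESS:
            found.append((_text(rec[4]), _text(rec[2]), rec[1], not alive(rec[1])))
    return found


def make_record(ut_type, pid, line, user):
    """Pack one constructed record (sample data for the demonstration)."""
    return UTMP.pack(ut_type, pid, line, b"", user, b"", *([0] * 9), b"")


if __name__ == "__main__":
    # Constructed sample: a live login on pts/0, a leftover one on pts/1.
    sample = make_record(7, 4242, b"pts/0", b"mike") + make_record(7, 4243, b"pts/1", b"mike")
    for user, line, pid, stale in sessions(sample, alive=lambda p: p == 4242):
        print(f"{user:8} {line:8} pid={pid:<6} {'STALE' if stale else 'live'}")
```

To inspect a real host, read the bytes of /var/run/utmp and pass them to sessions() with the default liveness check.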
