Re: unix question: unknown user logged in? hacked?

Manuel Arostegui Ramirez wrote:
On Friday, 20 April 2007 22:42, Mike Wright wrote:

Hi all,

There is a mystery user on a remote system that I can't identify.  I
want to be sure that it's not an uninvited guest :(  If anybody is
willing to help I'd be most appreciative.

Running fc6, but I don't think it's relevant, although it may be.

The box is at a remote location and I access it via ssh.  When I run
"top" it shows 2 users, but when I run "who" it shows only one, me, from
my remote location.

At first I thought it might have been a left open login on one of the
mingetty's so I disabled them all in inittab and changed runlevels from
3 to 4 and saw that all the mingetty's were gone (I think that should
logout anybody on one of those), then returned to runlevel 3 and re-ran
"top".  Still 2 users.

I don't think it can be anybody left over from a previous runlevel 5.

I ran "ps auxf" and went over it line by line and couldn't find any
other bash sessions than my current remote login on pts/0.

Anybody know how to identify the second user shown by top?

I'm very paranoid about hackers/owners/skiddies and this definitely has
my ears perked up.

Thanks in advance for any tips or ideas,
Mike Wright :m)


What does lastlog say?
What about cat /var/log/secure?


Thanks for the tip, Manuel. I never knew about "lastlog" but it showed that it was another connection from me that had somehow been broken, probably by a network timeout, and exists on pty/1. Now that I know who it is and am not worried about that anymore, how do I kill that dead connection? It doesn't show up using "ps".

Any more magic?

Thanks,
:m)
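
Added example, not part of the original thread: a Python check that reads raw utmp login records and reports sessions whose login process no longer exists, which is one way a user count can include a connection that "ps" cannot show. It assumes the 384-byte glibc utmp record layout of Linux x86/x86_64 and that the extra user is such a leftover record; make_record and the sample values used with it are constructed for illustration.

```python
import os
import struct
from collections import namedtuple

# Assumed layout: glibc "struct utmp" on Linux x86/x86_64, 384 bytes per record.
UTMP = struct.Struct("hi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type value for a logged-in user session
Session = namedtuple("Session", "user line host pid")

def _text(raw):
    """Decode a NUL-padded fixed-width utmp field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return a Session for every USER_PROCESS record in raw utmp bytes."""
    sessions = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        ut_type, pid, line, _id, user, host = UTMP.unpack_from(data, off)[:6]
        if ut_type == USER_PROCESS and user.strip(b"\0"):
            sessions.append(Session(_text(user), _text(line), _text(host), pid))
    return sessions

def pid_alive(pid):
    """True if a process with this PID exists (signal 0 only probes)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True

def stale_sessions(data, alive=pid_alive):
    """Sessions still recorded in utmp whose login process is gone."""
    return [s for s in parse_utmp(data) if not alive(s.pid)]

def make_record(user, line, host, pid, ut_type=USER_PROCESS):
    """Build one constructed utmp record for offline testing."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    path = "/var/run/utmp"
    data = open(path, "rb").read() if os.path.exists(path) else b""
    for s in stale_sessions(data):
        print(f"stale: {s.user} on {s.line} from {s.host or '-'} (pid {s.pid} gone)")
```

A record reported here with a source address you do not recognise deserves a look in /var/log/secure before it is dismissed as a dropped connection.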

