Re: unix question: unknown user logged in? hacked?

On Friday, 20 April 2007 23:04, Mike Wright wrote:
> Manuel Arostegui Ramirez wrote:
> > On Friday, 20 April 2007 22:42, Mike Wright wrote:
> >>Hi all,
> >>
> >>There is a mystery user on a remote system that I can't identify.  I
> >>want to be sure that it's not an uninvited guest :(  If anybody is
> >>willing to help I'd be most appreciative.
> >>
> >>Running fc6, but I don't think it's relevant, although it may be.
> >>
> >>The box is at a remote location and I access it via ssh.  When I run
> >>"top" it shows 2 users, but when I run "who" it shows only one, me, from
> >>my remote location.
> >>
> >>At first I thought it might have been a left open login on one of the
> >>mingetty's so I disabled them all in inittab and changed runlevels from
> >>3 to 4 and saw that all the mingetty's were gone (I think that should
> >>logout anybody on one of those), then returned to runlevel 3 and re-ran
> >>"top".  Still 2 users.
> >>
> >>I don't think it can be anybody left over from a previous runlevel 5.
> >>
> >>I ran "ps auxf" and went over it line by line and couldn't find any
> >>other bash sessions than my current remote login on pts/0.
> >>
> >>Anybody know how to identify the second user shown by top?
> >>
> >>I'm very paranoid about hackers/owners/skiddies and this definitely has
> >>my ears perked up.
> >>
> >>Thanks in advance for any tips or ideas,
> >>Mike Wright :m)
> >
> > What lastlog says?
> > What about cat /var/log/secure?
>
> Thanks for the tip, Manuel.  I never knew about "lastlog" but it showed
> that it was another connection from me that had somehow been broken,
> probably by a network timeout, and exists on pty/1.  Now that I know who
> it is and am not worried about that anymore, how do I kill that dead
> connection?  It doesn't show up using "ps".
>
> Any more magic?
>
> Thanks,
>
> :m)

What about using lsof?
lsof /dev/pts/*

You should find out some more information about that dead process.
Bear in mind that if that process is defunct you won't be able to kill it;
just wait for any sort of connection timeout.

Hope that helps.

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
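As an added example that is not part of the thread (neither Mike's nor Manuel's commands), the following POSIX shell script does in one step what the replies above do by hand: it takes the session records that `who` and the "users" count in `top` are derived from, checks whether the login process behind each record still exists, and runs `lsof` against the tty of any record whose process is gone. It assumes the GNU coreutils `who -u` column layout (USER LINE DATE TIME IDLE PID COMMENT) and a Linux `/proc`; the two sample session lines in `demo` are constructed, not real output, and the IP address and "mike" user are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile the login sessions recorded
# in utmp (what `who` lists and what `top` counts as users) with the
# processes that actually own them, to identify a dead session.
#
# Assumes GNU coreutils `who -u`, whose columns are:
#   USER LINE DATE TIME IDLE PID COMMENT
# e.g. "mike  pts/1  2007-04-20 21:10  old  4242 (203.0.113.5)"

# Exit 0 if a PID exists. kill -0 only checks existence, but it fails with
# EPERM for another user's process, so /proc is consulted as a fallback.
pid_alive() {
    kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# Read `who -u` lines on stdin; print one line per session:
#   ALIVE <user> <line> <pid>   or   STALE <user> <line> <pid>
# A STALE entry is a utmp record whose login process no longer exists: it
# still counts as a "user" but has no shell behind it, which is why a session
# can appear in the user count yet be invisible to `ps`.
classify_sessions() {
    while read -r user line _date _time _idle pid _rest; do
        [ -n "$pid" ] || continue
        if pid_alive "$pid"; then
            printf 'ALIVE %s %s %s\n' "$user" "$line" "$pid"
        else
            printf 'STALE %s %s %s\n' "$user" "$line" "$pid"
        fi
    done
}

# Count STALE lines from classify_sessions output on stdin (prints 0 if none).
count_stale() {
    grep -c '^STALE ' || true
}

# For each stale session, show what still holds the tty open. This narrows
# the reply's `lsof /dev/pts/*` to the suspect line; if nothing holds it,
# the record is leftover bookkeeping that expires with the connection timeout.
inspect_stale() {
    classify_sessions | while read -r state user line pid; do
        [ "$state" = STALE ] || continue
        printf '%s on %s: login pid %s is gone; handles on /dev/%s:\n' \
            "$user" "$line" "$pid" "$line"
        lsof "/dev/$line" 2>/dev/null || echo "  (none, or lsof not installed)"
    done
}

# Constructed sample (not real `who -u` output): one live session using this
# shell's own PID, and one dead session with a PID above any valid pid_max.
demo() {
    printf '%s\n' \
        "mike     pts/0        2007-04-20 22:40   .         $$ (203.0.113.5)" \
        "mike     pts/1        2007-04-20 21:10   old   99999999 (203.0.113.5)" \
        | classify_sessions
}

# Stand-alone use against the real session table:  sh stale_sessions.sh --live
if [ "${1:-}" = "--live" ]; then
    who -u | inspect_stale
fi
```

Run with `--live` on the affected box to get one ALIVE/STALE verdict per utmp record and an `lsof` listing for each stale tty; the script never kills anything, it only reports, because a record with no owning process has nothing to kill and will be cleared when the connection times out, as the reply notes.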
