On Fri, 2007-04-20 at 14:04 -0700, Mike Wright wrote: > Manuel Arostegui Ramirez wrote: > > El Viernes, 20 de Abril de 2007 22:42, Mike Wright escribió: > > > >>Hi all, > >> > >>There is a mystery user on a remote system that I can't identify. I > >>want to be sure that it's not an uninvited guest :( If anybody is > >>willing to help I'd be most aprpreciative. > >> > >>Running fc6, but I don't thinks it's relevant, although it may be. > >> > >>The box is at a remote location and I access it via ssh. When I run > >>"top" it shows 2 users, but when I run "who" it shows only one, me, from > >>my remote location. > >> > >>At first I thought it might have been a left open login on one of the > >>mingetty's so I disabled them all in inittab and changed runlevels from > >>3 to 4 and saw that all the mingetty's were gone (I think that should > >>logout anybody on one of those), then returned to runlevel 3 and re-ran > >>"top". Still 2 users. > >> > >>I don't think it can be anybody left over from a previous runlevel 5. > >> > >>I ran "ps auxf" and went over it line by line and couldn't find any > >>other bash sessions than my current remote login on pts/0. > >> > >>Anybody know how to identify the second user shown by top? > >> > >>I'm very paranoid about hackers/owners/skiddies and this definitely has > >>my ears perked up. > >> > >>Thanks in advance for any tips or ideas, > >>Mike Wright :m) > > > > > > What lastlog says? > > What about cat /var/log/secure? > > > > Thanks for the tip, Manuel. I never knew about "lastlog" but it showed > that it was another connection from me that had somehow been broken, > probably by a network timeout, and exists on pty/1. Now that I know who > it is and am not worried about that anymore, how do I kill that dead > connection? It doesn't show up using "ps". As root, try "ps ax" or "lsof | grep pts/1". ---------------------------------------------------------------------- - Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx - - VitalStream, Inc. http://www.vitalstream.com - - - - BASIC is the Computer Science version of `Scientific Creationism' - ----------------------------------------------------------------------
