Re: unix question: unknown user logged in? hacked?


 



On Fri, 2007-04-20 at 14:04 -0700, Mike Wright wrote:
> Manuel Arostegui Ramirez wrote:
> > On Friday, 20 April 2007 22:42, Mike Wright wrote:
> > 
> >>Hi all,
> >>
> >>There is a mystery user on a remote system that I can't identify.  I
> >>want to be sure that it's not an uninvited guest :(  If anybody is
> >>willing to help I'd be most appreciative.
> >>
> >>Running fc6, but I don't think it's relevant, although it may be.
> >>
> >>The box is at a remote location and I access it via ssh.  When I run
> >>"top" it shows 2 users, but when I run "who" it shows only one, me, from
> >>my remote location.
> >>
> >>At first I thought it might have been a left open login on one of the
> >>mingetty's so I disabled them all in inittab and changed runlevels from
> >>3 to 4 and saw that all the mingetty's were gone (I think that should
> >>logout anybody on one of those), then returned to runlevel 3 and re-ran
> >>"top".  Still 2 users.
> >>
> >>I don't think it can be anybody left over from a previous runlevel 5.
> >>
> >>I ran "ps auxf" and went over it line by line and couldn't find any
> >>other bash sessions than my current remote login on pts/0.
> >>
> >>Anybody know how to identify the second user shown by top?
> >>
> >>I'm very paranoid about hackers/owners/skiddies and this definitely has
> >>my ears perked up.
> >>
> >>Thanks in advance for any tips or ideas,
> >>Mike Wright :m)
> > 
> > 
> > What does lastlog say?
> > What about cat /var/log/secure?
> > 
> 
> Thanks for the tip, Manuel.  I never knew about "lastlog" but it showed 
> that it was another connection from me that had somehow been broken, 
> probably by a network timeout, and exists on pty/1.  Now that I know who 
> it is and am not worried about that anymore, how do I kill that dead 
> connection?  It doesn't show up using "ps".

As root, try "ps ax" or "lsof | grep pts/1".

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-  BASIC is the Computer Science version of `Scientific Creationism' -
----------------------------------------------------------------------
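
The situation in this thread, a login record left behind with no process visible in "ps", can be checked against the login database itself. The following is an added example, not code from anyone in the thread: it parses Linux utmp records and reports user-login entries whose recorded PID no longer exists. Assumptions: the 384-byte glibc x86-64 record layout, constructed sample records, and hypothetical helper names; on a live system the bytes would be read from the utmp file instead.

```python
import os
import struct

# glibc x86-64 `struct utmp` layout (384 bytes); assumed, other platforms differ.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type value for a normal user login

def _text(raw):
    """Strip NUL padding from a fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(data):
    """Decode raw utmp bytes into dicts, ignoring a truncated trailing record."""
    entries = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        entries.append({"type": f[0], "pid": f[1], "line": _text(f[2]),
                        "user": _text(f[4]), "host": _text(f[5]), "time": f[9]})
    return entries

def pid_alive(pid):
    """True if a process with this PID exists (signal 0 only probes)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # process exists but belongs to another user
    return True

def stale_logins(entries, alive=pid_alive):
    """USER_PROCESS records whose login process is gone: leftovers, not live sessions."""
    return [e for e in entries if e["type"] == USER_PROCESS and not alive(e["pid"])]

def make_record(ut_type, pid, line, user, host, when):
    """Build one constructed utmp record for the sample below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)

# Constructed sample: a live login on pts/0 and a leftover record on pts/1.
SAMPLE = (make_record(USER_PROCESS, 4100, "pts/0", "mike", "192.0.2.10", 1177102000)
          + make_record(USER_PROCESS, 3900, "pts/1", "mike", "192.0.2.10", 1177098000))

if __name__ == "__main__":
    running = {4100}  # constructed: pretend only PID 4100 still exists
    for e in stale_logins(parse_utmp(SAMPLE), alive=lambda p: p in running):
        print(f"stale record: {e['user']} on {e['line']} from {e['host']} (pid {e['pid']})")
```

A user-login record whose PID is still alive but which nobody recognises is the case that deserves a closer look in /var/log/secure.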

