unix question: unknown user logged in? hacked?

Manuel Arostegui Ramirez manuel at todo-linux.com
Fri Apr 20 20:55:50 UTC 2007


On Friday, 20 April 2007 22:42, Mike Wright wrote:
> Hi all,
>
> There is a mystery user on a remote system that I can't identify.  I
> want to be sure that it's not an uninvited guest :(  If anybody is
> willing to help I'd be most appreciative.
>
> Running fc6, but I don't think it's relevant, although it may be.
>
> The box is at a remote location and I access it via ssh.  When I run
> "top" it shows 2 users, but when I run "who" it shows only one, me, from
> my remote location.
>
> At first I thought it might have been a left open login on one of the
> mingetty's so I disabled them all in inittab and changed runlevels from
> 3 to 4 and saw that all the mingetty's were gone (I think that should
> logout anybody on one of those), then returned to runlevel 3 and re-ran
> "top".  Still 2 users.
>
> I don't think it can be anybody left over from a previous runlevel 5.
>
> I ran "ps auxf" and went over it line by line and couldn't find any
> other bash sessions than my current remote login on pts/0.
>
> Anybody know how to identify the second user shown by top?
>
> I'm very paranoid about hackers/owners/skiddies and this definitely has
> my ears perked up.
>
> Thanks in advance for any tips or ideas,
> Mike Wright :m)

What does lastlog say?
What about cat /var/log/secure?

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
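
An added example, not part of the original posts: the user count in "top" and the listing from "who" both come from login records in utmp (/var/run/utmp on Fedora), so dumping every login record with its PID shows which entry accounts for the second user and whether a live process still backs it. The record layout (glibc struct utmp, 384 bytes, Linux x86/x86_64), the helper names and the sample records are assumptions constructed for this demonstration.

```python
import os
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on Linux x86/x86_64, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type value for a logged-in user session

def pid_alive(pid):
    """True if a process with this PID exists (signal 0 only probes)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # process exists but belongs to another user
    return True

def _text(raw):
    # utmp strings are NUL-padded, not necessarily NUL-terminated
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def login_records(data, alive=pid_alive):
    """Yield one dict per USER_PROCESS record found in raw utmp bytes."""
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        ut_type, pid, line, _id, user, host = f[:6]
        if ut_type != USER_PROCESS:
            continue
        yield {
            "user": _text(user), "line": _text(line), "host": _text(host),
            "pid": pid,
            "since": datetime.fromtimestamp(f[9], timezone.utc),
            "stale": not alive(pid),  # record left behind by a dead session
        }

def make_record(ut_type, pid, line, user, host, when):
    """Build one constructed utmp record for the demo below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, when, 0,
                     0, 0, 0, 0, b"")

if __name__ == "__main__":
    # Constructed sample; on a real host use open("/var/run/utmp", "rb").read()
    sample = (make_record(7, os.getpid(), b"pts/0", b"user1", b"192.0.2.10", 1177102550)
              + make_record(7, 2147483646, b"tty1", b"user1", b"", 1177000000))
    for rec in login_records(sample):
        print(rec)
```

A record marked stale has no process behind it; a record with a live PID that does not match any session you recognise is the one to trace with "ps" and the entries in /var/log/secure.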