unix question: unknown user logged in? hacked?
Aaron Konstam
akonstam at sbcglobal.net
Sat Apr 21 11:09:50 UTC 2007
On Fri, 2007-04-20 at 13:42 -0700, Mike Wright wrote:
> Hi all,
>
> There is a mystery user on a remote system that I can't identify. I
> want to be sure that it's not an uninvited guest :( If anybody is
> willing to help I'd be most appreciative.
>
> Running fc6, but I don't thinks it's relevant, although it may be.
>
> The box is at a remote location and I access it via ssh. When I run
> "top" it shows 2 users, but when I run "who" it shows only one, me, from
> my remote location.
>
> At first I thought it might have been a left open login on one of the
> mingetty's so I disabled them all in inittab and changed runlevels from
> 3 to 4 and saw that all the mingetty's were gone (I think that should
> logout anybody on one of those), then returned to runlevel 3 and re-ran
> "top". Still 2 users.
>
> I don't think it can be anybody left over from a previous runlevel 5.
>
> I ran "ps auxf" and went over it line by line and couldn't find any
> other bash sessions than my current remote login on pts/0.
>
> Anybody know how to identify the second user shown by top?
>
> I'm very paranoid about hackers/owners/skiddies and this definitely has
> my ears perked up.
>
> Thanks in advance for any tips or ideas,
> Mike Wright :m)
>
My top says there are only one user. But does it identify a name for
this second user in top. That is do you find and programs listed in top
running by any other user except yourself and root?
More information about the fedora-list
mailing list