  1. #1
    Just Joined!
    Join Date
    Jun 2008
    Posts
    84

    Hacker on my gateway?


    I'm running fully updated Ubuntu 8.04 (as of today).

    I did a "users" out of the blue and saw "root shwick shwick" and I only had two ssh sessions open to my gateway.

    I checked if there was an additional ssh client running, as that is the only thing that I have exposed on the internet side:

    Code:
    root      6069     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
    shwick    6071  6069  0 Dec09 ?        00:00:01 sshd: shwick@pts/0
    root     13731     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
    shwick   13734 13731  0 Dec09 ?        00:00:00 sshd: shwick@pts/2
    root     14653     1  0 Dec09 ?        00:00:00 /usr/sbin/sshd

    Looks like just my two shwick clients.

    I get an email whenever someone logs on via ssh, so I checked all those, no suspicious IPs. Also grepped auth.* and saw only logins from my IP on the LAN.

    I installed rkhunter, did a scan and got 0 rootkits found, but got a warning on hidden folders:

    Code:
       Checking for hidden files and directories       [ Warning ]
    [19:57:09] Warning: Hidden directory found: /dev/.static
    [19:57:09] Warning: Hidden directory found: /dev/.udev
    [19:57:09] Warning: Hidden directory found: /dev/.initramfs

    Is there a way to check exactly how the root user is logged in right now, and what it is doing?

    I recently installed x11vnc and made a failed startup script for it, could that be doing something?

    Thanks.

  2. #2
    Linux User dxqcanada
    Join Date
    Sep 2006
    Location
    Canada
    Posts
    259
    What does "who -a" show you?



    Men occasionally stumble over the truth,
    but most of them pick themselves up
    and hurry off as if nothing had happened.

    Winston Churchill


    ... then the Unix-Gods created "man" ...

  3. #3
    Just Joined!
    Join Date
    Jun 2008
    Posts
    84
    It shows me:

    Code:
               system boot  2008-12-09 00:36
               run-level 2  2008-12-09 00:36                   last=
    LOGIN      tty4         2008-12-09 00:36              4651 id=4
    LOGIN      tty5         2008-12-09 00:36              4652 id=5
    LOGIN      tty2         2008-12-09 00:36              4656 id=2
    LOGIN      tty3         2008-12-09 00:36              4657 id=3
    LOGIN      tty6         2008-12-09 00:36              4658 id=6
    LOGIN      tty1         2008-12-09 00:36              6055 id=1
    shwick   + pts/0        2008-12-10 19:49   .         23450 (10.11.12.254)
    root     + pts/1        2008-12-09 00:38  old         6418 (:20.0)
    shwick   + pts/2        2008-12-10 20:51 00:19       17284 (10.11.12.254)
               pts/3        2008-12-10 21:01             17550 id=ts/3  term=0 exit=0
    shwick   + pts/3        2008-12-10 21:03 00:20       17947 (:21.0)

    I started another x11vnc session and I see another shwick user. I think my startup script started a sudo x11, which is why I saw the extra root user.

    Thanks, very useful command!
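
Added example, not part of the original posts: a Python sketch that parses the user rows of `who -a` output like the one quoted in post #3, separates sessions whose origin is a network host from those whose origin is an X display such as `(:20.0)`, and flags root sessions and remote logins from hosts outside a known set. The function names, the `known_hosts` parameter and the ISO date layout are assumptions of this example; the sample rows are copied from the thread.

```python
import re

# Constructed sample: rows copied from the `who -a` output quoted in post #3.
SAMPLE = """\
LOGIN      tty1         2008-12-09 00:36              6055 id=1
shwick   + pts/0        2008-12-10 19:49   .         23450 (10.11.12.254)
root     + pts/1        2008-12-09 00:38  old         6418 (:20.0)
shwick   + pts/2        2008-12-10 20:51 00:19       17284 (10.11.12.254)
           pts/3        2008-12-10 21:01             17550 id=ts/3  term=0 exit=0
shwick   + pts/3        2008-12-10 21:03 00:20       17947 (:21.0)
"""

# Assumes the YYYY-MM-DD HH:MM layout shown in the thread; other locales differ.
ROW = re.compile(
    r"^(?P<user>\S+)\s+[+\-?]\s+(?P<line>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<idle>\S+)\s+(?P<pid>\d+)(?:\s+\((?P<origin>[^)]*)\))?"
)

def origin_kind(origin):
    """Classify the parenthesised host field of a who(1) row."""
    if not origin:
        return "console"
    if origin.startswith(":"):
        return "x-display"  # an X display name, not a network peer
    return "remote"

def parse_who(text):
    """Return one dict per logged-in user row; skip boot, LOGIN and dead rows."""
    sessions = []
    for raw in text.splitlines():
        m = ROW.match(raw)
        if m is None:
            continue
        s = m.groupdict()
        s["pid"] = int(s["pid"])
        s["kind"] = origin_kind(s["origin"])
        sessions.append(s)
    return sessions

def needs_review(sessions, known_hosts):
    """Sessions owned by root, or remote logins from a host outside known_hosts."""
    return [s for s in sessions
            if s["user"] == "root"
            or (s["kind"] == "remote" and s["origin"] not in known_hosts)]

if __name__ == "__main__":
    for s in needs_review(parse_who(SAMPLE), {"10.11.12.254"}):
        print(f'{s["user"]} {s["line"]} pid={s["pid"]} {s["kind"]} {s["origin"]}')
```

The PID column from a flagged row can then be checked against the process list (for example `ps -fp 6418`) to see which program owns that terminal.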
