- 12-11-2008 #1 (Just Joined!, Join Date: Jun 2008, Posts: 84)
Hacker on my gateway?
I'm running a fully updated Ubuntu 8.04 (as of today).
I did a "users" out of the blue and saw "root shwick shwick" and I only had two ssh sessions open to my gateway.
I checked if there was an additional ssh client running, as that is the only thing that I have exposed on the internet side:
Code:
root 6069 1 0 Dec09 ? 00:00:00 sshd: shwick [priv]
shwick 6071 6069 0 Dec09 ? 00:00:01 sshd: shwick@pts/0
root 13731 1 0 Dec09 ? 00:00:00 sshd: shwick [priv]
shwick 13734 13731 0 Dec09 ? 00:00:00 sshd: shwick@pts/2
root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd
Looks like just my two shwick clients.
I get an email whenever someone logs on via ssh, so I checked all those, no suspicious ips. Also grepped auth.* and saw only logins from my ip on the lan.
I installed rkhunter, did a scan and got 0 rootkits found, but got a warning on hidden folders:
Code:
Checking for hidden files and directories [ Warning ]
[19:57:09] Warning: Hidden directory found: /dev/.static
[19:57:09] Warning: Hidden directory found: /dev/.udev
[19:57:09] Warning: Hidden directory found: /dev/.initramfs
Is there a way to check exactly how the root user is logged in right now, and what it is doing?
I recently installed x11vnc and made a failed startup script for it, could that be doing something?
Thanks.
- 12-11-2008 #2
What does "who -a" show you ?
Men occasionally stumble over the truth,
but most of them pick themselves up
and hurry off as if nothing had happened.
Winston Churchill
... then the Unix-Gods created "man" ...
- 12-11-2008 #3 (Just Joined!, Join Date: Jun 2008, Posts: 84)
It shows me:
Code:
system boot 2008-12-09 00:36
run-level 2 2008-12-09 00:36 last=
LOGIN tty4 2008-12-09 00:36 4651 id=4
LOGIN tty5 2008-12-09 00:36 4652 id=5
LOGIN tty2 2008-12-09 00:36 4656 id=2
LOGIN tty3 2008-12-09 00:36 4657 id=3
LOGIN tty6 2008-12-09 00:36 4658 id=6
LOGIN tty1 2008-12-09 00:36 6055 id=1
shwick + pts/0 2008-12-10 19:49 . 23450 (10.11.12.254)
root + pts/1 2008-12-09 00:38 old 6418 (:20.0)
shwick + pts/2 2008-12-10 20:51 00:19 17284 (10.11.12.254)
pts/3 2008-12-10 21:01 17550 id=ts/3 term=0 exit=0
shwick + pts/3 2008-12-10 21:03 00:20 17947 (:21.0)
I started another x11vnc session and I see another shwick user. I think my startup script started a sudo x11, which is why I saw the extra root user.
Thanks, very useful command!
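As an added example (not from the thread or its posters), here is a small Python triage of the `who -a` output above: it parses only the live sessions, classifies where each one came from (a LAN address versus a local X display such as `:20.0`), and lists what deserves a second look. The trusted range 10.11.12.0/24 is an assumption inferred from the poster's 10.11.12.254 logins.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the `who -a` output posted in the thread above (abridged).
WHO_A = """\
system boot 2008-12-09 00:36
run-level 2 2008-12-09 00:36 last=
LOGIN tty4 2008-12-09 00:36 4651 id=4
LOGIN tty1 2008-12-09 00:36 6055 id=1
shwick + pts/0 2008-12-10 19:49 . 23450 (10.11.12.254)
root + pts/1 2008-12-09 00:38 old 6418 (:20.0)
shwick + pts/2 2008-12-10 20:51 00:19 17284 (10.11.12.254)
pts/3 2008-12-10 21:01 17550 id=ts/3 term=0 exit=0
shwick + pts/3 2008-12-10 21:03 00:20 17947 (:21.0)
"""

# Assumption: the poster's trusted LAN, inferred from the 10.11.12.254 logins.
TRUSTED_LAN = ip_network("10.11.12.0/24")

# One live session line: NAME MESG LINE DATE TIME IDLE PID (COMMENT)
SESSION_RE = re.compile(
    r"^(?P<user>\S+)\s+[-+?]\s+(?P<line>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<idle>\S+)\s+(?P<pid>\d+)\s+\((?P<origin>[^)]*)\)$"
)

def classify_origin(origin):
    """Where did the session come from: local X display, trusted LAN, or elsewhere."""
    if origin.startswith(":"):
        return "local-x-display"   # e.g. (:20.0): a terminal opened under X, not over the network
    try:
        addr = ip_address(origin)
    except ValueError:
        return "other"             # hostname or empty comment field
    return "trusted-lan" if addr in TRUSTED_LAN else "remote"

def parse_sessions(text):
    """Keep only live user sessions; skip boot, run-level, getty slots and dead ptys."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            s = m.groupdict()
            s["origin_class"] = classify_origin(s["origin"])
            sessions.append(s)
    return sessions

def review(sessions):
    """(user, line, origin_class) for every root login and every session that is
    neither from the trusted LAN nor from a local X display."""
    return [(s["user"], s["line"], s["origin_class"]) for s in sessions
            if s["user"] == "root" or s["origin_class"] not in ("trusted-lan", "local-x-display")]
```

Run against the posted output it flags the single root session on pts/1 and shows its origin as a local X display, which matches the thread's conclusion that it was started by the sudo'd x11vnc script rather than over ssh.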
