Hacked ? Multiple who entries......

budword · 09-06-2007, 06:12 PM

Hi, I don't know if this means anything or not, and goggling didn't help. Yesterday, while in kdm, waiting to choose a Desktop to login to, a box popped up saying something about my usual user already logged in (tty:3 or something like it.), which startled me a bit. When I had time (next morning) I did a quick who, and got multiple simultaneous log ins for the same user. Is this usual ? Here is the output of that command...

me :0 2007-09-06 09:52
me pts/0 2007-09-06 17:33 (:0.0)
me pts/1 2007-09-06 17:36 (:0.0)

This box was running overnight before I did the who command, so I didn't worry about the timestamps, but I haven't logged into any terminals.

So am I worried for nothing ? I finally have this box set up the way I want it, and I don't want to nuke it from orbit, I don't even want to upgrade when the next version of Kubuntu comes out. I'm running Kubuntu feisty, if it matters. I use kde, gnome, and fluxbox, though I doubt that matters much. One other detail, that I just thought was a KDE bug, if kde has been running for any length of time, I sometimes have trouble starting some new processes. Starting gaim or rox for instance. They just stop working, and I don't know why. I tried starting from a terminal hoping for an error message, but never get one. Same thing has never happened in gnome or fluxbox, so I just thought it was a kde bug or config problem, figured I screwed something up on my own.

I haven't found any funny processes running either, or weird bandwith issues.

Anyway, I'm hoping someone who knows much more than me will just pop on here for a minute and tell me I have nothing to worry about.

Thanks much...

David

Simon Bridge · 09-06-2007, 06:22 PM

That's normal... it is saying that you have an x terminal (:0) open and two command-line terminals (pts/0 and pts/1) open. Each of these is a login. Enjoy.

unixfool · 09-06-2007, 06:22 PM

'w' may tell you a bit more. For example:

Code:

bash-3.1$ w 
19:20:17 up 14 days, 19:21,  6 users,  load average: 0.08, 0.29, 0.19
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ron      tty1     -                22Aug07 14days 25.34s  0.00s /bin/sh /usr/bin/startx
ron      pts/1    :0               23Aug07 14days  0.00s 44.20s kded [kdeinit] --new-startup                   
ron      pts/2    :0               Fri23    3days  0.26s  0.25s ssh ron@xx.xxx.xxx.xx -p 5001
ron      pts/4    :0               Sun23    0.00s  0.01s  0.00s w
ron      pts/0    :0               23Aug07 14days  8:21   0.00s bash

Also, try 'lsof'.

budword · 09-06-2007, 06:38 PM

Ahhhh I see.

I feel very silly. Thanks much for putting my mind at ease. I've installed vmware and most of the vnc's and been messing around with some fun encryption stuff, and I was worried somewhere along the way I had exposed box in a stupid way. I just had a few konsoles open.

Thanks guys...

David

sundialsvcs · 09-06-2007, 06:49 PM

Yeah, this is based on the so-called utmp information which is not always entirely accurate anyway. (man utmp is rather interesting.)