LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-18-2007, 03:40 PM   #1
jaggy00
LQ Newbie
 
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25

Rep: Reputation: 15
Unhappy w shows 2 users while I'm alone on the system!


w command shows following, though I'm alone on the system:

Code:
root@cPanel [~]# w
 00:30:11 up 62 days, 11:04,  2 users,  load average: 2.65, 2.15, 1.77
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    host-xx-xx-xx- 00:23    0.00s  0.03s  0.01s w
root@cPanel [~]#
Then when I enter who command, the other defunct user shows up. yy.yy.yy.yy ip is our companys, however I killed this session two days ago.

Code:
root@cPanel [~]# who
root     pts/0        May 19 00:23 (host-xx-xx-xx-xx.adsl.xxxxx.net)
root     pts/2        May 17 23:32 (yy.yy.yy.yy)
How I can get rid of the defunct session? We were rootkited at that day. Maybe the attacker messed something in the system in such a way that there is something totally wrong down there and this defunct session is just a symptom?
 
Old 05-18-2007, 06:08 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Hi.

Code:
ps -ef | grep 'pts/2'
should show anything attached to that terminal.

I'm concerned that you've been rootkit'ed, and the host hasn't been brought down for maintenance / forensics. The machine can't be trusted in its current state.

Dave
 
Old 05-19-2007, 03:39 AM   #3
jaggy00
LQ Newbie
 
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25

Original Poster
Rep: Reputation: 15
Thank you for wour answer, though

Code:
ps -ef | grep 'pts/2'
doesn't show anything. However I've entered the system simultaneously on all terminals and now it is gone. I don't know what it was. We can't bring the system down yet, 'cause this is heavy loaded production server, without backup (terrible). I'm new here at the company and it is difficult to understand what's going on. As I have found so far, system was rootkited nearly a month ago! They just didn't use a backdoor until day before day before yesterday.
 
Old 05-19-2007, 12:22 PM   #4
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
"heavy loaded production server"
"without backup"
"system was rootkited nearly a month ago"
Paraphrasing slightly: They used a backdoor a couple of days ago.

You know what? If your company's server crashes and burns I'd have no sympathy whatsoever. That fact that you can't take it down because it's a production server is just fantastic... that's like saying "But if I turn the sprinklers on, the people in the burning building won't be able to work!".

How much is it going to cost your company to:

a) lose use of that machine for a few hours while you put in a replacement?
b) lose EVERYTHING on that machine, never to be recovered, INCLUDING the time to rebuild an equivalent machine (probably without proper testing because of the timescales), recover from the dissemination of the data on that machine to the general populous, while at the same time having that machine (potentially) be used for ANYTHING... spam, viruses, hacking, proxying of illegal websites..., getting banned from the ISP, etc.etc.etc. Yeah, it's all theoretical. But so's the fact that leaving my front door open while you're not at home is likely to encourage burglars. You *can* do it and get away with it. But would you really risk it?

I bet a) is a LOT cheaper than b) for your company.

Someone WAS in your system. They had access enough and time enough unnoticed to (potentially) gain root access. Root can do ANYTHING, even hide it's own presence in process lists if it so feels like it... some rootkits do this perfectly, some a little more clumsily. Meanwhile you are STILL running this machine and running critical data across it on a daily basis because "it's a production server".

Get it sorted. Or, if you're not responsible for it, give the person who is a kick up the bum from me. Companies like you keep me in work.
 
Old 05-20-2007, 03:15 AM   #5
jaggy00
LQ Newbie
 
Registered: Jan 2007
Distribution: CentOS & Fedora Core
Posts: 25

Original Poster
Rep: Reputation: 15
Thank you for your objection.

Quote:
Get it sorted. Or, if you're not responsible for it, give the person who is a kick up the bum from me. Companies like you keep me in work.
Where do you work?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to sort regular users and system users from /etc/passwd joeyBig Red Hat 9 05-29-2008 12:59 AM
running top shows 2 users gibson79 Slackware 8 03-08-2007 09:19 AM
system monitor shows more CPUs sammy11 Fedora 6 11-16-2006 09:41 AM
uptime shows 3 users on system when there is only me. Is this normal? MichaelD Linux - Security 3 05-21-2005 11:05 PM
host1 to host2 connection only shows login users. btexpress Linux - Networking 0 06-01-2004 12:31 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration