LinuxQuestions.org
Old 11-24-2008, 07:08 AM   #1
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Rep: Reputation: 73
How to remove dead or detached users from Ubuntu Server 8.04.


I'm running a server on Ubuntu 8.04 and I have this weird stuff going on in it... If I check the system with "w" or "uptime" it shows me more users than are actually logged in.

If I check with "who" everything seems fine, just users who are logged in are shown, but if I use "pinky" I get this:

root Admin *tty3 96d 2008-08-19 20:46
root Admin *tty1 42d 2008-10-09 20:02

root is not logged in at all, actually wasn't logged in for like 42/96 days, but uptime or w still sees them somehow, just "who" doesn't and pinky does show them.


How can I "kill" or remove this? Does anyone know or does anyone know why this happens, coz on my CentOS boxes this never happened and never happens, and I don't know how to deal with it.

Thank you!
 
Old 11-25-2008, 12:59 AM   #2
paulsm4
LQ Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
Hi -

With the appropriate privileges, you can simply "kill" any of these processes.

But it sounds like what you're really looking for is a way to automatically log off a user that's been idle too long.

There are several alternatives, including simply setting the environment variable $TMOUT in the global configuration:

http://www.walkernews.net/2007/05/15...user-in-linux/
 
Old 11-25-2008, 01:21 AM   #3
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
No man, you didn't get the point, these users are not logged in anymore, they weren't logged in for 90 days or 40 days already. It's just somehow dead or detached, I don't even know how to explain, coz it never happened to me before.

Login timeout is something else, it has to do with users who are logged in to the system and if there is no activity they will be automatically logged out.

I've tried to kill -HUP getty, but it didn't work
 
Old 11-25-2008, 03:39 AM   #4
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
I usually remove dead users by calling the county coroner; if they've been dead several days I call the police. I've never had to remove one myself yet.
 
Old 11-25-2008, 04:00 AM   #5
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Ohh yeah that helps a lot... thank god I got that answer.
 
Old 11-25-2008, 05:02 PM   #6
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
It sounds like you have a problem with the utmp file.

Unfortunately I don't know of any way of fixing this except by writing specialized code.

man utmp
man logout
man getutent

One other way (which is not necessarily good on a production system) is to kick everyone off then wipe the utmp file.

It would be good to figure out why the utmp file was not correctly updated. Have you run rootkit detectors to try to see if this artefact might be due to tampering by a r00tkit?
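
A read-only check for the stale-utmp situation discussed above (added example, not part of the original posts and not code from pinky): it walks utmp with getutxent(3) and flags USER_PROCESS records whose ut_pid no longer exists. The function names are this example's own; it only reports and never modifies the file.

```c
/* Added example: list utmp login records whose owning process is gone. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <utmpx.h>

/* Return 1 if the record claims a logged-in user but no process with
 * ut_pid exists any more, 0 otherwise. */
int is_stale_login(const struct utmpx *ut)
{
    if (ut->ut_type != USER_PROCESS)
        return 0;               /* boot, getty and DEAD_PROCESS records */
    if (ut->ut_pid <= 0)
        return 1;               /* no process can back this record */
    if (kill(ut->ut_pid, 0) == 0)
        return 0;               /* signal 0: existence check only */
    return errno == ESRCH;      /* EPERM means it exists, so not stale */
}

/* Scan the system utmp file read-only; print and count stale logins. */
int report_stale_logins(void)
{
    struct utmpx *ut;
    int stale = 0;

    setutxent();
    while ((ut = getutxent()) != NULL) {
        if (is_stale_login(ut)) {
            /* ut_user and ut_line are not guaranteed NUL-terminated */
            printf("stale: user=%.*s line=%.*s pid=%ld\n",
                   (int)sizeof ut->ut_user, ut->ut_user,
                   (int)sizeof ut->ut_line, ut->ut_line,
                   (long)ut->ut_pid);
            stale++;
        }
    }
    endutxent();
    return stale;
}

int main(void)
{
    printf("%d stale login record(s)\n", report_stale_logins());
    return 0;
}
```

A PID can be reused by an unrelated process, so a record that passes this check is not proof of a live session; comparing the record's tty against that process's controlling terminal narrows it further.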
 
Old 11-26-2008, 10:30 AM   #7
paulsm4
LQ Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
Hi, pinniped -

That's a good point, but I wouldn't even start worrying about utmp until *after* he's rebooted.

And, of course, the time to start worrying about security is *before* you're compromised...
 
Old 11-26-2008, 12:55 PM   #8
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Hey guys, the system is perfectly secure, rkhunter and chkrootkit are running every night and send the output in mail.

The problem is not rootkits, it's something else... but I don't know what.
 
Old 11-26-2008, 01:48 PM   #9
paulsm4
LQ Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
Here is the complete source for pinky:

http://www.koders.com/c/fidC7A3BE128...F3F.aspx?s=md5

As pinniped already told you, all it does is read "utmp".

I'm curious if you still have the problem after rebooting.

Just because there are a couple of odd entries in "utmp", it doesn't mean you've been compromised.

And just because "rkhunter" and "chkrootkit" run every night and haven't reported anything, that doesn't mean you *haven't* been compromised.

IMHO .. PSM
 
Old 11-26-2008, 02:24 PM   #10
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
I have moved utmp into a backup and created a new one. Seems that it works now, also I do not believe and think I wasn't compromised, I'm pretty sure actually, and this always happens on Ubuntu, never on CentOS.

Even if it's a fresh install of the system, and left for 2-3 days, this will happen again, but I don't understand why exactly.

Same shit happens on my laptop using Ubuntu Desktop 8.04, so the system is not compromised, it's just defective by default

I think I have to submit this as a bug to Ubuntu.

Last edited by robertjinx; 11-26-2008 at 03:31 PM.
 
  

