This site is now 100% read-only, and retired.

XML logo

Invisible user?
Posted by busfault on Sun 4 Feb 2007 at 19:40
Tags: none.
I have used Linux for a while now, though I have yet to learn all of the intricacies of System Administrating. I occasionally run 'uptime' to see my loads, how long my system has been up, and users on. Now this has me puzzled because I was the only one logged onto my machine, yet it shows up as users 2 `uptime` reports:
Valhalla:/etc# uptime
 14:16:55 up 122 days, 21:55,  2 users,  load average: 1.00, 1.09, 1.22
The load averages are high since I am running dnetc on the system. `users` reports:
root
`who -q` gives:
root
#users=1
`who -a` gives:
                        Oct  4 17:16                 8 id=si    term=0 exit=0
           system boot  Oct  4 17:16
           run-level 2  Oct  4 17:16                   last=S
                        Oct  4 17:17               669 id=l2    term=0 exit=0
           pts/0        Feb  4 13:17             17924 id=ts/0  term=0 exit=0
LOGIN      tty1         Oct  4 17:17              1075 id=1
LOGIN      tty2         Oct  4 17:17              1076 id=2
root     - ttyS0        Feb  4 13:18   .         18504
           pts/1        Feb  4 09:12             11977 id=ts/1  term=0 exit=0
           pts/2        Jan 27 20:51             17867 id=ts/2  term=0 exit=0
           pts/2        Jan 27 19:56             17660 id=p2    term=0 exit=2
Also, I have my serial console to have a login display of
Connected to \n on \l at \bbaud
/==========================================\\
|Machine information:                      |
|OS:     \s \r                      |
|Kernel: \v   |
|Arch:   \m                              |
|\U logged in.                         |
\\==========================================/

\d \t (EST)
Where the \U is showing '1 user' (when there isn't any other login that I know of). Looking at netstat shows no remote machines connected. I'd prefer not to reboot my system, is there a way to figure this out? Should I be concerned that my machine is compromised? Could there be a process that is making it seem like a user is connected? If I was logged on and the connection was lost and programs were running could this also be the case?

 

Comments on this Entry

Re: Invisible user?
Posted by oxtan (82.93.xx.xx) on Sun 4 Feb 2007 at 21:09
[ View Weblogs ]
I just tested something. Workstation with no network access, just me logged on at the console.

$uptime
22:06:44 up 8 days, 9:05, 1 user, load average: 0.16, 0.25, 0.23

I then start screen and open two 'screens':

$uptime
22:07:46 up 8 days, 9:06, 2 users, load average: 0.21, 0.23, 0.22

it sees two users, although I am the only one here. Maybe you have logged in at 2 VT (virtual terminals)?

[ Parent ]

Re: Invisible user?
Posted by busfault (69.205.xx.xx) on Sun 4 Feb 2007 at 23:17
[ View Weblogs ]
Only one login connection. I am only connected via STTY0, which is the only direct connection that I have to the box, a "headless" system. I suppose that perhaps there is some connection that borked and is floating. I am thinking maybe that is why two pts/2 connections show up under who -a? I looked through my ps listing to see if any of the pts connections show up as a parent, which they don't. There aren't any other shells running either, besides the current login. If I am not even logged in, the STTY login shows '1 user' on the login screen.

[ Parent ]

Re: Invisible user?
Posted by busfault (69.205.xx.xx) on Sun 4 Feb 2007 at 23:30
[ View Weblogs ]
PS. here is the console output on my STTY for login
Connected to Valhalla on ttyS0 at 1 15200baud
/==========================================\
|Machine information:      &nb sp;          &n bsp;    |
|OS:     Linux X.X.XX  &n bsp;          & nbsp;        |
|Kernel: #XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   |
|Arch:   i686      & nbsp;                       ;  |
|1 user logged in.     &n bsp;          & nbsp;        |
\==========================================/

Sun Feb 4  2007 18:23:16 (EST)

Valhalla login:
* note I removed the Kernel Version information as I am sometimes paranoid about those things, or just embarassed that I haven't built a new kernel in a while :-)

[ Parent ]