Member Avatar for shwick

I'm running fully update Ubuntu 8.04 (as of today).

I did a "users" out of the blue and saw "root shwick shwick" and I only had two ssh sessions open to my gateway.

I checked if there was an additional ssh client running, as that is the only thing that I have exposed on the internet side:

root      6069     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
shwick    6071  6069  0 Dec09 ?        00:00:01 sshd: shwick@pts/0
root     13731     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
shwick   13734 13731  0 Dec09 ?        00:00:00 sshd: shwick@pts/2
root     14653     1  0 Dec09 ?        00:00:00 /usr/sbin/sshd

Looks like just my two shwick clients.

I get an email whenever someone logs on via ssh, so I checked all those, no suspicious ips. Also grepped auth.* and saw only logins from my ip on the lan.

I installed rkhunter, did a scan and got 0 rootkits found, but got a warning on hidden folders:

Checking for hidden files and directories       [ Warning ]
[19:57:09] Warning: Hidden directory found: /dev/.static
[19:57:09] Warning: Hidden directory found: /dev/.udev
[19:57:09] Warning: Hidden directory found: /dev/.initramfs

Is there a way to check exactly how the root user is logged in right now, and what it is doing?

I recently installed x11vnc and made a failed startup script for it, could that be doing something?

Thanks.

  • 3 Contributors
  • 3 Replies
  • 148 Views
  • 3 Weeks Discussion Span
  • Latest Post Latest Post by TheOgre

Recommended Answers

All 3 Replies

Member Avatar for Stylish

From my debian VM:

root      2114     1  0 Nov28 ?        00:00:00 /usr/sbin/sshd
root     32519  2114  0 08:52 ?        00:00:00 sshd: xxxx [priv]
xxxx     32521 32519  0 08:52 ?        00:00:00 sshd: xxxx@pts/0
Member Avatar for TheOgre

It means the process itself is running as root, which is required for sshd to function properly.

Member Avatar for TheOgre

root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd That's the sshd process itself, running as root, not root being logged in to an SSH session (notice it's sshd, not ssh@)

man sshd

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.