Help - multiple users on my Ubuntu 9.10, have i been hacked??

Diss · 3 Nov 2009 at 08:02

Hi

since upgrading from 9.04 to 9.10 i get the following message when i try to shut down the computer:

"System Policy prevents stopping the system when other users are logged in - An application is attempting to perform an action that requires privileges-authorisation required"

If i click on the details tab of the message this is displayed:

"org.freedesktop.consolekit.systems.stop-multiple-users"

if i cancel the message it logs me out and at the login screen there are 2 users listed, me and "other". If i try other it won't work as my password doesn't apply to this ''other' user.

Any ideas what is causing this and how to fix? Only i am worried that it may be a remote hack

many thanks

diss

Diss · 4 Nov 2009 at 07:56

thanks all

situation is as follows

other than root and myself users shown for each of the commands:

TOP (monitoring activity)
mysql
mythtv
haldaemo - occasionally
messageb - occasionally

TOP -w gave these additional users from the time i ran it
syslog
108
avahi
avahi
daemon
111
111
ntp
kernoops

LAST
this only showed me and 'reboot' on the list

/var/log/secure
i don't have a folder for this

how does this look?
maybe mysql or mythtv bust in the upgrade and casue the problem?

regarding the possibility of a nobody account - how do i tell that this is the problem?

many thanks

diss

Diss · 5 Nov 2009 at 05:38

hi

i get this, however i have no idea what shold or shouldn't be there

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13

roxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114

ulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118

olicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
diss:x:1000:1000:diss,,,:/home/diss:/bin/bash
mysql:x:112:123:MySQL Server,,,:/var/lib/mysql:/bin/false
mythtv:x:113:124::/home/mythtv:/bin/sh
ntp:x:114:125::/home/ntp:/bin/false
sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin
speech-dispatcher:x:116:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
couchdb:x:117:116:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
kernoops:x:118:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false

how does this look?

i do have a var/log directory - but what am i looking for in it?

many thanks

diss

Diss · 6 Nov 2009 at 07:53

thanks for that

got a no file message for "more /var/log/secure"

the other suggestion worked but like you said there were pages of stuff

thanks all for taking the time to help with this

will probably leave it for now (maybe try uninstalling a few things) but will do a full reinstall at some point just to be sure

cheers

diss