Help - multiple users on my Ubuntu 9.10, have I been hacked??

Hi

Since upgrading from 9.04 to 9.10 I get the following message when I try to shut down the computer:

"System Policy prevents stopping the system when other users are logged in - An application is attempting to perform an action that requires privileges-authorisation required"

If I click on the details tab of the message this is displayed:

"org.freedesktop.consolekit.systems.stop-multiple-users"

If I cancel the message it logs me out and at the login screen there are 2 users listed, me and "other". If I try other it won't work as my password doesn't apply to this 'other' user.


Any ideas what is causing this and how to fix? Only I am worried that it may be a remote hack

many thanks

diss
 
Try accessing the other account without entering a password.

Could be the nobody account (which has no shell, no files, and no privileges), in which case, you've nothing to worry about if it has been compromised. Google it and find out how to switch it off.

I don't know Ubuntu - I use something else - but this is a known issue in gnome as well. Trying to shut-down spits the user back out at the GDM login screen, which is typical behaviour for attempting a shut-down when multiple users are logged in. If I close all terminals and programs, the system shuts down as normal. It must see each TTY as an instance of a new user or something.

Open a terminal and type 'top' - this will give you a real-time list of PIDs and users, system load, uptime etc. From this, you should see only yours and the root account.

Typing 'ps aux' in a terminal will also give you a list of users, programs, and their corresponding PIDs. You can have a look and see if anything is out of the ordinary.

EDIT: You can also use the 'w' command to obtain a list of users who are logged in to the machine.
 
'last' is a good command. Also check /var/log/secure to see ssh connections to your machine - "who -a" will show users and IP addresses, along with "netstat -an |grep .22" or whatever port you've got open (telnet??? hopefully not). /var/log/xferlog also contains any ftp sessions.

If you don't want anybody to log in but yourself, just do:

touch /etc/nologin

Only you can log in on the "console" following this (as root; non-root logins will be denied access).

Also look up tcpwrappers. :-)
 
thanks all

situation is as follows

other than root and myself users shown for each of the commands:

TOP (monitoring activity)
mysql
mythtv
haldaemo - occasionally
messageb - occasionally

TOP -w gave these additional users from the time I ran it
syslog
108
avahi
avahi
daemon
111
111
ntp
kernoops

LAST
this only showed me and 'reboot' on the list

/var/log/secure
I don't have a folder for this

how does this look?
Maybe mysql or mythtv bust in the upgrade and cause the problem?

Regarding the possibility of a nobody account - how do I tell that this is the problem?


many thanks

diss
 
The 'nobody' account is used by users or software processes that don't need and shouldn't have any special permissions - NFS and directory services for example. Some daemons such as fingerd also use it - it's just an anonymous account and chances are that this is not a problem.

Iirc, actually turning it off could give you some problems, so ignore my previous post.

Are you sure that you don't have a /var/log directory though? This is the location where all your log files are kept by the system. Handy for looking up logs of sessions and would give you more info.

If 'last' is only showing you and reboot on the list, you're probably fine. There must be something went a bit screwy in the upgrade.
 
The "users" command shows who is currently logged in.

Code:
# cat /etc/passwd
Shows all users of the system (not their passwords, they are stored in /etc/shadow in an encrypted format). Have a look for anything odd (users 111 and 108 look very much like service accounts, as the UIDs are pretty low), and as the poster above mentions, have a look in /var/log: if there is no secure log, have a look in messages - that's the usual default dumping ground for everything until it's configured properly.
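
As an added example (not part of any post in this thread), the /etc/passwd review suggested above can be scripted: the function below flags extra UID 0 accounts, shared UIDs, human-range accounts and service accounts with an interactive shell. The UID threshold of 1000, the shell list, the output labels and the sample entries `toor` and `guest2` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a passwd-format file for entries worth a second look.
# Assumption: UIDs >= 1000 are human accounts (Debian/Ubuntu default).

audit_passwd() {
    # $1: passwd-format file, "-" for stdin; defaults to /etc/passwd
    awk -F: -v uid_min=1000 '
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        {
            name = $1; uid = $3 + 0; shell = $7
            # A second UID 0 account is root under another name.
            if (uid == 0 && name != "root") { printf "UID0 %s\n", name }
            # Names sharing a UID are the same user to the kernel.
            if (uid in seen) {
                printf "DUPUID %s shares uid %d with %s\n", name, uid, seen[uid]
            } else {
                seen[uid] = name
            }
            # Human-range accounts (65534 is the conventional nobody UID);
            # otherwise, service accounts that still have an interactive shell.
            if (uid >= uid_min && uid != 65534) {
                printf "HUMAN %s uid=%d shell=%s\n", name, uid, shell
            } else if (uid > 0 && shell ~ /\/(bash|zsh|ksh|csh)$/) {
                printf "SVCSHELL %s uid=%d shell=%s\n", name, uid, shell
            }
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample: six entries in the style of the thread, plus two
# invented ones (toor, guest2) that the checks are meant to catch.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
couchdb:x:117:116:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
diss:x:1000:1000:diss,,,:/home/diss:/bin/bash
toor:x:0:0::/root:/bin/bash
guest2:x:1000:1001::/home/guest2:/bin/bash
EOF
}

sample_passwd | audit_passwd -
```

On a live system, run `audit_passwd` with no argument; a HUMAN line for your own account is expected, and a SVCSHELL line is a prompt to check why that service needs a login shell, not proof of compromise.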
 
hi

I get this, however I have no idea what should or shouldn't be there

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
diss:x:1000:1000:diss,,,:/home/diss:/bin/bash
mysql:x:112:123:MySQL Server,,,:/var/lib/mysql:/bin/false
mythtv:x:113:124::/home/mythtv:/bin/sh
ntp:x:114:125::/home/ntp:/bin/false
sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin
speech-dispatcher:x:116:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
couchdb:x:117:116:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
kernoops:x:118:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false

how does this look?

I do have a var/log directory - but what am I looking for in it?

many thanks

diss
 
hi

I get this, however I have no idea what should or shouldn't be there......


Yeah - nothing wrong there. That's your background system services and nothing out of the ordinary.

Open a terminal and (as root) run:

more /var/log/secure

See what prints to the terminal. If that doesn't work then you'll need to trawl through /var/log/messages which can be quite long.

As root, run:

emacs /var/log/messages

(Assuming that you use emacs - if not, use gedit or something similar)

Tbh, everything looks ok. 'w', 'users', 'top' etc would have shown something if your system had been compromised. Like I said earlier, it's probably something went a bit weird when you updated.

See here as well: http://forum.eeebuntu.org/viewtopic.php?f=28&t=797
 
thanks for that

got a no file message for "more /var/log/secure"

the other suggestion worked but like you said there were pages of stuff

thanks all for taking the time to help with this

will probably leave it for now (maybe try uninstalling a few things) but will do a full reinstall at some point just to be sure

cheers

diss
 