how to "kick" a shell user

Discussion in 'Server Operation' started by Ovidiu, Oct 28, 2005.

  1. Ovidiu

    Ovidiu Active Member

    I have been unsuccessful in finding the right way to logout a user who did not log out from his session by using google although I have been searching for severall hours. maybe I was using the wrong serach terms, or whatever,

    if I use who I see a user ist still loggesd into my system, he is a legitimate user whose session might have been interrupted by a failure. I have googled around and only found the advice to use skill with the user but that does not seem to work.

    anyone more specific instructions? (I haven't yet read the man page for skill but is skill the solution or is there another command for this?)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can remove them with the kill command. Example:

    kill -9 PID

    Where PID is the process ID of the lost session.
     
  3. Ovidiu

    Ovidiu Active Member

    so you mean if the lost session was a ssh one, I should see a zombie process or maybe running process of sshd belonging to this user?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, you can try this. Make an SSH session for a user with e.g. putty by looging in, then close putty without logging out. When you login as root and execute "ps -aux" you will see the old SSH session in the process list.

    But normally it is not nescessary to kill them manually, as SSH will kill lost sessions after some time.
     
  5. falko

    falko Super Moderator Howtoforge Staff

    You should see something like this:

    Code:
    root      2481  0.0  1.0 14452 2040 ?        Ss   12:52   0:00 sshd: root@pts/1
    root      2484  0.0  0.8  2980 1624 pts/1    Ss   12:52   0:00 -bash
    The first line is for a user logged in as root over SSH, the second one is working directly on the system.

    To kill the first process run
    Code:
    kill -9 2481
    to kill the second:
    Code:
    kill -9 2484
     
  6. Ovidiu

    Ovidiu Active Member

    strange:

    so falko is logged on, right?

    seems to be right.

    It should show me a process of falko here, right? but it doesn't. this seems to be my own personal ghost in the machine
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi,

    you are logged in as root? Then you can try this:

    ps -aux | grep 'pts/2'

    If you dont get any valid output, i recommend to call for a GostBuster ;)
    Or in case of a server rootkit-hunter http://www.rootkit.nl
     
  8. Ovidiu

    Ovidiu Active Member

    I am logged in as web7_postmaster, then did a sudo su

     
  9. falko

    falko Super Moderator Howtoforge Staff

    Why don't you simply run
    Code:
    ps aux
    as root and have a look at all running processes instead of messing around with grep?
     
  10. Ovidiu

    Ovidiu Active Member

    well, a ps aux does not show a process related to falko either...
    might be an error of who, I have to further study this using google.
    you see I was just wondering, because after installing hotsanic, I realized I had constantly one logged in user, so I found who and wondered how to kick this one user,... strange I have to look this up, how who finds out who is logged in, maybe it uses cached data or whatever..
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you installed and run rkhunter as i suggested above? If you dont see all logged in users with ps-aux, a rootkit might be installed on your system!
     
  12. Ovidiu

    Ovidiu Active Member

    yes I installed , updated and ran rkhunter. it found nothing suspicious and I doubt it will. this seems to be something else. I am on the road this week so I can't do much, except check quickly for mails, I'll be back at this post next week.
     
  13. hexadec

    hexadec New Member

Share This Page