Ubuntu: Tracking weird root tty behavior


I randomly ran the finger command on my machine and these two lines came up in addition to my own user (the machine is fully mine):

root      root             *pZ�            Jul  5 15:25 (:0.0)
root      root             *^A              Jul 13 16:41 (:0.0)

Does anyone know what this means? How can I find out more about who is logged in as root and what they're doing? (It could be me, but I can't recall running any sudo commands that didn't finish instantaneously).

EDIT: Thanks for taking a look at this. It turns out these are because of KVpnc - it creates one of these each time it's launched.


After using Finger command.

Login     Name       Tty      Idle  Login Time   Office     Office Phone
user      user       tty1        *  Jun  4 07:53

* - after the terminal name states that write status permission is denied.

^ - If standard output is a socket, finger will emit a carriage return (^M) before every linefeed (^J). This is for processing remote finger requests when invoked by fingerd.

Source : Finger Manpage


The :0.0 part of those indicates that those are X11 (graphical desktop) logins. They could be because you have some terminals open on your desktop as root.

The answer to the following question might be related: https://superuser.com/questions/50935/what-does-it-mean-when-i-appear-twice-in-the-output-given-by-finger-on-ubuntu

The weird characters in the middle could be a character-encoding problem. Do you have a non-English language installed?

To see the list of all processes being run as root, you can run 'ps' and look for unusual processes:

ps -xeU root  

Note that, if it's a hacker or a rootkit, their tracks will probably be covered and you won't be able to see anything at this level. Use a tool like chkrootkit if you think that's likely.
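To find out which process registered a root entry like the ones finger printed, the session records can be read straight from utmp, the file that finger and who take their login list from. The following is an added example, not part of the original answers; it assumes the 384-byte glibc `struct utmp` layout of x86-64 Linux and the path /var/run/utmp, and the pattern for "normal" tty names is a heuristic.

```python
import re
import struct
from pathlib import Path

# Assumed layout: glibc "struct utmp" on x86-64 Linux (384 bytes per record).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a live login session
NORMAL_LINE = re.compile(r"tty\w+|pts/\d+|:\d+(\.\d+)?")  # heuristic, an assumption


def _text(raw):
    """Fixed-width field up to the first NUL, non-printable bytes escaped."""
    raw = raw.split(b"\0", 1)[0]
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw)


def root_sessions(data, user="root"):
    """Return the live session records for `user` found in raw utmp bytes."""
    hits = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        ut_type, pid, line, _id, name, host = rec[:6]
        if ut_type != USER_PROCESS or _text(name) != user:
            continue
        tty = _text(line)
        hits.append({"pid": pid, "tty": tty, "host": _text(host),
                     "login_epoch": rec[9],  # ut_tv.tv_sec
                     "odd_tty": NORMAL_LINE.fullmatch(tty) is None})
    return hits


def owner_of(pid):
    """Command name of the process that registered the session, if still alive."""
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip()
    except OSError:
        return None


# Constructed sample record (not taken from the question): root, junk tty, X display.
SAMPLE = UTMP.pack(USER_PROCESS, 4242, b"pZ\xff", b"", b"root", b":0.0",
                   0, 0, 0, 1247000000, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    path = Path("/var/run/utmp")
    data = path.read_bytes() if path.exists() else SAMPLE
    for s in root_sessions(data):
        print(s, "registered by:", owner_of(s["pid"]))
```

The `pid` field is whatever the registering program wrote into the record, so `owner_of` returns nothing once that process has exited, and a reused PID can name an unrelated process.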


It turns out these sessions were created because of KVpnc - it creates one of these each time it's launched.
