Ran who and, to my surprise, found N root sessions on the system. Yikes!
Output of [root@localhost log]# last | tac:
root pts/3 Sun Jan 15 18:17 - 18:17 (00:00)
root pts/3 :2.0 Sun Jan 15 18:17 - 23:12 (2+04:54)
root pts/6 Sun Jan 15 18:28 - 18:28 (00:00)
root pts/6 :4.0 Sun Jan 15 18:28 - 23:12 (2+04:44)
[root@localhost log]# who
root pts/2 Jan 15 18:06 (:1.0)
root pts/4 Jan 15 18:09
root pts/5 Jan 15 18:10 (:1.0)
root pts/3 Jan 15 18:17 (:2.0)
root pts/6 Jan 15 18:28 (:4.0)
Looked all over and found nothing abnormal.
Googled it, and fortunately it is nothing serious.
who command shows more users than actual exists?
Often this means that your utmp file is corrupted. When files like
that go bad, different commands interpret them differently.
Most likely, because there's something in some of your login/logout
procedures that corrupts the file sometimes.
Can I simply delete utmp? will it recreate itself?
Just truncate it to size zero.
> /var/run/utmp
who
No more output.
Back to normal after logging in again.
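Truncating utmp also throws away the record of who was logged in, so it helps to first separate stale records from sessions that are really attached. The following is an added example, not part of the original post: it parses raw utmp data, assuming the Linux/glibc 384-byte record layout, and flags USER_PROCESS entries whose PID no longer exists. The sample records and PIDs are constructed.

```python
import os
import struct

# Linux/glibc `struct utmp` layout, 384 bytes per record (assumed; check utmp.h on the host).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # the record type `who` prints as a logged-in session

def pid_alive(pid):
    """True if a process with this PID exists; signal 0 probes without signalling."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True

def text(field):
    return field.split(b"\0", 1)[0].decode("ascii", "replace")

def classify(raw, alive=pid_alive):
    """Return (live, stale, leftover_bytes) for the USER_PROCESS records in raw utmp data.

    Stale = the login process is gone but `who` still lists the record.
    leftover_bytes != 0 = the file does not end on a record boundary (corrupted).
    """
    live, stale = [], []
    leftover = len(raw) % UTMP.size
    for off in range(0, len(raw) - leftover, UTMP.size):
        f = UTMP.unpack_from(raw, off)
        if f[0] != USER_PROCESS:
            continue
        rec = (text(f[4]), text(f[2]), text(f[5]), f[1])  # user, line, host, pid
        (live if alive(f[1]) else stale).append(rec)
    return live, stale, leftover

def constructed_sample():
    """Constructed records (made-up PIDs) shaped like the `who` output above, plus 10 junk bytes."""
    rows = [("pts/2", ":1.0", 4101), ("pts/4", "", 4150), ("pts/6", ":4.0", 4390)]
    recs = [UTMP.pack(USER_PROCESS, pid, line.encode(), b"", b"root", host.encode(),
                      0, 0, 0, 0, 0, 0, 0, 0, 0, b"") for line, host, pid in rows]
    return b"".join(recs) + b"\x00" * 10

if __name__ == "__main__":
    # Pretend only PID 4150 is running; on a real host pass open("/var/run/utmp", "rb").read().
    live, stale, leftover = classify(constructed_sample(), alive=lambda p: p == 4150)
    print("live:", live, "\nstale:", stale, "\nleftover bytes:", leftover)
```

Stale entries with no matching process fit the corruption explanation quoted above; a root entry whose PID is alive and that nobody can account for deserves a closer look before the file is emptied.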
> root 169 0.0 0.5 1148 644 ? S 08:23 0:00 /sbin/rpc.statd

Do you use NFS? If not, get rid of this.

> root 193 0.0 0.4 1300 552 ? S 08:23 0:00 /usr/sbin/inetd

I assume you use this for telnet and FTP. Make sure other services are commented out in /etc/inetd.conf.

> root 201 0.0 0.4 1352 560 ? S 08:23 0:00 /usr/sbin/lpd

Do you print from this machine? If not, get rid of this.

> nobody 256 0.0 2.0 3616 2596 ? S 08:23 0:00 /usr/bin/X11/xfs-xtt -user nobody

Don't really need font serving on a colo box.

> root 260 0.0 1.2 1556 1548 ? SL 08:23 0:00 /usr/sbin/ntpd

Do you use this? I think it's for time synchronization serving, though it might be a client. Maybe try rdate if you just need a client.

> daemon 265 0.0 0.4 1140 544 ? S 08:23 0:00 /usr/sbin/atd

If you don't use this, get rid of it. Malicious users can schedule tasks for when they're not logged in.

Just a couple thoughts on ways to tighten things.