how to "kick" a shell user


Ovidiu
28th October 2005, 17:34
I have been unsuccessful in finding the right way to log out a user who did not log out from his session by using Google, although I have been searching for several hours. Maybe I was using the wrong search terms, or whatever.

If I use who I see a user is still logged into my system. He is a legitimate user whose session might have been interrupted by a failure. I have googled around and only found the advice to use skill with the user, but that does not seem to work.

Does anyone have more specific instructions? (I haven't yet read the man page for skill, but is skill the solution or is there another command for this?)

till
28th October 2005, 17:45
You can remove them with the kill command. Example:

kill -9 PID

Where PID is the process ID of the lost session.

Ovidiu
28th October 2005, 18:02
So you mean if the lost session was an SSH one, I should see a zombie process or maybe a running process of sshd belonging to this user?

till
28th October 2005, 18:13
So you mean if the lost session was an SSH one, I should see a zombie process or maybe a running process of sshd belonging to this user?

Yes, you can try this. Make an SSH session for a user with e.g. PuTTY by logging in, then close PuTTY without logging out. When you log in as root and execute "ps -aux" you will see the old SSH session in the process list.

But normally it is not necessary to kill them manually, as SSH will kill lost sessions after some time.

falko
28th October 2005, 18:14
You should see something like this:

root 2481 0.0 1.0 14452 2040 ? Ss 12:52 0:00 sshd: root@pts/1
root 2484 0.0 0.8 2980 1624 pts/1 Ss 12:52 0:00 -bash
The first line is for a user logged in as root over SSH, the second one is working directly on the system.

To kill the first process run
kill -9 2481

to kill the second:
kill -9 2484

Ovidiu
28th October 2005, 19:22
strange:

hxxxx:/var/www/web7/user/web7_postmaster# who
web7_pos pts/1 Oct 28 18:06 (82.77.xxx.xxx)
falko pts/2 Oct 9 13:29


So falko is logged on, right?

hxxxx:/var/www/web7/user/web7_postmaster# uptime
18:13:46 up 37 days, 18:24, 2 users, load average: 0.19, 0.10, 0.10


Seems to be right.

hxxxx:/var/www/web7/user/web7_postmaster# ps aux |grep falko
root 27271 0.0 0.1 1992 700 pts/1 S+ 18:14 0:00 grep falko


It should show me a process of falko here, right? But it doesn't. This seems to be my own personal ghost in the machine.

till
28th October 2005, 19:37
Hi,

You are logged in as root? Then you can try this:

ps -aux | grep 'pts/2'

If you don't get any valid output, I recommend calling a Ghostbuster ;)
Or, in the case of a server, rootkit-hunter: http://www.rootkit.nl

Ovidiu
28th October 2005, 20:02
I am logged in as web7_postmaster, then did a sudo su:

hxxxx:/etc/logcheck# ps aux | grep 'pts/2'
web7_po 28061 0.0 0.4 6580 2564 ? S 18:25 0:00 sshd: web7_postmaster@pts/2
web7_po 28062 0.0 0.3 3768 1908 pts/2 Ss 18:25 0:00 -bash
root 28065 0.0 0.3 3208 1752 pts/2 S 18:25 0:00 bash
root 30999 0.0 0.1 2388 868 pts/2 R+ 18:59 0:00 ps aux
root 31000 0.0 0.1 1992 700 pts/2 S+ 18:59 0:00 grep pts/2

falko
29th October 2005, 19:45
Why don't you simply run ps aux as root and have a look at all running processes instead of messing around with grep?

Ovidiu
31st October 2005, 13:01
Well, a ps aux does not show a process related to falko either...
It might be an error of who; I have to study this further using Google.
You see, I was just wondering, because after installing hotsanic I realized I constantly had one logged-in user, so I found who and wondered how to kick this one user... Strange. I have to look up how who finds out who is logged in; maybe it uses cached data or whatever.
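
Added example, not part of the original thread: `who` reads the login records in utmp rather than the process table, so a record that was never cleared can show a user with no matching process. The sketch below cross-checks saved `who` and `ps aux` output; the function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report `who` entries whose terminal
# has no process attached, i.e. likely stale utmp records.

# stale_ttys WHO_FILE PS_FILE
#   WHO_FILE: saved output of `who`     (field 2 = terminal)
#   PS_FILE:  saved output of `ps aux`  (field 7 = TTY)
stale_ttys() {
    awk '
        FILENAME == ARGV[1] {                 # first file: ps aux output
            if ($7 != "?" && $7 != "TTY") live[$7] = 1
            next
        }
        !($2 in live) { print $1, $2 }        # second file: who output
    ' "$2" "$1"
}

# Constructed sample input, modelled on the output quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/who.txt" <<'EOF'
web7_pos pts/1        Oct 28 18:06 (192.0.2.10)
falko    pts/2        Oct  9 13:29
EOF
    cat > "$dir/ps.txt" <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
web7_po  27100  0.0  0.4  6580 2564 ?        S    18:06   0:00 sshd: web7_postmaster@pts/1
web7_po  27101  0.0  0.3  3768 1908 pts/1    Ss   18:06   0:00 -bash
root     27271  0.0  0.1  1992  700 pts/1    S+   18:14   0:00 grep falko
EOF
    stale_ttys "$dir/who.txt" "$dir/ps.txt"
    rm -rf "$dir"
}

# Live use, as root:
#   who > who.txt; ps aux > ps.txt; stale_ttys who.txt ps.txt
demo    # prints: falko pts/2
```

A terminal listed here with no process on it is consistent with a utmp record that was never cleared. It does not by itself rule out hidden processes, which is what the rkhunter run suggested in the thread checks for.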

till
31st October 2005, 13:13
Have you installed and run rkhunter as I suggested above? If you don't see all logged-in users with ps -aux, a rootkit might be installed on your system!

Ovidiu
2nd November 2005, 14:17
Yes, I installed, updated and ran rkhunter. It found nothing suspicious and I doubt it will. This seems to be something else. I am on the road this week so I can't do much, except check quickly for mails. I'll be back at this post next week.

hexadec
16th June 2008, 23:56
Hi there,

I know I'm 3 years late with that post, but I almost fell off my chair...
http://bp2.blogger.com/_YxqJFnCxl14/SBug3HSxsyI/AAAAAAAAACc/VkAjGvxOQ5k/s1600-h/montypythonkick.png
http://thewinningmove.blogspot.com/2008/05/bash-kick-quick-way-to-get-rid-of.html
LOL
0xA