How do I actually trace or find the source of this connected device? We doubt it's an illegal login
Posted by daygamer77@reddit | linuxadmin | 51 comments
Difficult_Bend_8762@reddit
Try Wireshark
scristopher7@reddit
LOL
Difficult_Bend_8762@reddit
what?
scristopher7@reddit
Oh, sorry, I thought you were being sarcastic and was laughing at a joke that wasn't there.
Difficult_Bend_8762@reddit
no worries
scristopher7@reddit
lol
michaelpaoli@reddit
Or alternatively use u instead of l.
Once you've got the PIDs, you can also start getting more info, e.g.:
or if just a single PID:
dcolecpa@reddit
Could you please explain these commands and what they show?
stoneG0blin@reddit
Just a tip. ChatGPT could do that on the fly. I'm using it often to explain commands.
justinDavidow@reddit
The first lists the processes owned by the specific user
The second shows what files are in use by those PIDs
The third is the same as the second, but for a single pid.
Effectively this is just running lsof (list open files) for processes owned by this specific session.
michaelpaoli@reddit
u/dcolecpa
Uhm, not quite. That ps command ... well, Read The Fine Manual (RTFM) for ps(1): notably, without - before the options you get the BSD flavor of options, and the t option will limit it to processes that have the noted terminal as controlling terminal (terminal, not user).
And you can read about ls and its -l option likewise on the ls(1) man page. As for the /proc stuff, that's documented with the kernel ... exe is for the executable, and fd for the file descriptors (open numbers), and the {,} notation you can read about on the man page for your Korn/POSIX compatible shell, e.g. bash(1).
And again, not by user or session, but by specific controlling/associated terminal. And sure, lsof likely has option(s) to do something quite similar, probably even as a single command ... but what I gave doesn't even require lsof, just ps, ls, and a teensy bit of shell (and really doesn't even need that if one expands out the arguments oneself, rather than having the shell do that - or ls could find the fd numbers under the fd directory(/ies)).
dcolecpa@reddit
Thank you Michael
dcolecpa@reddit
Thank you Justin
artekau@reddit
check on your firewall?
Intergalactic_Ass@reddit
Computer, what is a pty? What is a tty? 🤦♂️
Upper-Inevitable-873@reddit
After all this I bet we find out it's you OP
autotom@reddit
lol it u
dizzygherkin@reddit
Tty2 is someone logged into the local console.
cibolajerry@reddit
Yes, but it could be coming from anywhere, though normally it is local. It could be an actual line coming in; it isn't necessarily a virtual terminal, it could be a physical terminal.
draeath@reddit
Wouldn't that be ttyS# and not tty#?
explodinghat@reddit
The call is coming from inside the house!
DSMRick@reddit
Best use of this meme ever.
daygamer77@reddit (OP)
Hi, thanks for the response. When you say local console, does it mean logged in physically?
Booty_Bumping@reddit
Pretty much. Either a screen, a serial port, or a teletypewriter.
allegedrc4@reddit
...yes...through a device physically attached to the server (or virtually if virtual).
FurryTreeSounds@reddit
If you used the "who" command to see this, the lastlog command should show you similar output.
If you're trying to figure out "what is scins actually doing?" try running ps -u scins.
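The ps/proc approach michaelpaoli describes above (processes selected by controlling terminal, then exe and fd links read straight from /proc) and the who/lastlog tip in this comment, combined into one script. This is an added example and not code posted in the thread; it assumes a Linux host with procps `ps`, util-linux `last`/`lastlog` and a mounted /proc. The terminal name `tty2` and user `scins` are only the thread's example values, and the `tty_kind` classifier reflects the tty/ttyS/pts distinction raised further down.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux, procps, util-linux, /proc.

# Rough classification of a terminal name as shown in the TTY column of `who`.
tty_kind() {
    case "$1" in
        ttyS[0-9]*) echo "serial port (physical serial console or a console server)" ;;
        tty[0-9]*)  echo "virtual console (local keyboard/screen, or the VM console if virtualised)" ;;
        pts/*)      echo "pseudo-terminal (ssh, screen/tmux, terminal emulator)" ;;
        *)          echo "unknown terminal type" ;;
    esac
}

# PIDs whose controlling terminal is $1. The -t form is the POSIX spelling of
# the BSD "ps t tty2" mentioned above; it selects by terminal, not by user.
tty_pids() {
    ps -t "$1" -o pid= 2>/dev/null || true
}

# Executable, working directory and open file descriptors of one PID, read
# from /proc without lsof. Returns 1 if the PID does not exist.
proc_info() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    printf 'PID %s  exe=%s  cwd=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    # every entry under /proc/PID/fd is a symlink to the open file, socket or pipe
    ls -l "/proc/$pid/fd" 2>/dev/null | sed 's/^/    /'
}

# Login records: who is on the terminal now (utmp), who has been (wtmp),
# and, if a user is given, that user's last login from lastlog.
tty_logins() {
    echo "== $1: $(tty_kind "$1") =="
    echo "== currently logged in on $1 =="
    who | grep -w "$1" || echo "(nobody)"
    echo "== recent logins on $1 (wtmp) =="
    last -F "$1" 2>/dev/null | head -n 10 || echo "(last not available)"
    if [ -n "${2:-}" ]; then
        echo "== lastlog for $2 =="
        lastlog -u "$2" 2>/dev/null || echo "(lastlog not available)"
    fi
}

# Usage: investigate_tty tty2 [scins]
investigate_tty() {
    tty_logins "$1" "${2:-}"
    echo "== processes on $1 =="
    for pid in $(tty_pids "$1"); do
        proc_info "$pid"
    done
}

if [ -n "${1:-}" ]; then
    investigate_tty "$1" "${2:-}"
fi
```

Run it as `sh investigate.sh tty2 scins` on the affected host. If the process list for the terminal is empty but `who` still shows the session, the login shell has exited and utmp was simply not cleaned up, which is worth knowing before escalating; if processes do show up, the exe and fd links tell you what that session is actually doing right now.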
-29-@reddit
The call is coming from inside the house.
sniff122@reddit
That is the local console, aka the screen that's plugged into the machine
daygamer77@reddit (OP)
Hi, thanks for the response. When you say local console, does it mean logged in physically?
shiftingtech@reddit
You still haven't answered the question about whether the machine in question is a physical machine or something virtualized. As such, it's hard to give definitive answers. If it's a normal, physical computer, then that's the second session on the physical screen and keyboard.
daygamer77@reddit (OP)
Hi, sorry, it's virtual.
shiftingtech@reddit
Then you need to turn your attention to whatever virtualization tool you're using. It should be able to tell you what sessions are connected
ForceBlade@reddit
So the person who logged in likely did so through the hypervisor you use, such as logging into vSphere and opening the display of the virtual machine there.
sniff122@reddit
Yeah. The physical monitor and keyboard, if it's a server it could also be via the BMC (like dell iDRAC, hp ILO, etc)
thewallacio@reddit
arp -a 192.168.110.133
and see if the MAC address vendor gives you any clues?
AtlanticPortal@reddit
It's literally the row before and the row after that one.
thewallacio@reddit
🤦
ffs. downvoting myself for blatant stupidity.
DarrenRainey@reddit
tty is always the local console, i.e. someone physically logged into that machine. Is this a physical server or a virtual machine? If it's a virtual machine, check the logs for your hypervisor (typically VMware ESXi, Xen, Proxmox etc.) and see who last logged in around that time / was changing things on that VM.
daygamer77@reddit (OP)
Hi, thanks for the response, this is virtual.. so you suggest looking for logs on the hypervisor? Thanks for the suggestion.
VirtualDenzel@reddit
Look at the hypervisor console. Someone logged in using that.
zqpmx@reddit
This reminds me of this.
When a stranger calls
https://youtu.be/OFgy2x5-TNg
Wrenky@reddit
The call is coming from inside the house 😨
mechanicalAI@reddit
What does the hypervisor’s management console logs look like? Do you see any unauthorized or authorized logins from there? In the past I experienced the same problem and freaked out but it turned out I logged in to the VM directly from the hypervisor itself. Regardless here are a few scenarios you might find helpful to track the root of that particular login.
Steps to Take
bzImage@reddit
is this a joke ?
Dave_A480@reddit
tty means it's the physical screen/keyboard if it's bare-metal, or the virtual-machine console if it's a VM...
daygamer77@reddit (OP)
thanks for the response this is virtual
vmxnet4@reddit
Physical or Virtual machine?
If physical, it's not impossible to connect via serial console over a network (i.e.: Digi or Lantronix serial console devices). I used to set those things up at banks all the time so tellers would have a direct console terminal session to the UNIX-based banking server in the back.
If virtual, it's likely someone accessing it via the VM's console.
Probably other explanations too. Those are just 2 off the top of my head.
aqcz@reddit
tty2 is not a serial console though, that would be named ttyS2 or similar. Also those serial consoles are mostly a thing from the past nowadays, servers usually have some BMC and desktops may be able to use AMT (not sure if console works there too).
Intrepid_Anybody_277@reddit
You need to find the server/PC or rack this host is connected to.
It's logged in it all.
serverhorror@reddit
Virtual Machine?
Try looking at the console and Alt+D2, if not: head to the server room and have a keyboard and monitor ready.
daHaus@reddit
Is that a local machine? tty2 is local