I assume most people know this, but for the benefit of those who get paged at 4am and are maybe not at their mental prime, here it goes:
If you see “sshd: root@notty” in your process list and find yourself wondering what box “notty” is and assuming you’ve been hacked and it’s some malicious connection to some mysterious box named “notty”… Relax. “notty” isn’t a mysterious hostname. In keeping with all the other “sshd: root@pts/1” sort of entries you might see, it’s the TTY the connection is on, not the hostname. Or, in this case, it’s no TTY, because it’s something like scp, not an interactive session.
Ok, can’t even use the 4am as an excuse, since its only 2pm… Sure is glad I googled mr ‘notty’ however, before I started to cry wolf – you just spared me for an embarrasing moment there 😉
Um me too… 12 am. THANK YOU!
Me 3…
But I went through killing all the procceses and changing all the passwords, only to see it pop back up then I googled it…
lol, thank you for this! I was just running through snort and the rest of my log files to see who was on my box!
Matt.
Wow .. praise google. .. I was checking a server for some strange things going on, looked at the task list .. and almost thought the bad guys were in … 😐
(btw ‘just’ 1:20 AM)
Thank you for that one:) Saved me a lot of time.
Thanks pal, my heart sunk when I saw that in my ps aux output and now I know what it is haha. Cheers.
12AM
Only 12PM here…
Thanks 😉
11:54pm here..
What’s a mental prime?
fine to see that i’m not the only one who didn’t know mr. notty …
I was quite confused when saw this @notty in my process list. notty=no tty, so simple 🙂
haha – thats all i could say… thanks
ummmmm 11:18 pm mr notty doing ok lol
PS Thanks!
😛
7.30am here, coffee hasn’t kicked in yet
no need to kill off Mr @notty it seems, thanks a lot 🙂
had a similar question&problem and found out that i had my WINSCP configured to connect with ssh, so this produced that process and i thought it’s someone else since i used a different ssh software simultaneously 😉
lmao! 1am here xD
Go ahead and believe this while I ransack your servers AHHHAHAHAA
Mr Notty
lol @ Mr notto
3.13 am here
Yes! Thanks! 11:55am Sunday, but still. Yawn.
2:06 am
Bwa-ha-ha-ha-ha. I love it. notty box != naughty box.
Well, i get to put my old password back. Couldn’t figure out how anyone managed to guess N67y34P00s255.
Haha, 9.42 am, hangover as hell, woke up and was all like who the fuck is notty!?!? Thx mate!
Thanks, I’d seen this in our htop process list and gotten a bit more suspicious each time I saw it. I quit my SCP connection to the server to double check and the root@noTTY process disappeared confirming you’re right.
What about 8600 failed logins :notty since last successful 24 hrs ago
Thank a lot. I have just seen it in my raspberry.
Thanks man, just save ma heart.
@10:30pm
12 years on and this post is still giving. Thanks Matt!