FYI: root@notty

I assume most people know this, but for the benefit of those who get paged at 4am and are maybe not at their mental prime, here it goes:

If you see “sshd: root@notty” in your process list and find yourself wondering what box “notty” is and assuming you’ve been hacked and it’s some malicious connection to some mysterious box named “notty”… Relax. “notty” isn’t a mysterious hostname. In keeping with all the other “sshd: root@pts/1” sort of entries you might see, it’s the TTY the connection is on, not the hostname. Or, in this case, it’s no TTY, because it’s something like scp, not an interactive session.
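A quick way to tell the two kinds of entry apart, added here as an example and not part of the original post. The function name `classify_sshd` and the sample process list are constructed for illustration, and the input is assumed to be in the format printed by `ps -eo pid,args`.

```shell
#!/bin/sh
# Classify sshd session processes by the TTY field in their process title.
# Input:  lines of "PID ARGS", as printed by `ps -eo pid,args`.
# Output: one line per logged-in session: PID USER KIND TTY

classify_sshd() {
    awk '
    # Session processes are titled "sshd: USER@TTY".
    # Other sshd entries (the listener, "sshd: USER [priv]") have no "@" field.
    $2 == "sshd:" && $3 ~ /^[^@]+@.+$/ {
        user = $3; sub(/@[^@]*$/, "", user)   # text before the last "@"
        tty  = $3; sub(/^.*@/, "", tty)       # text after the last "@"
        if (tty == "notty")
            kind = "no-tty"       # no terminal allocated: scp, sftp, remote command
        else
            kind = "pty-session"  # a terminal such as pts/1 was allocated
        print $1, user, kind, tty
    }'
}

# Constructed sample input, so the function can be tried offline.
sample_ps() {
cat <<'EOF'
  812 /usr/sbin/sshd -D
 4101 sshd: root [priv]
 4103 sshd: root@notty
 4220 sshd: alice [priv]
 4222 sshd: alice@pts/1
 4223 -bash
EOF
}

# Demo on the sample. On a live host: ps -eo pid,args | classify_sshd
sample_ps | classify_sshd
```

To match a listed PID to the client that opened it, `ss -tnp` (run as root) shows the peer address of each sshd connection.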

28 thoughts on “FYI: root@notty”

  1. Ok, can’t even use the 4am as an excuse, since it’s only 2pm… Sure is glad I googled mr ‘notty’ however, before I started to cry wolf – you just spared me an embarrassing moment there 😉

  2. Me 3…
    But I went through killing all the processes and changing all the passwords, only to see it pop back up. Then I googled it…

  3. Wow .. praise google. .. I was checking a server for some strange things going on, looked at the task list .. and almost thought the bad guys were in … 😐

    (btw ‘just’ 1:20 AM)

  4. Had a similar question & problem and found out that I had my WinSCP configured to connect with ssh, so this produced that process and I thought it’s someone else since I used a different ssh software simultaneously 😉

  5. Bwa-ha-ha-ha-ha. I love it. notty box != naughty box.

    Well, I get to put my old password back. Couldn’t figure out how anyone managed to guess N67y34P00s255.

  6. Thanks, I’d seen this in our htop process list and gotten a bit more suspicious each time I saw it. I quit my SCP connection to the server to double check and the root@noTTY process disappeared, confirming you’re right.
