Problem with same user being logged in twice

I have been having a problem where somehow the other user on this computer gets logged in twice. Same name and password, but the desktop is completely different. And somehow it has a picture that I am not sure where is even saved set as the background. I noticed the duplicate user again when I was unlocking my session, so I logged into it and logged it off. Instead of going back to one of the other locked sessions, it went back to the main log in screen. That must have something to do with it because I logged in and now I have a duplicate, only mine looks the same. This is really weird and I’ve never had it happen before. Any ideas?

O.K., I noticed that I could switch to a user that is already on from the log in screen, but now the log in screen is taking up a virtual terminal and is named “unused”. I also ran users in terminal and it says I am logged in three times and the other user twice. I’m sure restarting will make it go away, but it will just come right back. There must be some way to stop that because it is annoying and has to be taking some resources at least.

i am not a guru on this and hope a real on comes along to help you…

BUT, i’m on a stand alone desktop machine and no one else on earth has
had access to it, and, i confident it has not been breached (security
wise) via a net bad guy…(of course, i may be wrong)

and, if i execute the command users in a terminal i see that i’m
on this system right now, FOUR times…

i’m not sure how but i think (for example) some of the things i run
automatically on system startup count as another me…

let me ask, how often do you log into KDE/Gnome as root?


natural_pilot

Sorry if stating the obvious & just to rule this out… Are there maybe two users with the same name but created with different caps? (e.g. User and user?). …as Linux is case sensitive.

My first thought is maybe you have a autologin set for the first user… but that’s very strange seeing the user is logged in without you doing so or seeing it happen at boot time.

As natural_pilot states it could be someone hacked in, but it could also be some misconfiguration or other…?

A little more info on your setup would be of value… Which DE (KDE, GNOME, …) are you using or have you maybe setup multiple DE’s?
Have you been testing stuff recently that might have created this dual user setup?

Are you sure this is happening? Can you reproduce it, i.e. create the situation of which you think users are logged in more than on time, and then post the result of:
who -a
And the same for:
ls -l /home
This way we can first find out if the user configuration is OK

hito kiri adjusted his/her AFDB on Friday 05 Jun 2009 03:46 to write:

>
> I have been having a problem where somehow the other user on this
> computer gets logged in twice. Same name and password, but the desktop
> is completely different. And somehow it has a picture that I am not
> sure where is even saved set as the background. I noticed the duplicate
> user again when I was unlocking my session, so I logged into it and
> logged it off. Instead of going back to one of the other locked
> sessions, it went back to the main log in screen. That must have
> something to do with it because I logged in and now I have a duplicate,
> only mine looks the same. This is really weird and I’ve never had it
> happen before. Any ideas?
>
>

If you do a :

who -a

You will see that that user will probably have a few entries, here on my
machine I show:

system boot 2009-06-07 23:55
2009-06-07 23:55 1572 id=si term=0
exit=0
run-level 5 2009-06-07 23:55 last=S
2009-06-07 23:56 3289 id=l5 term=0
exit=0
barkit ? :0 2009-06-07 23:56 ? 4879 (console)
LOGIN tty1 2009-06-07 23:56 5962 id=1
LOGIN tty2 2009-06-07 23:56 5964 id=2
LOGIN tty3 2009-06-07 23:56 5965 id=3
LOGIN tty4 2009-06-07 23:56 5974 id=4
2009-06-07 23:56 5979 id=5
LOGIN tty6 2009-06-07 23:56 5982 id=6
barkit - pts/0 2009-06-07 23:57 . 6124

notice my user is barkit, the :0 is the main physical console login and the
pts/0 is sorta like a pseudo console as opposed to a Virtual one, IIRC when
there used to be loads of people logged on to one unix machine using say a
keyboard and monitor with cables ( dumb terminal`ish ) then every time
someone opened a term another pts was spawned ( pts/0, pts/1 etc…)

Here I have just opened another console in KDE and look there is another
entry on pts/1:

furtlurker:/home/barkit # who -a
system boot 2009-06-07 23:55
2009-06-07 23:55 1572 id=si term=0
exit=0
run-level 5 2009-06-07 23:55 last=S
2009-06-07 23:56 3289 id=l5 term=0
exit=0
barkit ? :0 2009-06-07 23:56 ? 4879 (console)
LOGIN tty1 2009-06-07 23:56 5962 id=1
LOGIN tty2 2009-06-07 23:56 5964 id=2
LOGIN tty3 2009-06-07 23:56 5965 id=3
LOGIN tty4 2009-06-07 23:56 5974 id=4
2009-06-07 23:56 5979 id=5
LOGIN tty6 2009-06-07 23:56 5982 id=6
barkit - pts/0 2009-06-07 23:57 . 6124
barkit - pts/1 2009-06-08 18:55 . 27920

So there is nothing nefarious about having loads of them for just one user.

I am sure someone can explain in detail better than I can as the old grey
cells have long since been recycled since I studied them.

HTH


Mark

Nullus in verba
Nil illegitimi carborundum

The next time it happens I will post the output of those commands, but I just restarted the computer so it is only me logged on now.

There are only two users, excluding root, on the computer so it is not that one is capitalized and one isn’t. I am pretty sure the duplicates take up virtual terminals too, but I will have to see when it happens again, which shouldn’t be long.

hito kiri adjusted his/her AFDB on Monday 08 Jun 2009 23:36 to write:

>
> The next time it happens I will post the output of those commands, but I
> just restarted the computer so it is only me logged on now.
>
> There are only two users, excluding root, on the computer so it is not
> that one is capitalized and one isn’t. I am pretty sure the duplicates
> take up virtual terminals too, but I will have to see when it happens
> again, which shouldn’t be long.
>
>

They should not use VT`s unless the user is logging into a VT as well as the
normal xserver.

Here you will see barkit logged onto KDE and also running yakuake ( console
) as su:

furtlurker:/home/barkit # who -a
system boot 2009-06-08 23:44
2009-06-08 23:44 1622 id=si term=0
exit=0
run-level 5 2009-06-08 23:44 last=S
2009-06-08 23:45 3339 id=l5 term=0
exit=0
LOGIN tty1 2009-06-08 23:45 4869 id=1
LOGIN tty2 2009-06-08 23:45 4870 id=2
2009-06-08 23:45 4873 id=3
LOGIN tty4 2009-06-08 23:45 4878 id=4
2009-06-08 23:45 4879 id=5
LOGIN tty6 2009-06-08 23:45 4881 id=6
barkit ? :0 2009-06-08 23:45 ? 4952 (console)
barkit - pts/0 2009-06-08 23:46 . 5212

Now here after pressing Ctrl+Alt+F2 and logging in also as barkit at a vt
you will notice that there are 3 entries and one is on tty2 which is the vt.

furtlurker:/home/barkit # who -a
system boot 2009-06-08 23:44
2009-06-08 23:44 1622 id=si term=0
exit=0
run-level 5 2009-06-08 23:44 last=S
2009-06-08 23:45 3339 id=l5 term=0
exit=0
LOGIN tty1 2009-06-08 23:45 4869 id=1
barkit + tty2 2009-06-09 00:18 . 4870
2009-06-08 23:45 4873 id=3
LOGIN tty4 2009-06-08 23:45 4878 id=4
2009-06-08 23:45 4879 id=5
LOGIN tty6 2009-06-08 23:45 4881 id=6
barkit ? :0 2009-06-08 23:45 ? 4952 (console)
barkit - pts/0 2009-06-08 23:46 . 5212
furtlurker:/home/barkit #

( please do excuse the usernames ha ha ha… this is just my sand box machine
and it gets harder to think up stupid usernames after a few years ) :slight_smile:

If you are really worried why not install rkhunter ( in the repos ) and let
it do a scan or set it up in cron by using YaST>System>/etc/sysconfig
Editor>System>Security>rkhunter here you can set different var to suit you.

This will scan the machine for rootkits and send the log to a designated
local mailbox ( root by default ) if you setup a user to receive system mail
they will get it. Do not forget to setup the account in your mail reader as
a local box or just use the :

mail

command in a term or console for a easy quick text mail reader.

You can also have a look at the rkhunter log files in /var/log/

The only warning I get on my machine is that it has found a :

<<–snip–>>

Warning: Hidden file found: /etc/.fstab.swp: Vim swap file, version 7.2

<<–pins–>>

and I just ignore that as it is fine.

HTH


Mark

Nullus in verba
Nil illegitimi carborundum

It happened again so here are the outputs of the commands.

who -a :

run-level 5 2009-06-14 22:57 last=S
system boot 2009-06-14 22:57
LOGIN tty1 2009-06-14 22:58 4362 id=1
2009-06-06 14:47 4549 id=l6
2009-06-14 22:58 2215 id=l5 term=0 exit=0
LOGIN tty1 2009-03-31 17:58 4123 id=1
LOGIN tty2 2009-06-14 22:58 4364 id=2
LOGIN tty3 2009-06-14 22:58 4365 id=3
LOGIN tty4 2009-06-14 22:58 4368 id=4
LOGIN tty5 2009-06-14 22:58 4369 id=5
2009-06-14 22:58 4372 id=6
seth ? :0 2009-06-19 13:20 ? 27184 (console)
2009-06-10 15:01 27225 id=l0
LOGIN tty5 2009-03-31 17:58 4130 id=5
2009-06-14 22:57 751 id=si term=0 exit=0
LOGIN tty6 2009-04-02 21:36 4132 id=6
LOGIN tty4 2009-04-04 03:20 4149 id=4
LOGIN tty6 2009-04-14 01:14 4203 id=6
seth + pts/1 2009-06-17 17:36 old 16528
LOGIN tty6 2009-04-15 23:31 4268 id=6
seth ? :1 2009-06-17 17:36 ? 16370 (localhost)
seth + pts/0 2009-06-19 13:20 old 27310
heathur + pts/2 2009-06-20 23:55 old 15781
LOGIN tty5 2009-04-25 22:37 4391 id=5
LOGIN tty6 2009-04-25 23:05 4337 id=6
LOGIN tty5 2009-05-04 19:57 4429 id=5
heathur ? :2 2009-06-20 23:55 ? 15621 (localhost)
LOGIN tty6 2009-05-21 19:43 4385 id=6
LOGIN tty4 2009-05-23 12:03 4402 id=4
LOGIN tty6 2009-05-25 21:33 4463 id=6
LOGIN tty5 2009-05-26 21:07 4359 id=5
LOGIN tty6 2009-05-26 21:07 4363 id=6
2009-05-26 21:14 5812 id=l3 term=0 exit=0
LOGIN tty6 2009-05-26 21:23 4367 id=6
LOGIN tty4 2009-05-31 09:43 4397 id=4
LOGIN tty6 2009-06-14 22:58 4372 id=6
seth - pts/3 2009-06-22 18:47 . 16915

ls -l /home:

total 40
-rw------- 1 root root 7168 2009-06-22 18:49 aquota.group
-rw------- 1 root root 7168 2009-06-22 18:49 aquota.user
drwxr-xr-x 50 heathur users 4096 2009-06-20 23:55 heathur
drwx------ 2 root root 16384 2009-03-31 13:37 lost+found
drwxr-xr-x 51 seth users 4096 2009-06-22 18:39 seth

I am not sure what I should be looking for so any help is welcomed!