I am seeing something strange running the w command and need help understanding it

So I was checking around the server after a while of not looking at it and ran the w command:

 01:10:46 up 11 days,  2:53,  2 users,  load average: 0.00, 0.05, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                Tue21    2days  0.74s  0.60s -bash
root     pts/0    86.x.xxx.xx      22:18    0.00s  0.28s  0.00s w

I should be the only one on the server, and had no clue what this tty1 was or is doing, so I ran ps -aef --forest | grep bash and found this one in particular:

root         617       1  0 Aug01 tty1     00:00:00 /bin/login -p --

When I ran kill -9 617 and checked w, it had gone:

 01:11:18 up 11 days,  2:54,  1 user,  load average: 0.12, 0.07, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    86.x.xxx.xx      22:18    5.00s  0.29s  0.00s w

What is that? I Googled what /bin/login -p -- was but only got information about the --. How was there a root logged in?


Solution 1:

One worrying possibility is that someone logged in as root. I can reproduce something very similar on my machine. First, I enabled root ssh access by adding this to /etc/ssh/sshd_config:

PermitRootLogin yes

And then restarted the sshd service:

sudo service sshd restart

And logged in as root (note that I have enabled the root account on this machine, have you done the same?):

ssh root@localhost

Now, when I run w, I see:

$ w
 17:06:36 up 3 min,  2 users,  load average: 1.98, 0.97, 0.38
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
terdon   :0        17:04   ?xdm?  29.31s  0.01s /usr/lib/gdm-x-s
root     pts/3     17:06   24.00s  0.00s  0.00s -bash

At the very least, you cannot rule out the possibility that an attacker gained access to your system. The only solution, in that case, is to restore from a backup or reinstall from scratch. If someone did get root access, there is simply no way of being sure they haven't done something bad otherwise.
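As an added example (not part of the question or the answer above), here is a small audit script that reads the session table `w` prints and flags anything that is not the one login you expect: a session on a console device such as tty1, or a session whose user/source pair differs from the expected one. It assumes, as in the question, that the only legitimate session is root over ssh from 86.x.xxx.xx (both values are constructed for this example and should be set to your own).

```shell
#!/bin/sh
# Added example, not code from the original post. Flags unexpected sessions
# in the output of `w -h` (the header-less form of what the question shows).
# Assumptions (constructed): the only legitimate session is root over ssh
# from 86.x.xxx.xx; any login on a tty* device is a console login.
# Note: this relies on the FROM column being present ("-" for consoles, as
# in the question); on systems where `w` leaves FROM blank, use `who` instead.

EXPECTED_USER="root"
EXPECTED_FROM="86.x.xxx.xx"

# Reads `w -h` lines on stdin. Prints one line per unexpected session and
# exits 1 if anything was flagged, 0 otherwise.
flag_sessions() {
    awk -v user="$EXPECTED_USER" -v from="$EXPECTED_FROM" '
    NF < 4 { next }                       # skip blank or truncated lines
    {
        u = $1; tty = $2; src = $3; login = $4
        if (tty ~ /^tty[0-9]+$/) {        # console login: always report
            printf "CONSOLE  user=%s tty=%s login=%s\n", u, tty, login
            bad = 1; next
        }
        if (u != user || src != from) {   # not the one session we expect
            printf "UNKNOWN  user=%s tty=%s from=%s login=%s\n", u, tty, src, login
            bad = 1
        }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed sample: the two sessions from the question, header stripped.
SAMPLE='root     tty1     -                Tue21    2days  0.74s  0.60s -bash
root     pts/0    86.x.xxx.xx      22:18    0.00s  0.28s  0.00s w'

# On a live host run:  w -h | flag_sessions
printf '%s\n' "$SAMPLE" | flag_sessions || echo "unexpected sessions found"
```

Running it on the question's output reports the tty1 session and stays silent about the pts/0 session from the expected address.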