Recently, I had to reinstall one of my VPS servers (again), due to malware. I took what I considered to be pretty good security precautions. I also locked the root account and am using sudo as well. But one day later, I logged in and noticed the program 'agetty' was running on several TTYs:
root 382 0.0 0.0 12600 292 tty3 Ss+ Jun21 0:00 /sbin/agetty --noclear tty3 linux
root 383 0.0 0.0 12600 292 tty2 Ss+ Jun21 0:00 /sbin/agetty --noclear tty2 linux
root 384 0.0 0.0 12600 292 tty5 Ss+ Jun21 0:00 /sbin/agetty --noclear tty5 linux
root 385 0.0 0.0 12600 292 tty6 Ss+ Jun21 0:00 /sbin/agetty --noclear tty6 linux
root 386 0.0 0.0 12600 292 tty4 Ss+ Jun21 0:00 /sbin/agetty --noclear tty4 linux
root 387 0.0 0.0 12600 296 tty1 Ss+ Jun21 0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
Apparently agetty is an 'alternate getty' that is used for accessing a system via a serial console, or at least that's my understanding. So it seems that there is no legitimate reason for these processes to be running on my server. I emailed my provider about it, and they said that unless I configured this, it should not be running, and that it has nothing to do with their systems. That leads me to think that someone is trying to hack my server (again).
I have a few questions. First, is there any legit reason why I'm seeing these processes? Second, what do these options mean: --keep-baud console 115200 38400 9600 vt102? I was not able to fully understand what's going on from reading the man pages or from anything I've found online. Is it possible that somebody has managed to get a login console to my server and is trying to brute-force their way in to get a shell? I checked the auth.log and syslog and did not find anything that indicated such activity.
I suppose I am just trying to figure out what this process is, and if it is malicious, how can I kill it? Rebooting the machine did not work... Any tips would be appreciated.