
Recently, I had to reinstall one of my VPS servers (again), due to malware. I took what I considered to be pretty good security precautions. I also locked the root account and am using sudo as well. But one day later, I logged in and noticed the program 'agetty' was running on several TTYs:

root       382  0.0  0.0  12600   292 tty3     Ss+  Jun21   0:00 /sbin/agetty --noclear tty3 linux
root       383  0.0  0.0  12600   292 tty2     Ss+  Jun21   0:00 /sbin/agetty --noclear tty2 linux
root       384  0.0  0.0  12600   292 tty5     Ss+  Jun21   0:00 /sbin/agetty --noclear tty5 linux
root       385  0.0  0.0  12600   292 tty6     Ss+  Jun21   0:00 /sbin/agetty --noclear tty6 linux
root       386  0.0  0.0  12600   292 tty4     Ss+  Jun21   0:00 /sbin/agetty --noclear tty4 linux
root       387  0.0  0.0  12600   296 tty1     Ss+  Jun21   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102

Apparently agetty is an 'alternate getty' that is used for accessing a system via a serial console, or at least that's my understanding. So it seems that there is no legitimate reason for these processes to be running on my server. I emailed my provider about it, and they said that unless I configured this, it should not be running, and that it has nothing to do with their systems. That leads me to think that someone is trying to hack my server (again).

I have a few questions. First, is there any legit reason why I'm seeing these processes? Second, what do these options mean: --keep-baud console 115200 38400 9600 vt102 ? I was not able to fully understand what's going on from reading the man pages or from anything I've found online. Is it possible that somebody has managed to get a login console to my server and is trying to bruteforce their way in to get a shell? I checked the auth.log and syslog and did not find anything that indicated such activity.

I suppose I am just trying to figure out what this process is, and if it is malicious, how can I kill it? Rebooting the machine did not work... Any tips would be appreciated.

nemister
  • You didn't have this process before re-installing? I suspect that it's for KVM from your VPS provider. What is your distro? – r00t Jun 24 '15 at 08:44
  • It's not anything malicious, however I would consider it reckless to remove *all* the instances on your host; opensshd is very stable but nothing is perfect. The last entry indicates that the default console is on the serial port. – symcbean Sep 07 '17 at 15:32

2 Answers


Those are default Linux "consoles" or virtual terminals (VTs), Alt+F1-F6. I don't remember seeing a system that didn't have them installed by default.

You'd disable them by removing them from your init/systemd/upstart/whatever scripts. Documentation for your Linux distribution probably mentions that.

domen

(your system uses systemd if entering the ps -A command shows systemd with PID 1)

If your operating system uses systemd:

tty1 was instantiated by the command

/sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102

as your ps -A extract shows. tty1 is always started on startup. Why? See Lennart Poettering's post "systemd for Administrators, Part XVI: Gettys on Serial Consoles (and Elsewhere)" where he writes the explanation (VT means Virtual Terminal; Lennart Poettering is one of the developers of systemd):

Two VTs are handled specially by the auto-spawning logic: firstly tty1 gets special treatment: if we boot into graphical mode the display manager takes possession of this VT. If we boot into multi-user (text) mode a getty is started on it -- unconditionally, without any on-demand logic[2].

[2] Note that whether the getty on VT1 is started on-demand or not hardly makes a difference, since VT1 is the default active VT anyway, so the demand is there anyway at boot.


For other tty<N>: You may check if there is a tty service configured by entering:

systemctl is-enabled getty@tty<N>.service

Where <N> should be replaced with the tty identification number (for example tty2).

If the above check printed Failed to get unit file state for getty@tty<N>.service: No such file or directory, the service is not enabled. If the above check printed the message enabled, you may deactivate the tty service by entering:

systemctl disable getty@tty<N>.service

You may enable it again with:

systemctl enable getty@tty<N>.service
nuiun
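Both answers say the same thing from a defender's point of view: the six agetty processes are the stock virtual-terminal gettys, and under systemd each one is owned by a unit you can query with systemctl. The script below is an added example, not code from either answer or from systemd. It reads `ps aux` output, keeps only agetty processes, and prints the systemd unit that would normally own each one (`getty@ttyN.service` for a virtual terminal, `serial-getty@<dev>.service` for a serial port, `console-getty.service` for the `console` device), so that an agetty running as the wrong user, from the wrong path, or on a device that does not match its controlling TTY is reported as SUSPECT instead of blending in. The first three sample lines are copied from the question; the fourth is a constructed suspicious line added to show the failure path.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd: classify the agetty
# processes in `ps aux` output and name the systemd unit that would normally own
# each one, so that an unexpected instance stands out instead of being lost among
# the stock virtual-terminal gettys.

# Constructed sample: the first three lines copy the question's output, the
# fourth is a made-up suspicious line (non-root, wrong path, device/TTY mismatch).
SAMPLE_PS='root       382  0.0  0.0  12600   292 tty3     Ss+  Jun21   0:00 /sbin/agetty --noclear tty3 linux
root       383  0.0  0.0  12600   292 tty2     Ss+  Jun21   0:00 /sbin/agetty --noclear tty2 linux
root       387  0.0  0.0  12600   296 tty1     Ss+  Jun21   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
nobody    4242  0.0  0.0  12600   296 pts/3    S+   Jun21   0:00 /tmp/.x/agetty --noclear tty7 linux'

# classify_agetty: read `ps aux` lines on stdin; print "<pid> <tty> <unit>" for
# each agetty that looks like a stock systemd getty, or "<pid> <tty> SUSPECT <why>".
classify_agetty() {
    # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND [args...]
    while read -r user pid _cpu _mem _vsz _rss tty _stat _start _time cmd args; do
        case "$cmd" in
            *agetty) ;;                       # only agetty processes interest us
            *) continue ;;
        esac
        # 1. The binary should be the distribution's agetty (merged /usr uses /usr/sbin)
        case "$cmd" in
            /sbin/agetty|/usr/sbin/agetty) ;;
            *) printf '%s %s SUSPECT binary-path=%s\n' "$pid" "$tty" "$cmd"; continue ;;
        esac
        # 2. A getty spawned by systemd runs as root (it must open the device and exec login)
        if [ "$user" != root ]; then
            printf '%s %s SUSPECT user=%s\n' "$pid" "$tty" "$user"; continue
        fi
        # 3. The device is agetty's first non-option argument: agetty [opts] port [baud...] [term]
        dev=
        for a in $args; do
            case "$a" in -*) continue ;; esac
            dev=$a; break
        done
        # 4. Map the device to the systemd unit that normally owns such a getty
        case "$dev" in
            console)                    unit=console-getty.service ;;
            tty[0-9]*)                  unit="getty@$dev.service" ;;
            ttyS*|ttyUSB*|ttyAMA*|hvc*) unit="serial-getty@$dev.service" ;;
            *) printf '%s %s SUSPECT device=%s\n' "$pid" "$tty" "$dev"; continue ;;
        esac
        # 5. For VT and serial gettys the controlling TTY in ps is the device itself
        #    (/dev/console is skipped: it is an alias, so ps shows the underlying tty)
        if [ "$dev" != console ] && [ "$dev" != "$tty" ]; then
            printf '%s %s SUSPECT device=%s differs from controlling tty\n' "$pid" "$tty" "$dev"; continue
        fi
        printf '%s %s %s\n' "$pid" "$tty" "$unit"
    done
}

# check_commands: turn the classification into the `systemctl is-enabled` checks
# from the answer above, and list SUSPECT entries as comments for manual review.
check_commands() {
    classify_agetty | while read -r pid tty unit rest; do
        if [ "$unit" = SUSPECT ]; then
            printf '# review PID %s on %s: %s\n' "$pid" "$tty" "$rest"
        else
            printf 'systemctl is-enabled %s\n' "$unit"
        fi
    done
}

# Usage: feed real output with `ps aux | check_commands`; here we use the sample.
printf '%s\n' "$SAMPLE_PS" | check_commands
```

The unit names are what systemd ships; which unit actually spawned a given process is recorded in its cgroup, so on a live system `systemctl status <PID>` is the authoritative check and will show the owning unit (or none, which is the interesting case). Anything this script marks SUSPECT is worth that check before deciding whether to disable the unit as the answer describes.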