远程Linux TTY

Question

I am maintaining a Virtual Machine on a Cloud Service with Linux (SLES) operating system. At some point, someone logged in, did some major things (eg chmod 777 on ALL files, etc) and, with some other things that he did, messed up the system.

It would be no surprise if he actually hacked it, but... The vm is hosted inside a VPN (unreachable from outside the VPN), and last root command specifies a user connected through tty1 (!!!), with no IP address, while all my connections, root and user are pts/X .

My thoughts (not like I am an expert) are concluding on one thing, this user must have physical (?) access to cloud service, since tty is reachable locally. Which means, that if that is true, the "attacker" must be someone from inside the Cloud-Service hosting company.

Question: Is there ANY way you can connect remotely to a server/cloud service virtual machine using ttyX?

Correct me at any point you see wrong; as I mentioned I am not an expert but I am more than willing to learn.

Answer 1

Depending on the hypevisor, it provides a remote console, so, it is kind of local console connected from a remote place. Also, there is a ipmi protocol that can connected to the hypervisor and use the sol (serial-over-lan) command.

Other than that, the user might be connecting using a VNC, that would also be shown as a tty connection

IPMI SOL: http://www.alleft.com/sysadmin/ipmi-sol-inexpensive-remote-console/

Remote qemu guest console: How to switch to qemu monitor console when running with "-curses"

VNC on guests: https://askubuntu.com/questions/262700/qemu-kvm-vnc-support