In the “R-tools” section, we talked about how rwho lets you see the users logged in on remote Unix machines. If you’re local to a Unix box, however, you can use who, w, and last to obtain a great deal of information about the users currently logged in as well as their past login habits. Serious hackers will study user behavior carefully whenever possible to “blend in” as a regular user or to avoid activity during hours when administrative users are usually logged in.
These three tools are standard on Unix systems and help both system administrators and hackers keep an eye on user behavior. Even though these commands only work locally, you might prefer to restrict the executables to root, just in case. Bear in mind, though, that the commands are only readers: anyone who can read the underlying login database (on Linux, /var/run/utmp and /var/log/wtmp, which are usually world-readable) can pull the same information with a short script, so restricting the binaries raises the bar only slightly.
Simply typing who at the command line of a Unix system lists the username, terminal/tty, and login time of every user currently logged in. Command-line options change what is shown and how it is formatted.
jjohnson@host:~% who
gstuart  pts/0  Feb 26 01:33
wave     pts/1  Feb 24 09:21
schuster pts/0  Feb 25 15:23
jjohnson pts/2  Feb 26 00:37
jjohnson@host:~% who -H
USER     LINE   LOGIN-TIME    FROM
gstuart  pts/0  Feb 26 01:33
wave     pts/1  Feb 24 09:21
schuster pts/0  Feb 25 15:23
jjohnson pts/2  Feb 26 00:37
jjohnson@host:~% who -H -i
USER     LINE   LOGIN-TIME    IDLE   FROM
gstuart  pts/0  Feb 26 01:33  .
wave     pts/1  Feb 24 09:21  09:46
schuster pts/0  Feb 25 15:23  .
jjohnson pts/2  Feb 26 00:37  .
jjohnson@host:~% who -H -i -l
USER     LINE   LOGIN-TIME    IDLE   FROM
gstuart  pts/0  Feb 26 01:35  .      (192.168.1.10)
wave     pts/1  Feb 24 09:21  09:48  (10.10.4.3)
schuster pts/0  Feb 25 15:23  .      (10.10.4.15)
jjohnson pts/2  Feb 26 00:37  .      (192.168.1.100)
jjohnson@host:~% who -q
gstuart wave schuster jjohnson
# users=4
jjohnson@host:~% who -m
host!jjohnson pts/2 Feb 26 00:37
Here's what's going on: -H prints a header for each column, -i includes idle time (a "." means the user has been active within the last minute), -l includes the host each user logged in from, -q prints only the user names and a count, and -m reports the entry for the terminal attached to standard input (that is, you). Note that the option letters are not uniform across Unix variants; on current GNU coreutils, for example, idle time comes from -u and -l means something different, so check who(1) on the system you are using. With who you can keep an eye on who is logged in right now and where they came from.
How would you like to know what each user is doing at the moment? The w command shows the command each user is currently running from his shell, along with the same uptime and load-average line that uptime prints.
jjohnson@host:~% w
 1:45am  up 3 days, 12:03,  4 users,  load average: 1.55, 2.23, 2.35
USER     TTY    FROM           LOGIN@   IDLE    JCPU   PCPU   WHAT
gstuart  pts/0  192.168.1.10   1:44am   55.00s  0.04s  0.04s  ./nc -l -p 1812 -s 1
wave     pts/1  10.10.4.3      Sun 9am  9:57m   0.14s  0.11s  -bash
schuster pts/1  10.10.4.15     Mon 3pm  9:57m   0.14s  0.11s  pine
jjohnson pts/2  192.168.1.100  12:37am  1.00s   0.35s  0.08s  w
What about users who were logged in earlier but aren't anymore? Have you ever logged into a Unix box and had it tell you the last time you logged in? If you finger a user who isn't currently logged in, the finger daemon will at least tell you the date and time of that user's last login. How does the system keep track of this information?
It keeps a binary database of login records rather than a text log. The records come in two flavors: utmp, which holds one entry per session currently open and is what who and w read, and wtmp, an append-only history to which a record is written at every login and logout and which last reads (on Linux the files are /var/run/utmp and /var/log/wtmp; other systems put them elsewhere). The details of the record format are complex, but the last command does the work of pairing each login with its matching logout so you can see who has logged into the system, where they came from, and how long they stayed. The information last can gather goes back as far as the wtmp file goes back, which is usually only until the last log rotation. Two caveats: sessions that never go through login(1), such as a backdoor shell bound to a port, leave no record at all, and an intruder who has already obtained root can edit or truncate these files, so an empty or oddly short wtmp is itself worth noticing.
System administrators need tools that help them keep a close eye on their users. An occasional run of the w command tells us what programs the users are currently running:
jjohnson@host:~% w
 1:45am  up 3 days, 12:03,  4 users,  load average: 1.55, 2.23, 2.35
USER     TTY    FROM           LOGIN@   IDLE    JCPU   PCPU   WHAT
gstuart  pts/0  192.168.1.10   1:44am   55.00s  0.04s  0.04s  ./scan
wave     pts/1  10.10.4.3      Sun 9am  9:57m   0.14s  0.11s  -bash
schuster pts/1  10.10.4.15     Mon 3pm  9:57m   0.14s  0.11s  pine
jjohnson pts/2  192.168.1.100  12:37am  1.00s   0.35s  0.08s  w
We can see that wave is idle at his bash prompt, schuster is reading his mail, and jjohnson is issuing the w command, but what's gstuart up to? He appears to be running a program called "scan" from his current working directory (the ./ prefix means it was not found on the system path, so it is something he brought with him or wrote himself).
This seems a bit suspicious. Let's run last on our system to find out who's been logging in (and how often). Because last produces a ton of output on a busy system, we'll pipe it through the head utility (standard on every Unix system) to read only the first few lines:
jjohnson@host:~% last | head
ilof      ftpd12204  ilofhost          Tue Feb 26 02:00   still logged in
ilof      ftpd11820  ilofhost          Tue Feb 26 01:59 - 02:00  (00:00)
derk      ftpd11786  10.10.4.88        Tue Feb 26 01:59 - 01:59  (00:00)
gstuart   pts/0      192.168.1.10      Tue Feb 26 01:59   still logged in
rlessen   ftpd11413  192.168.118.122   Tue Feb 26 01:59 - 01:59  (00:00)
deskel    ftpd11665  192.168.174.42    Tue Feb 26 01:59 - 01:59  (00:00)
ilof      ftpd11533  ilofhost          Tue Feb 26 01:59 - 01:59  (00:00)
derk      ftpd11189  10.10.4.88        Tue Feb 26 01:58 - 01:58  (00:00)
gstuart   pts/0      192.168.1.10      Tue Feb 26 01:58 - 01:59  (00:01)
deskel    ftpd11053  192.168.174.42    Tue Feb 26 01:58 - 01:58  (00:00)
Here we can see the 10 most recent login records, newest first, and how long each session lasted. Most of the users FTPed in (the FTP daemon writes its own records, using "ftpd" plus its process ID in place of a terminal name) and weren't on the system for long. What about gstuart? He logged in recently but stayed on for only a minute, and now he's logged in again. Let's take a look at his last few logins:
jjohnson@host:~% last | grep gstuart | head
gstuart   pts/0      192.168.1.10      Tue Feb 26 02:05   still logged in
gstuart   pts/0      192.168.1.10      Tue Feb 26 02:04 - 02:05  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 02:03 - 02:04  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 02:02 - 02:03  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 02:01 - 02:02  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 02:00 - 02:01  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 01:59 - 02:00  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 01:58 - 01:59  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 01:57 - 01:58  (00:01)
gstuart   pts/0      192.168.1.10      Tue Feb 26 01:56 - 01:57  (00:01)
Hmm. This guy is definitely up to something odd. He logs in, stays exactly one minute, logs off, and logs back on again, minute after minute from the same address. No person types that regularly; it looks like a script or a cron job driving the logins, perhaps one that runs his "scan" program in short bursts.
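How last turns the raw records into the session list above, and how the once-a-minute pattern can be flagged automatically instead of by eye, shown here as an added example that is not from the page or from the last utility. It assumes the 384-byte glibc x86_64 struct utmp layout (other platforms use a different record size) and builds its own constructed records that mirror the chapter's listing rather than reading a real /var/log/wtmp; the rapid_relogins thresholds are illustrative choices, not values from the text.

```python
"""Read wtmp-style login records and flag rapid re-login patterns.

Added example, not code from the page or from who/w/last. Assumes the
384-byte glibc x86_64 `struct utmp` layout (other platforms differ) and
uses constructed sample records rather than a real /var/log/wtmp.
"""
import struct
from collections import defaultdict

# glibc x86_64 struct utmp: type, pid, line, id, user, host, exit status,
# session, timestamp (sec, usec), IPv6 address, padding. 384 bytes total.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # session opened (a login)
DEAD_PROCESS = 8  # session closed (a logout)


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Encode one record; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Yield (type, line, user, host, tv_sec) for each record in the buffer."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        yield rec[0], _cstr(rec[2]), _cstr(rec[4]), _cstr(rec[5]), rec[9]


def sessions(data):
    """Pair each login with the next logout on the same tty, as last(1) does.

    Returns (user, line, host, start, end) tuples, newest first; end is None
    for sessions that are still open ("still logged in").
    """
    open_by_line, result = {}, []
    for ut_type, line, user, host, sec in parse_wtmp(data):
        if ut_type == USER_PROCESS:
            open_by_line[line] = (user, line, host, sec)
        elif ut_type == DEAD_PROCESS and line in open_by_line:
            user, line, host, start = open_by_line.pop(line)
            result.append((user, line, host, start, sec))
    result.extend((u, ln, h, s, None) for u, ln, h, s in open_by_line.values())
    result.sort(key=lambda s: s[3], reverse=True)
    return result


def rapid_relogins(sess, window=600, min_logins=5, max_duration=120):
    """Return {(user, host): n} for peers with at least min_logins sessions
    that each lasted <= max_duration seconds and began within `window` seconds."""
    starts = defaultdict(list)
    for user, _line, host, start, end in sess:
        if end is not None and end - start <= max_duration:
            starts[(user, host)].append(start)
    flagged = {}
    for key, ts in starts.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):  # sliding window over sorted start times
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= min_logins:
                flagged[key] = max(flagged.get(key, 0), i - j + 1)
    return flagged


T0 = 1_000_000_000  # arbitrary epoch base for the constructed sample


def sample_wtmp():
    """Constructed records mirroring the chapter's listing (not a real log)."""
    recs = [pack_record(USER_PROCESS, 100, "pts/1", "wave", "10.10.4.3", T0 - 36 * 3600)]
    for k in range(10):  # gstuart: log in every minute, stay exactly one minute
        t = T0 + 60 * k
        recs.append(pack_record(USER_PROCESS, 200 + k, "pts/0", "gstuart", "192.168.1.10", t))
        recs.append(pack_record(DEAD_PROCESS, 200 + k, "pts/0", "", "", t + 60))
    recs.append(pack_record(USER_PROCESS, 300, "ftpd11786", "derk", "10.10.4.88", T0 + 30))
    recs.append(pack_record(DEAD_PROCESS, 300, "ftpd11786", "", "", T0 + 40))
    recs.append(pack_record(USER_PROCESS, 211, "pts/0", "gstuart", "192.168.1.10", T0 + 600))
    return b"".join(recs)


if __name__ == "__main__":
    sess = sessions(sample_wtmp())
    for user, line, host, start, end in sess:
        dur = "still logged in" if end is None else f"({(end - start) // 60:02d} min)"
        print(f"{user:<9}{line:<11}{host:<16}{start}  {dur}")
    print("rapid re-logins:", rapid_relogins(sess))
```

To run it against a live Linux box, replace sample_wtmp() with open("/var/log/wtmp", "rb").read() on an x86_64 glibc system; on 32-bit Linux, the BSDs or Solaris the record layout differs and UTMP_FMT must be adjusted. Pairing on the tty name is the same heuristic last uses, which is why a crash that skips the logout record leaves a session open until the next login on that line replaces it.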
Now that we know gstuart is behaving strangely, we can take other measures to watch his activity and capture what he's doing. We can immediately make a copy of his home directory to view offline (use cp -Rp, or tar, so that file timestamps survive the copy), which lets us see his shell history, e-mail, and any tools he has recently downloaded and configured. We also see that he's been logging in on pts/0. Running ps gives us a list of all running processes so we can pick out the ones attached to that terminal (ps -t pts/0 on most systems, or ps -ef piped through grep). Gstuart may have left processes running that give a better indication of what he's up to, and a process with no controlling terminal that was started from one of his one-minute sessions is a likely candidate for a backdoor. As we gather more information, we can bring in more advanced, specific tools to put the pieces together and retrace his steps, but it all started with two simple system utilities.