Monitoring Connections


There are many commands that can be used to monitor user connections. Generally, the commands used by a hacker to watch what is happening on a system are the same commands that a system manager uses to see the activity of a system. These commands report who is connected, how long they have been connected, and from where they are connected. They can also show what programs the users are running.

Connections can be monitored at many levels. At the lower levels, information about which interface, what port, or on what phone line the connection was made can be captured. At the higher levels, you can determine the user ID and the resources being used.

For most hackers, it is almost reflexive to check who is on the system as soon as they log in, to determine whether anyone is present who might notice them. The system manager should get into the same habit, to see whether anyone is there who should not be. Knowing what activities are appropriate on a system is the system manager's greatest advantage.

Active Connections

Active connections are reported from the information in the log /etc/utmp. This file contains information about the users currently on the system; every program that lists the logged-in users reads it, and the login programs are responsible for writing the entries. Some services have options that do not record connections at all and thus provide an easy way to connect stealthily. Hackers also replace system programs with Trojan horse versions that do not log their connections, and there are a variety of hacker tools that modify utmp directly. A system manager therefore cannot trust the commands that report active connections to be reliable, especially if the system is suspected of being compromised.

Auditing provides an additional method of logging connections. The system manager should audit connections to the system, which records who logged on and from where; this record can then be compared with the utmp log to find discrepancies.

Completed Connections

System logs record the activities of users and processes on a system after they have completed. The /etc/wtmp log contains connection information for completed connections. Connection information can also be logged through the standard syslog facility, which can write logs to remote servers where they are less likely to be altered.
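The check described under Active Connections, comparing what utmp reports with an independent audit trail, as an added example that is not the book's own code. It assumes the glibc x86_64 struct utmp record layout (384 bytes, little-endian); wtmp uses the same record format, so the same parser reads completed connections. The utmp bytes and the sshd syslog lines are constructed sample data, and the audit trail is taken to be sshd's "Accepted ... for <user> from <host>" lines.

```python
"""Cross-check utmp/wtmp login records against an independent audit log.

Added example for this section, not code from the book. It assumes the
glibc x86_64 "struct utmp" layout (384-byte little-endian records); the
utmp bytes and the sshd syslog lines below are constructed sample data.
"""
import re
import struct

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], exit_status (2 shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes  (assumed layout)
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7    # a normal login session (live in utmp, historical in wtmp)
DEAD_PROCESS = 8    # a session that has ended (wtmp logout record)

# sshd "Accepted <method> for <user> from <host> port <n>" lines
AUTH_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


def _cstr(field):
    """Decode a NUL-padded C string field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(data):
    """Return one dict per record; works for utmp and wtmp alike."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated utmp/wtmp data")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host),
                        "time": tv_sec})
    return records


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one constructed record (used only to build sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0,
                       tv_sec, 0, 0, 0, 0, 0)


def find_discrepancies(utmp_data, auth_log):
    """Compare live sessions in utmp with logins the audit trail recorded.

    A login that sshd accepted but that never appears in utmp points at a
    Trojaned login program or a utmp editor; a utmp session with no audit
    record is either a local login or a forged entry, and needs a look.
    """
    active = {(r["user"], r["host"]) for r in parse_utmp(utmp_data)
              if r["type"] == USER_PROCESS}
    audited = set(AUTH_RE.findall(auth_log))
    return {"missing_from_utmp": sorted(audited - active),
            "missing_from_audit": sorted(active - audited)}


# --- constructed sample data -------------------------------------------
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 4321, "pts/0", "alice", "10.0.0.5", 1046682721),
    make_record(USER_PROCESS, 2210, "tty1", "carol", "", 1046680000),
    make_record(DEAD_PROCESS, 3999, "pts/1", "", "", 1046681000),
])
# bob's sshd login below has no USER_PROCESS record in SAMPLE_UTMP
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 host sshd[4321]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:15:44 host sshd[4388]: Accepted password for bob from 192.0.2.77 port 40211 ssh2
"""

if __name__ == "__main__":
    for kind, pairs in find_discrepancies(SAMPLE_UTMP, SAMPLE_AUTH_LOG).items():
        for user, host in pairs:
            print(f"{kind}: user={user!r} host={host or 'local'!r}")
```

On a real host, read the bytes from /var/run/utmp (or /var/log/wtmp) and the audit lines from the auth log; the two sources are written by different programs, which is exactly why a mismatch between them is informative. Local console logins show up only in the second list because sshd never saw them, so match those against the console's own audit source before treating them as suspect.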

Dial-up Lines

Today, with the widespread availability of Caller ID, dial-up access can log not only the time and the user ID used to gain access, but also the phone number from which the connection was made. You can use a printing Caller ID device, which prints the time and telephone number, or one of the modems that support Caller ID. These modems can be used with a modified login program to log the calling phone number into the standard logging environment.

This is a great help when it comes to tracking down the hacker. However, it does not eliminate false leads from connection laundering or from hackers who are able to hack the telephone system.
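What the modified login program described above would have to do with the modem's Caller ID report, as an added example that is not the book's own code. It assumes the common modem report format (DATE, TIME, NMBR and NAME lines delivered between RINGs, with NMBR reported as "P" for a blocked number and "O" for out of area); the report, user name and line are constructed.

```python
"""Record a modem's Caller ID report alongside a dial-up login.

Added example for this section, not code from the book. It assumes the
common modem Caller ID report (DATE/TIME/NMBR/NAME lines sent between
RINGs, with NMBR "P" for a blocked number and "O" for out of area); the
report and the login details below are constructed.
"""
import re

CID_LINE = re.compile(r"^\s*(DATE|TIME|NMBR|NAME)\s*=\s*(.+?)\s*$")


def parse_caller_id(report):
    """Collect the DATE/TIME/NMBR/NAME fields from a modem's CID report."""
    fields = {}
    for line in report.splitlines():
        m = CID_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def calling_number(fields):
    """Normalise NMBR: the digits, or a word saying why none was delivered."""
    raw = fields.get("NMBR", "")
    if raw == "P":
        return "blocked"
    if raw == "O":
        return "out-of-area"
    digits = re.sub(r"\D", "", raw)
    return digits or "unavailable"


def login_message(user, tty, fields):
    """The line a modified login program would hand to syslog."""
    return (f"DIALUP LOGIN user={user} line={tty} "
            f"callerid={calling_number(fields)} "
            f"cid_time={fields.get('DATE', '????')}{fields.get('TIME', '????')}")


def log_caller_id(user, tty, fields):
    """Write the record into the standard logging environment (auth facility)."""
    import syslog  # Unix only
    syslog.openlog("login", syslog.LOG_PID, syslog.LOG_AUTH)
    syslog.syslog(syslog.LOG_INFO, login_message(user, tty, fields))


# constructed modem output for one incoming call
SAMPLE_REPORT = (
    "RING\n\n"
    "DATE = 0303\nTIME = 0912\nNMBR = 5550123\nNAME = ACME CORP\n\n"
    "RING\n"
)

if __name__ == "__main__":
    print(login_message("alice", "ttyS1", parse_caller_id(SAMPLE_REPORT)))
```

The reason to record "blocked" and "out-of-area" explicitly rather than leaving the field empty is that a missing number is itself a lead: a caller who hides the number on every call stands out in the log just as a repeated number does.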

Network Connections

A socket is a connection between two systems over a specific port. Socket connections allow for program-to-program communication over the network, and sockets are the basis for all network-based processes. The network statistics command, netstat, with appropriate options, will show which sockets have active connections and to which systems those connections are made.
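The same information netstat reports, decoded from the kernel's socket table, as an added example that is not the book's own code. It assumes the Linux /proc/net/tcp format (netstat reads this file on Linux; addresses and ports are little-endian hex); the table below is constructed. Reading the table directly matters for the same reason given for utmp above: a Trojan horse replacement of netstat can omit connections, and an independent reading of the source data is one way to notice that.

```python
"""List established TCP sockets and their peers from /proc/net/tcp data.

Added example for this section, not code from the book. On Linux,
netstat reads /proc/net/tcp, where addresses are little-endian hex
(assumed format); the table below is constructed sample data.
"""
import socket
import struct
from collections import defaultdict

TCP_ESTABLISHED = "01"
TCP_LISTEN = "0A"


def decode_addr(field):
    """'0100000A:0016' -> ('10.0.0.1', 22) for the little-endian hex form."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a list of sockets with decoded addresses, state and owning uid."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # data rows start with the slot number ("0:"); the header does not
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        sockets.append({"local": decode_addr(fields[1]),
                        "remote": decode_addr(fields[2]),
                        "state": fields[3],
                        "uid": int(fields[7])})
    return sockets


def listening_ports(text):
    """Ports with a socket in LISTEN state."""
    return sorted(s["local"][1] for s in parse_proc_net_tcp(text)
                  if s["state"] == TCP_LISTEN)


def established_peers(text):
    """Group live connections by remote host: {ip: [(local_port, remote_port, uid)]}."""
    peers = defaultdict(list)
    for s in parse_proc_net_tcp(text):
        if s["state"] == TCP_ESTABLISHED:
            peers[s["remote"][0]].append((s["local"][1], s["remote"][1], s["uid"]))
    return {ip: sorted(conns) for ip, conns in peers.items()}


# constructed /proc/net/tcp contents: one listener on 22, three live sessions
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100000A:0016 0500000A:C74E 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0100000A:0016 4D0200C0:9D13 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
   3: 0100000A:0FA1 0500000A:D430 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("listening:", listening_ports(SAMPLE_PROC_NET_TCP))
    for ip, conns in sorted(established_peers(SAMPLE_PROC_NET_TCP).items()):
        for local_port, remote_port, uid in conns:
            print(f"{ip}:{remote_port} -> local port {local_port} (uid {uid})")
```

Run against the real file with `parse_proc_net_tcp(open("/proc/net/tcp").read())`; the remote hosts it lists are the ones to reconcile with the login records above, since a session with a socket but no corresponding user entry is worth a closer look.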



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
