On Sun, 11 Jan 2009, Dotan Cohen wrote:
> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.

w and who have been mentioned. I generally prefer finger (which runs
quite happily locally without a fingerd to connect to).
You probably also want to look at last[1] which will show a history of
when users were logged in.
But...
If you really think the a/c has been compromised then don't wait for the
baddie to log in again. Lock the account. Scan the box for anomalies
(e.g., chkrootkit) and take a particular interest in that a/c.
If you don't find any evidence that the baddie broke root then you may wish to
reset the a/c password and move on. If you find any evidence that the
baddie broke root then best practice is to restore the box from known good
backups. You can never guarantee that you found all of the backdoors that
a cracker may have left on a system.
I'll stop now as there is a lot more I could say on this topic but it
isn't necessary at this stage.
[1] I comment out the entry concerning wtmp in
/etc/logrotate.conf as this allows the login history to remain
indefinitely. Even for multi-user boxes that have been running for years
I haven't found a problem doing this. wtmp is tiny so disk space is
hardly an issue.
Cheers,
Rob
--
I tried to change the world but they had a no-return policy