Re: Who is logged into this box?

2009-01-11 Thread Dotan Cohen
2009/1/12 Chris Jones :
> On Sun, Jan 11, 2009 at 05:16:14PM EST, Dotan Cohen wrote:
>> 2009/1/11 Robert Brockway :
>> > On Sun, 11 Jan 2009, Dotan Cohen wrote:
>
>> Like fine underwear, passwords should be changed every few months for good
>> measure.
>
> What? You recommend changing underwear every few months..??
>
> I certainly envy you for the tolerant disposition of your relatives, friends,
> or fellow workers.
>

I've heard it said once that passwords are like underwear: you don't
share them with your friends, you don't hang them on your monitor, and
you change them twice yearly. I only wish that I could take credit for
that poetic quote.

(It's an ingenious quote: because of the humour, users tend to remember it.)

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü


Re: Who is logged into this box?

2009-01-11 Thread Chris Jones
On Sun, Jan 11, 2009 at 05:16:14PM EST, Dotan Cohen wrote:
> 2009/1/11 Robert Brockway :
> > On Sun, 11 Jan 2009, Dotan Cohen wrote:

> Like fine underwear, passwords should be changed every few months for good
> measure.

What? You recommend changing underwear every few months..?? 

I certainly envy you for the tolerant disposition of your relatives, friends,
or fellow workers.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: Who is logged into this box?

2009-01-11 Thread Dotan Cohen
2009/1/11 Robert Brockway :
> On Sun, 11 Jan 2009, Dotan Cohen wrote:
>
>> On a machine that I have root access to, how can I see who is logged
>> into the machine? Specifically, I suspect that  a malicious entity is
>> logging on in a compromised account over SSH, even while the account's
>> user is sitting at the machine and logged in, so if I can catch two
>> simultaneous login sessions (one on the physical hardware, one over
>> ssh) then I can be sure. Thanks.
>
> w and who have been mentioned.  I generally prefer finger (which runs quite
> happily locally without a fingerd to connect to).
>
> You probably also want to look at last[1] which will show a history of when
> users were logged in.
>
> But...
>
> If you really think the a/c has been compromised then don't wait for the
> baddie to log in again.  Lock the account.  Scan the box for anomalies (eg,
> checkrootkit) and take a particular interest in that a/c.
>
> If you don't find any evidence that the baddie broke root then you may wish to
> reset the a/c password and move on.  If you find any evidence that the
> baddie broke root then best practice is to restore the box from known good
> backups.  You can never guarantee that you found all of the backdoors that a
> cracker may have left on a system.
>
> I'll stop now as there is a lot more I could say on this topic but it isn't
> necessary at this stage.
>
> [1] I comment out the entry concerning wtmp in /etc/logrotate.conf as this
> allows the login history to remain indefinitely.  Even for multi-user boxes
> that have been running for years I haven't found a problem doing this.  wtmp
> is tiny so disk space is hardly an issue.
>
> Cheers,
>
> Rob
>

Thanks, Rob. Although I found no evidence of the breakin that I had
suspected, I changed the password anyway. Like fine underwear,
passwords should be changed every few months for good measure.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



Re: Who is logged into this box?

2009-01-11 Thread Dotan Cohen
2009/1/11 Michael Shuler :
> Since it has not been mentioned in the other replies, I would certainly
> think that scrutiny of /var/log/auth.log is due.  The logs should show
> you when the user has logged in, and from what remote IP addresses.  It
> should be quite simple to correlate those times and locations with your
> user.
>

Thank you, that did give me the information that I needed.

> 'whois 11.22.33.44' on those IP addresses will get you an idea of the
> physical location (not precise in all cases, but an idea) the logins
> came from.
>

I did not realize that whois worked with IP addresses. Thanks.

> In any case - do not delay changing that user's password to a new strong
> one!
>

Done! Even though it was already strong (over 12 characters,
AlphaNumeric of varying case)

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



Re: Who is logged into this box?

2009-01-11 Thread Robert Brockway

On Sun, 11 Jan 2009, Dotan Cohen wrote:

> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.


w and who have been mentioned.  I generally prefer finger (which runs 
quite happily locally without a fingerd to connect to).


You probably also want to look at last[1] which will show a history of 
when users were logged in.


But...

If you really think the a/c has been compromised then don't wait for the 
baddie to log in again.  Lock the account.  Scan the box for anomalies 
(eg, checkrootkit) and take a particular interest in that a/c.


If you don't find any evidence that the baddie broke root then you may wish to 
reset the a/c password and move on.  If you find any evidence that the 
baddie broke root then best practice is to restore the box from known good 
backups.  You can never guarantee that you found all of the backdoors that 
a cracker may have left on a system.


I'll stop now as there is a lot more I could say on this topic but it 
isn't necessary at this stage.


[1] I comment out the entry concerning wtmp in 
/etc/logrotate.conf as this allows the login history to remain 
indefinitely.  Even for multi-user boxes that have been running for years 
I haven't found a problem doing this.  wtmp is tiny so disk space is 
hardly an issue.


Cheers,

Rob

--
I tried to change the world but they had a no-return policy






Re: Who is logged into this box?

2009-01-11 Thread Michael Shuler
Dotan Cohen wrote:
> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that  a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.
> 

Since it has not been mentioned in the other replies, I would certainly
think that scrutiny of /var/log/auth.log is due.  The logs should show
you when the user has logged in, and from what remote IP addresses.  It
should be quite simple to correlate those times and locations with your
user.

'whois 11.22.33.44' on those IP addresses will get you an idea of the
physical location (not precise in all cases, but an idea) the logins
came from.

In any case - do not delay changing that user's password to a new strong
one!

-- 
Kind Regards,
Michael Shuler
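As an added example (not part of the thread or any poster's code), here is the correlation Michael describes, done in Python over a constructed auth.log excerpt: it pairs each sshd "Accepted ... from IP" line with the matching pam_unix session line and flags any SSH session opened for a user who already holds an open console login. The sample lines, the host name and the assumption that console logins appear under login(1) are all constructed.

```python
import re
from datetime import datetime

# Constructed auth.log excerpt in syslog format (no year); not real data.
SAMPLE_AUTH_LOG = """\
Jan 11 09:02:11 box login[1201]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Jan 11 09:40:05 box sshd[2345]: Accepted password for alice from 203.0.113.7 port 51022 ssh2
Jan 11 09:40:05 box sshd[2345]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 11 10:15:30 box sshd[2345]: pam_unix(sshd:session): session closed for user alice
Jan 11 11:00:00 box sshd[2600]: Accepted publickey for bob from 198.51.100.9 port 40000 ssh2
Jan 11 11:00:00 box sshd[2600]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan 11 17:30:00 box login[1201]: pam_unix(login:session): session closed for user alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")

CONSOLE_SERVICES = {"login"}  # assumption: console logins go through login(1)

def find_overlaps(log_text, year=2009):
    """Return (time, user, ip) for every SSH session opened while the same
    user already has a console session open."""
    console_open = {}  # user -> number of open console sessions
    ssh_ip = {}        # sshd pid -> source IP taken from its Accepted line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        svc, pid, msg = m["svc"], m["pid"], m["msg"]
        acc = ACCEPTED_RE.search(msg)
        if svc == "sshd" and acc:
            ssh_ip[pid] = acc["ip"]  # remember where this sshd child came from
            continue
        sess = SESSION_RE.search(msg)
        if not sess:
            continue
        user, opened = sess["user"], sess["state"] == "opened"
        if svc in CONSOLE_SERVICES:
            console_open[user] = console_open.get(user, 0) + (1 if opened else -1)
        elif svc == "sshd" and opened and console_open.get(user, 0) > 0:
            findings.append((ts, user, ssh_ip.get(pid, "unknown")))
    return findings

if __name__ == "__main__":
    for ts, user, ip in find_overlaps(SAMPLE_AUTH_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: SSH login from {ip} while on the console")
```

On a real system the year has to be supplied (syslog timestamps omit it), and auth.log rotation means the history only reaches back as far as the retained files, which is why keeping wtmp for `last`, as Rob suggests, complements this.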





Re: Who is logged into this box?

2009-01-11 Thread Paul Cartwright
On Sun January 11 2009, Tzafrir Cohen wrote:
> > Just typing "w" (without the quotes) should be adequate.
>
> While we're at it:
>
> "w" # (with the quotes) will actually do the same thing on the shell ;-)

wow.. fully formatted and much better info than even who -uT!!!

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459





Re: Who is logged into this box?

2009-01-11 Thread Paul Cartwright
On Sun January 11 2009, Dotan Cohen wrote:
> how can I see who is logged
> into the machine?

# who -uT
pbc      + tty7    2009-01-08 11:28   .      18900 (:0)
pbc      + pts/0   2009-01-08 15:58   .      19067 (:0.0)
pbc      + pts/1   2009-01-08 11:28 00:16    19067 (:0.0)
cilla    + tty8    2009-01-08 18:11 00:58    28825 (:20)

shows whether they are active, how long they have been logged in, and where
from.
-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459





Re: Who is logged into this box?

2009-01-11 Thread Dotan Cohen
2009/1/11 Koh Choon Lin :
>>> "w" # (with the quotes) will actually do the same thing on the shell
>
> who has more info than w. :)
>

You tell me!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



Re: Who is logged into this box?

2009-01-11 Thread Koh Choon Lin
>> > Just typing "w" (without the quotes) should be adequate.
>>
>> While we're at it:
>>
>> "w" # (with the quotes) will actually do the same thing on the shell

who has more info than w. :)


-- 
Koh Choon Lin





Re: Who is logged into this box?

2009-01-11 Thread Bob Cox
On Sun, Jan 11, 2009 at 10:01:59 +, Tzafrir Cohen (tzaf...@cohens.org.il) 
wrote: 

> On Sun, Jan 11, 2009 at 09:01:57AM +, Bob Cox wrote:
> 
> > Just typing "w" (without the quotes) should be adequate.
> 
> While we're at it:
> 
> "w" # (with the quotes) will actually do the same thing on the shell ;-)

You are right - thank you!   Next time I shall have to say something
like "the quotes are not necessary", or, more correctly "the quotation
marks are not necessary".

Personally, I call them inverted commas, but I think that's a British
English thing.

-- 
Bob Cox.  Stoke Gifford, near Bristol, UK.
Please reply to the list only.  Do NOT send copies directly to me.
Debian on the NSLU2: http://bobcox.com/slug/





Re: Who is logged into this box?

2009-01-11 Thread Tzafrir Cohen
On Sun, Jan 11, 2009 at 09:01:57AM +, Bob Cox wrote:

> Just typing "w" (without the quotes) should be adequate.

While we're at it:

"w" # (with the quotes) will actually do the same thing on the shell ;-)

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
ICQ# 16849754 || friend





Re: Who is logged into this box?

2009-01-11 Thread Rick Thomas


On Jan 11, 2009, at 4:16 AM, steve wrote:

> i often wondered where some of these commands got their name from
> myself. w?  and that is short for user in what way??

It's short for "who(1)", which does much the same thing, but
differently.


Rick






Re: Who is logged into this box?

2009-01-11 Thread steve
Dotan Cohen wrote:
> 2009/1/11 steve :
>> Dotan Cohen wrote:
>>> On a machine that I have root access to, how can I see who is logged
>>> into the machine? Specifically, I suspect that  a malicious entity is
>>> logging on in a compromised account over SSH, even while the account's
>>> user is sitting at the machine and logged in, so if I can catch two
>>> simultaneous login sessions (one on the physical hardware, one over
>>> ssh) then I can be sure. Thanks.
>>>
>> I believe just type w in a command line should dump all users.
>>
> 
> What ever happened to long, complicated commands?!?
> 
> Thanks!
> 

ok lol

 w -h -u -s -f -o  >users.txt


i often wondered where some of these commands got their name from
myself. w?  and that is short for user in what way??






-- 
Steve Reilly

http://reillyblog.com








Re: Who is logged into this box?

2009-01-11 Thread Dotan Cohen
2009/1/11 steve :
> Dotan Cohen wrote:
>> On a machine that I have root access to, how can I see who is logged
>> into the machine? Specifically, I suspect that  a malicious entity is
>> logging on in a compromised account over SSH, even while the account's
>> user is sitting at the machine and logged in, so if I can catch two
>> simultaneous login sessions (one on the physical hardware, one over
>> ssh) then I can be sure. Thanks.
>>
>
> I believe just type w in a command line should dump all users.
>

What ever happened to long, complicated commands?!?

Thanks!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



Re: Who is logged into this box?

2009-01-11 Thread Bob Cox
On Sun, Jan 11, 2009 at 10:54:25 +0200, Dotan Cohen (dotanco...@gmail.com) 
wrote: 

> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that  a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.

Just typing "w" (without the quotes) should be adequate.

-- 
Bob Cox.  Stoke Gifford, near Bristol, UK.
Please reply to the list only.  Do NOT send copies directly to me.
Debian on the NSLU2: http://bobcox.com/slug/





Re: Who is logged into this box?

2009-01-11 Thread steve
Dotan Cohen wrote:
> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that  a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.
> 

I believe just type w in a command line should dump all users.





-- 
Steve Reilly

http://reillyblog.com








Who is logged into this box?

2009-01-11 Thread Dotan Cohen
On a machine that I have root access to, how can I see who is logged
into the machine? Specifically, I suspect that  a malicious entity is
logging on in a compromised account over SSH, even while the account's
user is sitting at the machine and logged in, so if I can catch two
simultaneous login sessions (one on the physical hardware, one over
ssh) then I can be sure. Thanks.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
