
Re: Who is logged into this box?



On Sun, 11 Jan 2009, Dotan Cohen wrote:

> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.

w and who have been mentioned. I generally prefer finger (which runs quite happily locally without a fingerd to connect to).

You probably also want to look at last[1] which will show a history of when users were logged in.

But...

If you really think the a/c has been compromised then don't wait for the baddie to log in again. Lock the account. Scan the box for anomalies (eg, chkrootkit) and take a particular interest in that a/c.

If you don't find any evidence that the baddie broke root then you may wish to reset the a/c password and move on. If you find any evidence that the baddie broke root then best practice is to restore the box from known good backups. You can never guarantee that you found all of the backdoors that a cracker may have left on a system.

I'll stop now as there is a lot more I could say on this topic but it isn't necessary at this stage.

[1] I comment out the entry concerning wtmp in /etc/logrotate.conf as this allows the login history to remain indefinitely. Even for multi-user boxes that have been running for years I haven't found a problem doing this. wtmp is tiny so disk space is hardly an issue.

Cheers,

Rob

--
I tried to change the world but they had a no-return policy
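The check the original poster asks for (a user holding a console session and a remote pts session at the same time) can be automated over the output of `who`. This is an added example, not code from the thread; it assumes the GNU `who` column layout (USER LINE DATE TIME [(HOST)]) and uses a constructed sample in place of the live command.

```shell
#!/bin/sh
# Added example (not from the original thread): flag users who hold a local
# console session and a remote pts session at the same time, from `who` output.
# Assumed field layout: USER LINE DATE TIME [(HOST)] as printed by GNU `who`.

# Constructed sample `who` output standing in for the live command.
SAMPLE_WHO='alice    tty1         2009-01-11 09:02
alice    pts/0        2009-01-11 09:40 (203.0.113.7)
bob      pts/1        2009-01-11 08:15 (192.0.2.10)
carol    tty2         2009-01-11 07:30
carol    pts/2        2009-01-11 07:31 (:0.0)'

# Reads `who`-style lines on stdin; prints each user who has both a local
# tty (no host column) and a pts session whose host is not a local X display.
dual_sessions() {
    awk '
        $2 ~ /^tty/ && $5 == ""    { console[$1] = 1 }
        $2 ~ /^pts\// && $5 ~ /^\(/ {
            host = substr($5, 2, length($5) - 2)
            # hosts like ":0.0" are local X displays, not SSH logins
            if (host !~ /^:/) remote[$1] = host
        }
        END {
            for (u in console)
                if (u in remote) printf "%s console+ssh from %s\n", u, remote[u]
        }
    ' | sort
}

# On a live box run: who | dual_sessions
printf '%s\n' "$SAMPLE_WHO" | dual_sessions
```

Only alice is reported: bob has no console session and carol's second session comes from a local X display rather than a remote host.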

