
Re: Who is logged into this box?



2009/1/11 Robert Brockway <robert@timetraveller.org>:
> On Sun, 11 Jan 2009, Dotan Cohen wrote:
>
>> On a machine that I have root access to, how can I see who is logged
>> into the machine? Specifically, I suspect that a malicious entity is
>> logging on in a compromised account over SSH, even while the account's
>> user is sitting at the machine and logged in, so if I can catch two
>> simultaneous login sessions (one on the physical hardware, one over
>> ssh) then I can be sure. Thanks.
>
> w and who have been mentioned.  I generally prefer finger (which runs quite
> happily locally without a fingerd to connect to).
>
> You probably also want to look at last[1] which will show a history of when
> users were logged in.
>
> But...
>
> If you really think the a/c has been compromised then don't wait for the
> baddie to log in again.  Lock the account.  Scan the box for anomalies (eg,
> checkrootkit) and take a particular interest in that a/c.
>
> If you don't find any evidence that the baddie broke root then you may wish to
> reset the a/c password and move on.  If you find any evidence that the
> baddie broke root then best practice is to restore the box from known good
> backups.  You can never guarantee that you found all of the backdoors that a
> cracker may have left on a system.
>
> I'll stop now as there is a lot more I could say on this topic but it isn't
> necessary at this stage.
>
> [1] I comment out the entry concerning wtmp in /etc/logrotate.conf as this
> allows the login history to remain indefinitely.  Even for multi-user boxes
> that have been running for years I haven't found a problem doing this.  wtmp
> is tiny so disk space is hardly an issue.
>
> Cheers,
>
> Rob
>

Thanks, Rob. Although I found no evidence of the breakin that I had
suspected, I changed the password anyway. Like fine underwear,
passwords should be changed every few months for good measure.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
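The check Dotan describes (two simultaneous sessions for one account, one on the console and one over SSH) can be automated from `who` output. The script below is an added example, not part of the thread or either poster's own tooling; it assumes the usual `who` line layout (USER LINE DATE TIME, with a remote HOST in parentheses for SSH logins and an X display such as `(:0)` for local graphical sessions), and the sample lines it runs against are constructed, not real logins.

```shell
#!/bin/sh
# Flag accounts that hold a local console session and a remote (SSH)
# session at the same time, reading `who` output from stdin.
#
# Assumed `who` line layout: USER LINE DATE TIME [(HOST)]
#   - console logins (tty1, tty2, ...) carry no HOST
#   - SSH logins (pts/N) carry the client address in parentheses
#   - local X sessions carry a display such as (:0); treated as local

flag_concurrent() {
    awk '
    {
        user = $1
        host = ""
        # Trailing "(...)" is the origin host, if any
        if (match($0, /\([^)]*\)$/)) {
            host = substr($0, RSTART + 1, RLENGTH - 2)
        }
        if (host == "" || host ~ /^:/) {
            loc[user]++
        } else {
            rem[user]++
            sep = (user in hosts) ? "," : ""
            hosts[user] = hosts[user] sep host
        }
    }
    END {
        # Report only accounts seen both locally and remotely
        for (u in loc) {
            if (u in rem) {
                printf "%s local=%d remote=%d from %s\n", u, loc[u], rem[u], hosts[u]
            }
        }
    }' | sort
}

# Constructed sample of `who` output (hypothetical users and addresses):
#   alice: console plus an SSH session -> flagged
#   bob:   SSH only                    -> not flagged
#   carol: console plus local X (:0)   -> not flagged
SAMPLE='alice    tty1         2009-01-11 09:12
alice    pts/0        2009-01-11 09:30 (192.0.2.10)
bob      pts/1        2009-01-11 09:35 (198.51.100.7)
carol    tty2         2009-01-11 08:50
carol    pts/2        2009-01-11 08:55 (:0)'

# On a live system run:  who | flag_concurrent
printf '%s\n' "$SAMPLE" | flag_concurrent
```

Because `who` reads utmp, which an intruder with root can clean, treat an empty result as weak evidence only; cross-check against `last` (wtmp) and the sshd entries in the system auth log, as Rob's advice about locking the account and scanning the box implies.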
