LinuxQuestions.org
Old 10-21-2014, 12:47 PM   #1
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Rep: Reputation: 0
Log into a UNIX box without a trace?


Hi all,

I have a user who I know logs into my UNIX boxes many times a day, but when I check all the log files I only see one or two entries per month! How is that possible? If this user is using WinSCP, wouldn't the machine log his login attempts? What about PuTTY?

Can someone shed some light on this please?

Thank you all
 
Old 10-21-2014, 01:03 PM   #2
c0d3d
Member
 
Registered: Aug 2012
Posts: 74

Rep: Reputation: 12
Could you post your log files and their locations? That might help.
 
Old 10-21-2014, 03:40 PM   #3
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
I haven't changed the default locations. So let me change my question:

1) Are there ways to log into the machine without leaving any trace?

2) Will logging into a UNIX box via WinSCP leave an entry in the access log?

3) Can a user remove some of the entries from the log files and leave the rest?

Thanks
 
Old 10-21-2014, 08:32 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, and whatever VMs I happen to be playing with
Posts: 11,651
Blog Entries: 12

Rep: Reputation: 2894
It is indeed possible for a sophisticated intruder to remove most traces of his presence on a computer. See this article for some of the techniques.

Last edited by frankbell; 10-21-2014 at 08:33 PM.
 
Old 10-21-2014, 08:51 PM   #5
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by frankbell View Post
It is indeed possible for a sophisticated intruder to remove most traces of his presence on a computer. See this article for some of the techniques.
Thank you so much, this is great and I have seen this article before. The thing is, this article shows how to remove ALL entries from the file, but what I'm faced with is that the file has some entries throughout the years: it shows two or three login attempts for each month and the rest of the entries are missing.
Can that user delete only specific lines and leave some there?

Thanks in advance
 
Old 10-22-2014, 07:28 AM   #6
Soadyheid
Senior Member
 
Registered: Aug 2010
Location: Near Edinburgh, Scotland
Distribution: Cinnamon Mint 17.3 and 18 at present.
Posts: 1,192

Rep: Reputation: 204
Just curious...
Quote:
I have a user who I know logs into my UNIX boxes many times a day
How do you know he/she logs in many times a day? What evidence have you that suggests this is going on?
Do you know who the culprit is and if so, why can't you ask them how they're doing it? What's being changed on your system? Could there be another explanation?

Sorry, not a very "Linux" reply, but I'm into Jo Nesbo detective stories at the moment and your question sounds interesting from that perspective as well!

Play Bonny!

 
Old 10-22-2014, 07:49 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255
It partly depends on what logs you are looking at.

MOST shell-level logins get a pseudoterminal for interactive use; these normally show up in utmp/wtmp records.

ssh without a terminal (such as "ssh localhost who" will show) does not, and thus is not recorded.

One way to get an interactive interface without getting recorded in the utmp/wtmp files is shown by "ssh localhost xterm -ut". This depends on the xterm utility not adding a record to the utmp/wtmp files.

scp does not get a terminal, and thus does not record a login via utmp/wtmp.

HOWEVER, sshd will record logins in the /var/log/messages file if it is so configured (usually the sshd.conf file in /etc/ssh, check the logging options).
 
Old 10-22-2014, 09:39 AM   #8
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Thanks for your replies. I know for a fact that he logs in at least two times a day; I can't see the attempts, though.

So WinSCP doesn't leave a log. Will PuTTY leave a log which can be viewed by running the lastlog command?
 
Old 10-22-2014, 10:04 AM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,654

Rep: Reputation: 1255
I think it does - as long as it is using a pseudoterminal. Using it for file transfer however, likely will not.
 
Old 10-22-2014, 11:20 AM   #10
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,131

Rep: Reputation: 333
Is this a white hat user doing no harm and you're just wanting to learn, or some black hat hacker you're trying to chase down and eradicate? Are you looking for examples of a specific login you think he's using? Could he be using more than one login and you're not checking the others? Point being, don't base your search methods on a faulty assumption. If you're assuming he's only using one login, but he's actually using multiple ones, well, there's your answer. Just an example.
 
Old 10-22-2014, 11:32 AM   #11
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 12,601
Blog Entries: 25

Rep: Reputation: 1981
Member Response

Hi,

Personally, I would be very concerned with a user that is able to remove trace(s) of their intrusion(s). I suggest that you consider looking at;
Quote:
Linux Security Tools:
List of Linux Security Audit and Hacker Software Tools <- 'It is important for Linux users and System administrators to be aware of the tools hackers employ and the software used to monitor and counter such activity. I actually like to use many of the following tools to test the integrity of my servers.' + Also see the YoLinux Internet Security Tutorial (secure Linux configuration tutorial)
rkhunter <- 'Rootkit Hunter(SlackBuild for 14.1), security monitoring and analyzing tool for POSIX compliant systems.' + 'RKHunter is a scanning tool that scans for rootkits, backdoors, and local exploits by running tests like MD5 hash comparison, known rootkit files, incorrect permissions on binaries, suspect strings in LKM and LKD modules, and hidden files.' + Great tool
Rootkit Hunter: IptabLex, IptabLes <- 'Unspawn's blog showing excellent work for Rootkit Hunter' + 'Useful hints & policy for root kits' + 'If you think you need help then look here' + Or check out Linux - Security Forum

Above links are from the Security section of Slackware®-Links. More than just Slackware Links!
Hope this helps.
Have fun & enjoy!
 
Old 10-22-2014, 08:51 PM   #12
tezarin
Member
 
Registered: Nov 2007
Posts: 133

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by haertig View Post
Is this a white hat user doing no harm and you're just wanting to learn, or some black hat hacker you're trying to chase down and eradicate? Are you looking for examples of a specific login you think he's using? Could he be using more than one login and you're not checking the others? Point being, don't base your search methods on a faulty assumption. If you're assuming he's only using one login, but he's actually using multiple ones, well, there's your answer. Just an example.
He is one of the users who only uses the root account. I was asked by management to report his specific login dates and times. That user is supposed to be checking the main server every day, but the records don't show daily logins, though he claims that he did log in every day.

1) I know he uses WinSCP and transfers files to his machine to work on. Will lastlog show those login attempts?
2) How specifically can he log in without leaving an entry in the lastlog file? Which software will let him access the files without leaving a login?

Thank you
 
Old 10-22-2014, 09:15 PM   #13
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,353

Rep: Reputation: 1989
Quote:
Originally Posted by tezarin View Post
He is one of the users who only uses the root account, I was asked by the management to report his specific login dates and times. That user is supposed to be checking the main server everyday but the records don't show daily logins but he claims that he did log in everyday.
That doesn't agree with what you originally said:
Quote:
Originally Posted by tezarin
I know for a fact that he logs in at lease two times a day
So which is it? Do you "know for a fact" that he logs in two times a day, or are you taking his word for it?

Since he's just inspecting some files, is it possible that rather than ssh'ing into the server to see the files, he has set up a cron job on your server to scp the files to his machine at regular intervals, so he just inspects them locally? In which case you wouldn't be looking for incoming connections, you'd be looking for outgoing connections.

As far as I know, most distributions are configured to log incoming ssh connections to /var/log/messages or /var/log/secure by default. So unless your system is configured differently, there are two options here:

1) He's not logging in twice a day (so either he's not checking the system, or he's set it up to autonomously send the necessary log files to his own machine at regular intervals).

2) He's deleting entries to "cover his tracks".

What ssh client he's using does not factor into the equation, since it's your system that's accepting the connection and should be logging the entry.

The fact is, since he has root access, he can do literally anything he wants on your system. He can cover his tracks, he can install malware, he can hijack your system for bitcoin mining, he can block access to all other users, he can format the entire system and leave you dead in the water. Anything he wants. Root access should never be granted to anybody you do not trust entirely. The mere existence of this thread and your questions implies that you don't trust his word, which begs the question, why on Earth does he have root access to begin with?

Last edited by suicidaleggroll; 10-22-2014 at 09:25 PM.
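The two answers above (jpollard's point that a session which never gets a pseudoterminal never reaches utmp/wtmp, and suicidaleggroll's that sshd itself logs every accepted connection to /var/log/secure whatever client is used) can be turned into a concrete check. The following is an added example, not code from the thread or from any of the posters: it parses constructed sample lines in /var/log/secure format together with a constructed wtmp file and reports which sshd-accepted logins have no matching wtmp record, i.e. the ones last and lastlog will never show. Assumed rather than taken from the page: the wtmp record layout is glibc's 384-byte struct utmp on x86_64, the exact wording of the sshd messages, that timestamps are UTC, and that the caller supplies the year (syslog lines carry none).

```python
"""Correlate sshd's authentication log with wtmp to find logins that
last/lastlog will never show (sessions that never got a pseudoterminal).
Added example, not code from the thread.  Assumptions: the wtmp layout is
glibc's struct utmp on x86_64 (384 bytes, little-endian); the log lines
are constructed samples in /var/log/secure syslog format; timestamps are
treated as UTC with the year supplied by the caller."""
import calendar
import re
import struct
from collections import defaultdict
from datetime import datetime, timezone

# glibc x86_64 struct utmp with explicit padding: ut_type, pad, ut_pid, ut_line,
# ut_id, ut_user, ut_host, ut_exit(2), ut_session, ut_tv(2), ut_addr_v6(4), unused
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 bytes
USER_PROCESS, DEAD_PROCESS = 7, 8        # ut_type values from <utmp.h>

# "Accepted <method> for <user> from <host> port <n>" as logged by sshd (assumed wording)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+")


def c_str(raw):
    """Decode a NUL-padded fixed-width utmp field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def epoch(year, syslog_ts):
    """Syslog stamps carry no year or zone; caller supplies the year, zone is UTC."""
    dt = datetime.strptime(f"{year} {syslog_ts}", "%Y %b %d %H:%M:%S")
    return calendar.timegm(dt.timetuple())


def make_wtmp_record(ut_type, line, user, host, tv_sec, pid=0):
    """Pack one utmp record (used here only to build the constructed sample)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Return (user, host, tv_sec) for every USER_PROCESS record: exactly the
    logins that last(1) would print."""
    logins = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        if rec[0] == USER_PROCESS:            # rec[4]=ut_user rec[5]=ut_host rec[9]=tv_sec
            logins.append((c_str(rec[4]), c_str(rec[5]), rec[9]))
    return logins


def accepted_logins(sshd_lines, year):
    """Every successful authentication sshd logged, pty or not."""
    out = []
    for line in sshd_lines:
        m = ACCEPTED_RE.match(line)
        if m:
            out.append((m["user"], m["host"], epoch(year, m["ts"])))
    return out


def correlate(sshd_lines, wtmp_bytes, year, window=30):
    """Tag each sshd-accepted login with whether wtmp holds a matching pty
    session (same user and host within `window` seconds)."""
    wtmp = parse_wtmp(wtmp_bytes)
    result = []
    for user, host, t in accepted_logins(sshd_lines, year):
        in_wtmp = any(u == user and h == host and abs(ts - t) <= window
                      for u, h, ts in wtmp)
        result.append({"user": user, "host": host, "time": t, "in_wtmp": in_wtmp})
    return result


def per_day(events):
    """day -> count of sshd logins and of those invisible to last/lastlog."""
    days = defaultdict(lambda: {"accepted": 0, "no_pty": 0})
    for e in events:
        day = datetime.fromtimestamp(e["time"], timezone.utc).strftime("%Y-%m-%d")
        days[day]["accepted"] += 1
        if not e["in_wtmp"]:
            days[day]["no_pty"] += 1
    return dict(days)


# Constructed sample: two sftp-style logins (WinSCP, no pty) and one interactive
# login (PuTTY); only the interactive one ever reaches wtmp.
SAMPLE_SECURE = """\
Oct 22 07:05:12 srv1 sshd[4111]: Accepted password for root from 10.0.0.5 port 50122 ssh2
Oct 22 07:05:12 srv1 sshd[4111]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 22 07:05:13 srv1 sshd[4120]: subsystem request for sftp by user root
Oct 22 18:31:02 srv1 sshd[5230]: Accepted password for root from 10.0.0.5 port 50987 ssh2
Oct 22 18:31:02 srv1 sshd[5230]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 23 08:00:45 srv1 sshd[6002]: Accepted publickey for root from 10.0.0.5 port 51200 ssh2
Oct 23 08:00:46 srv1 sshd[6010]: subsystem request for sftp by user root
""".splitlines()

SAMPLE_YEAR = 2014
t_pty = epoch(SAMPLE_YEAR, "Oct 22 18:31:02")
SAMPLE_WTMP = (make_wtmp_record(USER_PROCESS, "pts/0", "root", "10.0.0.5", t_pty, 5240)
               + make_wtmp_record(DEAD_PROCESS, "pts/0", "", "", t_pty + 600, 5240))

if __name__ == "__main__":
    events = correlate(SAMPLE_SECURE, SAMPLE_WTMP, SAMPLE_YEAR)
    for e in events:
        when = datetime.fromtimestamp(e["time"], timezone.utc).isoformat()
        print(when, e["user"], e["host"], "pty" if e["in_wtmp"] else "NO PTY (absent from last)")
    print(per_day(events))
```

To run it against a real box, feed correlate() the lines of /var/log/secure (or /var/log/auth.log on Debian-derived systems) and the bytes of /var/log/wtmp, with the year the log covers. Every entry reported without a pty is the scp/sftp traffic the original poster could not find in lastlog. The caveat from the same posts still applies: a user with root can edit both files, so agreement between them proves little; it is the disagreement, sshd logins with no wtmp record, that is the useful signal.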
 
Old 10-22-2014, 09:18 PM   #14
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 12,601
Blog Entries: 25

Rep: Reputation: 1981
Member Response

Hi,

Now we get more of the story. Do you have more information that may help us to help you solve this issue(s)? You can use 'last | more' to see logins;
Quote:
man last;
last, lastb - show listing of last logged in users

SYNOPSIS
last [-R] [-num] [ -n num ] [-adFiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [-adFiowx] [name...] [tty...]

DESCRIPTION
Last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since
that file was created. Names of users and tty's can be given, in which case last will show only those entries matching the arguments. Names of ttys
can be abbreviated, thus last 0 is the same as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal last will then terminate.

The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.

Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
Please consider reading;
Quote:
FYI: Netiquette is a set of social conventions that facilitate interaction over networks, ranging from Usenet and mailing lists to blogs and forums.

FYI: I suggest that you look at 'How to Ask Questions the Smart Way' so in the future your queries provide information that will aid us in diagnosis of the problem or query.
By providing a good descriptive post then we can be sure to aid you without wasting yours or our time. Instead of gaining information as the thread expands.

Hope this helps.
Have fun & enjoy!
 
Old 10-22-2014, 09:33 PM   #15
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 12,601
Blog Entries: 25

Rep: Reputation: 1981
Member Response

Hi,

One other thought; look at time stamps on the logs or other files.
suicidaleggroll has a good point. How do you know that this user is logging in twice per day? 'root' should not be shared. <Please note the period.

You will always be open to problems when more than one person has root privileges.
 
  

