Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Originally posted by masand: to see the tracks of any hacker you need to keep a tab on the utmp/wtmp files
This is not accurate. utmp and wtmp are written to by programs like login and other processes that use a login facility. Not all exploits are going to create an entry in these files. In addition, a user account with the appropriate access can "clean" these files. If you are simply waiting around for "hacker" (or some other equally recognizable username) to show up in your last output, then you're probably going to miss them.
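To make the point concrete, here is an added example (not code from any poster) that parses wtmp directly and looks for the footprints a log cleaner leaves behind. It assumes the 384-byte glibc struct utmp layout used on x86_64 Linux (ut_tv is a pair of int32 there; other architectures differ), and runs over a constructed wtmp image embedded in the script. Note what it cannot do: a bind shell or backdoored daemon that never calls login(1) produces no record at all, so a clean result from these heuristics proves nothing.

```python
import struct

# glibc struct utmp, x86_64 layout (384 bytes): ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec as int32), ut_addr_v6[4], __unused[20].
UTMP = struct.Struct("=hxxi32s4s32s256shhiii4i20s")
assert UTMP.size == 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct the sample wtmp below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def is_well_formed(data):
    """wtmp is append-only; a size that is not a whole number of records means
    the file was truncated or hand-edited rather than written by login(1)."""
    return len(data) % UTMP.size == 0


def parse_wtmp(data):
    if not is_well_formed(data):
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP.size))
    recs = []
    for off in range(0, len(data), UTMP.size):
        f = UTMP.unpack_from(data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def logins(recs):
    """What `last` would show: only USER_PROCESS records survive a cleaner."""
    return [(r["user"], r["host"], r["time"]) for r in recs if r["type"] == USER_PROCESS]


def tamper_signs(recs):
    """Heuristics for a wtmp that was edited in place. They catch clumsy cleanup
    only; access that bypassed login(1) leaves nothing here to find."""
    signs, last, open_lines = [], 0, set()
    for i, r in enumerate(recs):
        if r["type"] == EMPTY:
            # login(1) never appends EMPTY to wtmp; zeroing a record is the
            # classic cleaner footprint.
            signs.append("record %d zeroed in place" % i)
            continue
        if r["time"] < last:
            signs.append("record %d time goes backwards (%d < %d)" % (i, r["time"], last))
        last = max(last, r["time"])
        if r["type"] == BOOT_TIME:
            open_lines.clear()
        elif r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                # logout survived but the matching login was removed
                signs.append("record %d: logout on %s with no preceding login" % (i, r["line"]))
            open_lines.discard(r["line"])
    return signs


# Constructed sample: a reboot, a normal session, a login record that a cleaner
# zeroed (its logout survived), and a record appended with an earlier timestamp.
T0 = 1_090_000_000
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    pack_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", T0 + 600),
    pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", T0 + 900),
    b"\0" * UTMP.size,
    pack_record(DEAD_PROCESS, 1340, "pts/1", "", "", T0 + 1800),
    pack_record(USER_PROCESS, 1500, "pts/2", "bob", "10.0.0.7", T0 + 1500),
])

if __name__ == "__main__":
    records = parse_wtmp(SAMPLE_WTMP)
    for entry in logins(records):
        print("login:", entry)
    for sign in tamper_signs(records):
        print("tamper:", sign)
```

On a real box read /var/log/wtmp from a rescue boot with the suspect filesystem mounted read-only, so the parser is not itself running under a backdoored kernel.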
Originally posted by SocialEngineer: Yeah. I got tired of correcting everybody on the difference between a hacker and cracker, so I just let them live in ignorance (since they forget it 5 seconds later anyway).
Nice to hear that, please refer to RFC1392 while doing so.
Other than these I think you cannot look for any tracks in the system. Yes, they can be cleaned, which erases the tracks of the hacker who had logged in to the machine, so if this happens they cannot be tracked. I do not think we have any other file to check for login records.
I think you're missing the point. A person who is breaking into a system is not always going to use a method that creates wtmp entries for you to see in last output. You need to rely on other methods besides watching two files. Other methods for detecting an intrusion include log entries, unusual files (i.e. rootkits), suddenly appearing processes or binaries, modified config files or binaries, etc. If your only method for detecting an intrusion is watching wtmp, then your chances of discovering an attack are severely impaired.
Looking at utmp/wtmp happens to be the most classical way of looking for hackers. It is true that we cannot entirely rely upon these, but the truth is we cannot always be sure that all the methods we apply are sufficient to track hackers. Also, maybe we may catch someone using these files too! I think more on this can be tripwire, chkrootkit.org. I was just mentioning one way to check for hackers; there are better ways also, I agree on that....
If you're hit by a guy or girl that really knows what he/she's doing, nothing but an integrity db kept on non-removable media can help you. Logfiles could be modified/erased, kernel backdoored, etc... In other words, you can't trust your system anymore.
Checking for file alteration is really something you should have done before your system's security has been compromised. Once someone has cracked your system and modified/installed various files, it's entirely possible for them to access your machine at will without modifying any further files. You should always install something like tripwire, samhain, afick, etc. immediately after installing and configuring your system, not after you believe someone has broken in.
You haven't really mentioned why you think the system has been compromised in the first place. Could you give us some specifics? Without much to go on: on a Redhat system (actually on any RPM system), you can verify the integrity of the packages by doing rpm -Va. Test for the presence of a rootkit by downloading and running chkrootkit and/or rootkit hunter. Check for abnormal SUID root files. Check /etc/passwd for new users or users other than root with a UID of 0. If that still doesn't turn up anything and you're fairly convinced that it's been cracked, download a "Live" CD-ROM based distro like Knoppix-STD or FIRE. Boot the system with the Live CD and mount the compromised file-system read-only. You can then look around the file system without worrying that anything has been hidden by a rootkit.
As a note about utmp/wtmp, this is a fairly ineffective way to identify intrusion, especially if used as your only means. Having a shell bound to a listening port or even a backdoored daemon can entirely bypass logging (as has been pointed out multiple times already). In fact, I've seen more intruders identified by the fact that wtmp had been modified or deleted entirely than by finding anomalous login entries there. That being said, I certainly would check it; however, I wouldn't have much confidence in a clean utmp/wtmp.
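The three cheap checks above (rpm -Va, SUID files, UID-0 accounts) are easy to get subtly wrong by hand, so here is an added example, not code from the poster, that does each of them and is exercised on constructed input. The passwd and rpm -Va text are fed in as strings, which also means you can capture them from a rescue boot (`rpm --root /mnt/sysimage -Va`) rather than trusting the rpm binary on the suspect disk; the SUID scan walks a real directory tree, and the demo builds a throwaway one. Sample data and the baseline choices are assumptions for illustration.

```python
import os
import stat
import tempfile


# --- 1. /etc/passwd: any account besides root with UID 0 is a second root -----
def uid0_accounts(passwd_text):
    """Return account names in passwd(5) text with UID 0 that are not 'root'."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: worth a look on its own, but not a UID-0 hit
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


# --- 2. rpm -Va: separate the verify failures that matter ---------------------
# Each line is an attribute column ("S.5....T." or the word "missing"), an
# optional file-type letter (c = config, d = doc, ...), then the path.  Config
# files change in normal operation; a size/md5/mode/owner change on any other
# file, or a missing file, needs an explanation.
def rpm_verify_findings(rpm_va_text):
    findings = []
    for line in rpm_va_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else ""
        if flags == "missing":
            findings.append(("missing", path))
        elif ftype != "c" and any(ch in flags for ch in "S5MUG"):
            findings.append((flags, path))
    return findings


# --- 3. setuid/setgid files --------------------------------------------------
def find_setuid(root):
    """Walk root and return (path, owner_uid, mode) for every regular file with
    the setuid or setgid bit.  lstat is used so symlinks are not followed."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def demo_setuid_scan():
    """Constructed tree: one plain file and one setuid file, so the scan can be
    run without touching the real filesystem.  Returns the relative hits."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "notes.txt")
        setuid_file = os.path.join(d, "bin", "helper")
        os.makedirs(os.path.dirname(setuid_file))
        for p in (plain, setuid_file):
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
        os.chmod(setuid_file, 0o4755)
        return [os.path.relpath(p, d) for p, _uid, _mode in find_setuid(d)]


# Constructed sample input (not from the original system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
toor:x:0:0::/home/toor:/bin/bash
"""

SAMPLE_RPM_VA = """\
S.5....T.    /usr/bin/ps
SM5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/foo/README
missing      /usr/sbin/lsof
"""

if __name__ == "__main__":
    print("extra UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("rpm -Va findings:", rpm_verify_findings(SAMPLE_RPM_VA))
    print("setuid files in demo tree:", demo_setuid_scan())
```

A replaced ps that still passes rpm -Va is the reason the poster recommends a Live CD: a kernel module or trojaned rpm can lie to any check run on the compromised system itself, so run these against the mounted filesystem from the rescue environment and compare the SUID list with a known-good install of the same release.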
In fact the system hung at "INIT: Version 2.84 booting"; booting from CD in rescue mode showed 2 new users named "hack" and "http" connected one day before the hangup with a foreign IP address (who -u wtmp). In addition, the home directory of user hack contains a directory called "selena" which houses files like: assl, oops, pscan2, ssl, sslex, sslx, ssx, su, runer, etc...