User kind of smart with linux. How can I monitor him? Also.. virtfs, what is it?
Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Post a few names of the files there.
If using bash then look at the file .bash_history in the user's directory. Look at the end, which would show the last commands used.
Does the user have any root privileges?
You might want to report your post and ask a moderator to move it to Linux Security. If you have permissions such that anyone can create a directory in /home, then it's your fault. If not, then you may be hacked. You say that you've got him in a jailed account, but how have you done that? Do a web search on virtfs to find out what it is. There are plenty of hits.
I don't know enough about security to give you any help. Get it moved to Linux Security and see what the guys over there have to say.
I'm going to guess that your 'suspect' is using virtfs to set up virtual servers - ftp, etc. for filesharing, warez, and who knows what else... etc., etc.
As Quakeboy has stated, have the mods move this and let the folks in security advise you as to how to correct this user's behaviour. He obviously has more access than you would like to believe.
Also maybe run chkrootkit and rkhunter to get an idea of whether you have been rooted.
Run the tripwire/aide program and compare everything against the last db you made after the last update.
Boot the machine using a livecd and examine the filesystem, specifically for any shareable files if that is what you suspect. File extensions like .avi .mpg .mp3 would be a start.
Code:
find / -iname '*.mp3'
Post your results back to this thread.
I wonder if the guy is a regular here, hence why all the files have been deleted. It would be quite amusing if he read your post then went and deleted everything.
Is there any way I can monitor his shell access, and the commands he uses in it? And I checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
To monitor his shell you will need a wrapper around his default shell like Rootsh or Sudosh, or a version of Bash patched (logging) for Honeypot usage. More invasive means of logging can be provided by, for instance, the GRSecurity kernel patch or SELinux logging. The difference between those two is that GRSecurity can be deployed even without utilising the RBAC rules and still reinforce your setup. To retain his history you can make Rootsh log to Syslog or set the "append-only" flag if the filesystem allows it; in the case of GRSecurity or SELinux, they will already log to syslog. (And if, as an effect of that, you need to reinforce syslog, you want a remote syslog server.) All will work spiffy until he elevates rights and gains root account access, at which point all bets are off.
BTW, the file listing is nice as in the names are meaningful, but it still doesn't *prove anything* without MAC times and ownership details.
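As an added example (not from anyone in this thread), here is a small triage helper that extends the `find / -iname '*.mp3'` idea from the earlier reply to several extensions and prints, for each hit, the owner/group and the MAC times (modify/access/change) that the reply above says a bare file listing needs before it proves anything. It assumes GNU find (`-iname` and `-printf` are GNU extensions); the function names and argument layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumes GNU find; function names and argument layout are assumptions.

# Usage: list_suspect_files ROOT [EXT ...]
# Prints one line per file:  path  owner:group  mtime  atime  ctime
# (tab-separated, sorted by path).
list_suspect_files() {
    _root="$1"
    shift
    # Default to the extensions named in the thread when none are given.
    [ "$#" -gt 0 ] || set -- mp3 avi mpg

    for _ext in "$@"; do
        # The glob is quoted so the shell does not expand it before find
        # sees it (the unquoted form only works by accident, when the
        # current directory holds no matching file).
        # %T+ / %A+ / %C+ print modify / access / change time as
        # YYYY-MM-DD+HH:MM:SS.frac, %u:%g the owner and group.
        find "$_root" -type f -iname "*.$_ext" \
            -printf '%p\t%u:%g\t%T+\t%A+\t%C+\n' 2>/dev/null
    done | sort
}

# Count-only variant for a quick "is there anything at all" check.
# Usage: count_suspect_files ROOT [EXT ...]
count_suspect_files() {
    list_suspect_files "$@" | wc -l | tr -d ' '
}

# Stand-alone run:  sh triage.sh --run /mnt/suspect/home
# When examining a possibly compromised box, run this from a live CD
# against the mounted disk rather than trusting the installed binaries.
if [ "${1:-}" = "--run" ]; then
    shift
    list_suspect_files "${1:-/home}"
fi
```

Reading the times: a file whose ctime is recent but whose mtime is old was renamed, chmod'ed or had its ownership changed recently, which is exactly the kind of detail the listing alone does not show.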