LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-15-2007, 05:23 PM   #1
CrewXp
Member
 
Registered: Jan 2004
Posts: 83

Rep: Reputation: 15
User kind of smart with linux. How can I monitor him? Also.. virtfs, what is it?


Hey, I have a user on my server who seems to know a whole lot about linux, more than me.

Is there any way I can monitor his shell access, and the commands he uses in it?

Also he seems to have a folder outside his jailed account in /home/virtfs/.

He's the only user in that folder, and it has a lot of binary files in it. Do you know what that is?


-Thanks a lot!
 
Old 05-15-2007, 05:46 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Post a few names of the files there.
If using bash then look at the file .bash_history in the user's directory. Look at the end, which would show the last commands used.
Does the user have any root privileges?

Brian
 
Old 05-15-2007, 05:53 PM   #3
CrewXp
Member
 
Registered: Jan 2004
Posts: 83

Original Poster
Rep: Reputation: 15
Quote:
root@server1 [/home/virtfs]# cd vegapnk
root@server1 [/home/virtfs/vegapnk]# ls
./ ../ bin/ checkvirtfs* dev/ etc/ home/ lib/ proc/ tmp/ usr/ var/
root@server1 [/home/virtfs/vegapnk]# cd etc
root@server1 [/home/virtfs/vegapnk/etc]# ls
./ aliases bashrc* DIR_COLORS exim.pl group inputrc ld.so.conf localtime man.config my.cnf pam.d/ profile protocols services sudoers userdomains
../ antivirus.exim cron.deny exim.conf exim.pl.local* host.conf ld.so.cache localdomains lynx.cfg mtab nsswitch.conf passwd profile.d/ resolv.conf shadow termcap vimrc
root@server1 [/home/virtfs/vegapnk/etc]# cd ..
root@server1 [/home/virtfs/vegapnk]# cd home
root@server1 [/home/virtfs/vegapnk/home]# ls
./ ../ vegapnk/
root@server1 [/home/virtfs/vegapnk/home]# cd vegapnk
root@server1 [/home/virtfs/vegapnk/home/vegapnk]# ls
./ ../
Not sure what that all is... most directories in there are empty. Anyways...


He doesn't have root, unless he found out a way to get it himself. I just gave him a jailed shell access in cpanel.

And I checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
 
Old 05-15-2007, 07:30 PM   #4
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

Rep: Reputation: 141
You might want to report your post and ask a moderator to move it to Linux Security. If you have permissions such that anyone can create a directory in /home, then it's your fault. If not, then you may be hacked. You say that you've got him in a jailed account, but how have you done that? Do a websearch on virtfs to find out what it is. There are plenty of hits.

I don't know enough about security to give you any help. Get it moved to Linux Security and see what the guys over there have to say.
 
Old 05-15-2007, 11:15 PM   #5
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware
Posts: 1,134

Rep: Reputation: 277
as far as virtfs:

www.prongs.org/virtfs/

I'm going to guess that your 'suspect' is using virtfs to setup virtual servers - ftp, etc for filesharing, warez, and who knows what else...etc., etc.

As Quakeboy has stated, have the mods move this and let the folks in security advise you as to how to correct this user's behaviour. He obviously has more access than you would like to believe.
 
Old 05-16-2007, 11:08 AM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Moved to Linux - Security per OP's request.
 
Old 05-16-2007, 12:37 PM   #7
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
I wonder how many hidden folders there are.

Try:

Code:
ls -la
Also maybe run chkrootkit and rkhunter. To get an idea of whether you have been rooted.

Run the tripwire/aide program and compare everything against the last db you made after the last update.

Boot the machine using a livecd and examine the filesystem, specifically for any shareable files if that is what you suspect. File extensions like .avi .mpg .mp3 would be a start.

Code:
find / -iname '*.mp3'
Post your results back to this thread

I wonder if the guy is a regular here, hence why all the files have been deleted. It would be quite amusing if he read your post then went and deleted everything.

Last edited by v00d00101; 05-16-2007 at 12:39 PM.
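The search suggested above, extended with the ownership and MAC times (modify/access/change) that a later reply in this thread asks for. This is an added example, not code posted in the thread; it assumes GNU find (for -printf) and is meant to be run from the live CD against the mounted filesystem.

```shell
#!/bin/bash
# Added example, not posted in the thread. Finds likely media files below a
# directory and prints owner, group and MAC times (modify/access/change)
# for each, so a listing can be judged rather than just read as file names.
# Assumes GNU find (-printf); run it from a live CD against the mounted disk.

# Usage: list_media_with_mactimes ROOT [ext ...]   (default: mp3 avi mpg)
list_media_with_mactimes() {
  local root="$1" ext
  shift
  [ "$#" -gt 0 ] || set -- mp3 avi mpg
  # Rebuild "$@" into a find expression:
  #   -iname '*.mp3' -o -iname '*.avi' -o ...
  # The globs stay quoted, so the shell does not expand them in the
  # current directory first (which is what an unquoted *.mp3 would do).
  for ext in "$@"; do
    set -- "$@" -o -iname "*.$ext"
    shift
  done
  shift   # drop the leading -o
  find "$root" -xdev -type f \( "$@" \) -printf \
    '%u:%g mtime=%TY-%Tm-%Td_%TH:%TM atime=%AY-%Am-%Ad_%AH:%AM ctime=%CY-%Cm-%Cd_%CH:%CM %p\n' \
    | sort
}

# e.g. list_media_with_mactimes /mnt/disk/home/virtfs mp3 avi mpg
```

Each output line carries the owner, the three timestamps and the path, which is what you need to tell a file the user created last week from one that arrived with the cPanel jail.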
 
Old 05-16-2007, 02:44 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Is there any way I can monitor his shell access, and the commands he uses in it? / And i checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
To monitor his shell you will need a wrapper around his default shell like Rootsh or Sudosh, or a version of Bash patched (logging) for Honeypot usage. More invasive means of logging can be provided by for instance the GRSecurity kernel patch or SELinux logging. The difference between those two is that GRSecurity can be deployed even without utilising the RBAC rules and still reinforce your setup. To retain his history you can make Rootsh log to Syslog or set the "append-only" flag if the filesystem allows it, in the case of GRSecurity or SELinux they will already log to syslog. (And if, as an effect of that, you need to reinforce syslog you want a remote syslog server). All will work spiffy until he elevates rights and gains root account access, at which point all bets are off.


BTW, the file listing is nice as in the names are meaningful, but it still doesn't *prove anything* without MAC times and ownership details.
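A lighter-weight way to get the append-only history file and syslog mirroring described above, as an added example that is not from the thread. It assumes bash login shells that source /etc/profile.d/*.sh, an ext2/3/4 filesystem for chattr, and root to install it; like .bash_history itself it only records what goes through an interactive bash, which is why the shell wrappers or kernel-level logging named above are the stronger option.

```shell
#!/bin/bash
# Added example, not from the thread. Hardens bash history for a jailed user:
# history file made append-only (chattr +a), history flushed after every
# command, and each command mirrored to syslog facility local1 via logger.
# Assumes: login shells source /etc/profile.d/*.sh, an ext2/3/4 filesystem
# for chattr, and root privileges when installing.

# Emit the profile.d fragment. Single-quoted heredoc: nothing expands here,
# everything is evaluated later in the user's own shell.
history_audit_fragment() {
cat <<'EOF'
# bash history audit: append, never truncate, mirror to syslog
# histappend is required with an append-only file: without it bash would
# try to rewrite the whole file on exit, which the +a flag blocks.
shopt -s histappend
HISTSIZE=10000
HISTFILESIZE=100000
HISTTIMEFORMAT='%F %T '
export HISTSIZE HISTFILESIZE HISTTIMEFORMAT
# history -a flushes the new line to HISTFILE; logger sends it to syslog
PROMPT_COMMAND='history -a; logger -p local1.info -t bash_audit "$USER[$$] $(history 1 | sed "s/^ *[0-9]* *//")"'
# readonly stops the user from pointing HISTFILE at /dev/null or clearing
# PROMPT_COMMAND from within this shell
readonly HISTFILE HISTSIZE HISTFILESIZE PROMPT_COMMAND
EOF
}

# Install the fragment into a profile.d directory (default /etc/profile.d).
# The zz- prefix makes it run last, after any script that sets HISTSIZE.
install_history_audit() {
  local dir="${1:-/etc/profile.d}"
  history_audit_fragment > "$dir/zz-history-audit.sh"
  chmod 0644 "$dir/zz-history-audit.sh"
}

# Make one user's .bash_history append-only: lines can still be added, but
# the file cannot be truncated or deleted until root runs chattr -a.
make_history_append_only() {
  local hist="$1/.bash_history"
  [ -f "$hist" ] || : > "$hist"
  chattr +a "$hist"
}

# As root: install_history_audit && make_history_append_only /home/vegapnk
```

Point syslog's local1 facility at a remote log host as well, otherwise the copy in /var/log is only as safe as the box it sits on.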
 
Old 05-21-2007, 04:12 PM   #9
hackintosh
Member
 
Registered: Dec 2005
Posts: 52

Rep: Reputation: 15
I would like to intro a "bad" tool, TTYSNOOP

You can snoop his tty :P

So, whatever character he inputs can also be captured easily :P
 
All times are GMT -5. The time now is 08:52 AM.