LinuxQuestions.org


vkunasani 02-14-2010 10:23 PM

Tracing Intruders connecting to our system in Redhat Linux operating system
 
Hello Linux Team,

I am working as an employee in a Software Organization. Recently I came to know that one of my colleagues is just coming and selecting the remote desktop option in the administration tab when I am moving from my system, and watching my activities without my knowledge. He is just killing my privacy and cheating me.

I kindly request you to let me know: is there any possibility to find the users connected to our system by using VNC/Remote Desktop/TeamViewer in the RedHat Linux operating system? If you help me, I will catch him with proof and submit him to the management. Maybe mine might not be such a confidential system; I was just worrying about the case: if it belongs to a lady or management person or a project person, they will be in trouble.


Please help me in tracing out his illegal activities. Appreciate your help in advance.

--
Thanking You,

Best Regards,
Vamsi Krishna Kunasani
vamsi.kunasani@gmail.com

jstephens84 02-15-2010 12:25 AM

You can find all information about who is on your system by going to a command prompt and typing
Code:

who
Code:

w
or

Code:

finger
This will output information such as who is connected, where they are connected from, and what they are doing. Here is some output from my command line.

Code:

bsdtux@bsdtux-laptop ~ $ who
bsdtux  :0          2010-02-14 11:49
bsdtux  pts/0        2010-02-14 11:49 (:0)
bsdtux@bsdtux-laptop ~ $ w
 00:24:16 up 12:36,  2 users,  load average: 0.36, 0.19, 0.13
USER    TTY      FROM              LOGIN@  IDLE  JCPU  PCPU WHAT
bsdtux  :0      -                Sun11  ?xdm?  6:17  0.03s /bin/sh /usr/bin/x-session-manager
bsdtux  pts/0    :0              Sun11  12:35m  0.00s  0.03s /usr/bin/kwrited
bsdtux@bsdtux-laptop ~ $ finger
Login    Name            Tty      Idle  Login Time  Office    Office Phone
bsdtux    Josh Stephens  *:0            Feb 14 11:49
bsdtux    Josh Stephens  pts/0  12:35  Feb 14 11:49 (:0)
bsdtux@bsdtux-laptop ~ $


Simon Bridge 02-15-2010 01:08 AM

vkunasani - welcome to LQ
As jstephens84 said, anyone using VNC etc. to access your computer will usually show up as a user on your system. Thus the who command will often tell you about them. Don't know if this works with all remote desktop servers - but the particular server will have a way of tracking who is doing what. But with VNC, in Linux (iirc) each user gets their own X session.

Usually there is little point finding out who is accessing your system, just close the hole.
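
Added example (not from any poster in this thread): a script that filters `who` output for sessions with a non-local origin, and goes one step further than the replies above by also listing established TCP connections to VNC ports from `ss -tn` output, since a VNC connection need not create a login record. The user names and addresses are constructed samples, and the 5900-5999 port range is an assumption based on the conventional VNC display ports.

```shell
#!/usr/bin/env bash
# Flag remote logins and VNC peers from `who` and `ss -tn` output.

# Constructed sample of `who` output (not from a real host).
SAMPLE_WHO='alice    :0           2010-02-14 11:49
alice    pts/0        2010-02-14 11:49 (:0)
bob      pts/1        2010-02-14 13:02 (192.0.2.44)'

# Constructed sample of `ss -tn` output (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.0.2.10:22        192.0.2.44:51514
ESTAB  0      0      192.0.2.10:5900      192.0.2.77:40312'

# remote_logins: read `who` output on stdin and print "user tty origin" for
# sessions whose origin (last field, in parentheses) is not a local X display.
remote_logins() {
  awk '
    $NF ~ /^\(.*\)$/ {
      origin = substr($NF, 2, length($NF) - 2)
      if (origin !~ /^:/) print $1, $2, origin
    }'
}

# vnc_peers: read `ss -tn` output on stdin and print "local_port peer_address"
# for established connections to local ports 5900-5999 (assumed VNC range).
vnc_peers() {
  awk '
    $1 == "ESTAB" {
      n = split($4, l, ":"); port = l[n] + 0
      if (port >= 5900 && port <= 5999) {
        peer = $5; sub(/:[0-9]+$/, "", peer)
        print port, peer
      }
    }'
}

if [ "${1:-}" = "--live" ]; then
  # Run against this machine.
  who | remote_logins
  ss -tn | vnc_peers
else
  # Run against the constructed samples above.
  printf '%s\n' "$SAMPLE_WHO" | remote_logins
  printf '%s\n' "$SAMPLE_SS" | vnc_peers
fi
```

Run with `--live` from cron or a login script and append the output with a timestamp to a file only you can write, so there is a record to hand to the administrator.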

jstephens84 02-15-2010 01:13 AM

Quote:

Originally Posted by Simon Bridge (Post 3863969)
vkunasani - welcome to LQ
As jstephens84 said, anyone using VNC etc. to access your computer will usually show up as a user on your system. Thus the who command will often tell you about them. Don't know if this works with all remote desktop servers - but the particular server will have a way of tracking who is doing what. But with VNC, in Linux (iirc) each user gets their own X session.

Usually there is little point finding out who is accessing your system, just close the hole.

I second that. It will probably take more time tracking them down than to just stop the VNC server service.

Simon Bridge 02-15-2010 06:23 AM

Usually a vulnerable service is being run for a reason. Stopping it all the time will not be useful and stopping it once it is discovered running when it shouldn't is a tad late.

From the OP, it looks like someone with temporary physical access to the machine is enabling the service to enable more covert access at leisure.

Restricting who can access by remote is the best bet, though locking the console when you leave the workstation is good discipline. You only have to remember to do this for a few weeks and that person will stop checking. Remote access restricts well through OpenSSH - then only people with an account on your machine can use the remote desktop.

If this is a corporate environment, then OP may not be the administrator. In which case, the security breach needs to be taken up with the admin, not us.

Usually, though, it is unusual to be able to use a remote desktop to spy on the local user. In Linux, the remote user gets their own session = their own separate desktop. Unlike Windows, where they can watch your desktop while you work.