LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-15-2007, 05:23 PM   #1
CrewXp
Member
 
Registered: Jan 2004
Posts: 83

Rep: Reputation: 15
User kind of smart with linux. How can I monitor him? Also.. virtfs, what is it?


Hey, I have a user on my server who seems to know a whole lot about linux, more than me.

Is there any way I can monitor his shell access, and the commands he uses in it?

Also he seems to have a folder outside his jailed account in /home/virtfs/.

He's the only user in that folder, and it has a lot of binary files in it. Do you know what that is?


-Thanks a lot!
 
Old 05-15-2007, 05:46 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Post a few names of the files there.
If using bash then look at the file .bash_histroy in the users directory. Look at the end which would show the last commands used.
Does the user have any root priviledges?

Brian
 
Old 05-15-2007, 05:53 PM   #3
CrewXp
Member
 
Registered: Jan 2004
Posts: 83

Original Poster
Rep: Reputation: 15
Quote:
root@server1 [/home/virtfs]# cd vegapnk
root@server1 [/home/virtfs/vegapnk]# ls
./ ../ bin/ checkvirtfs* dev/ etc/ home/ lib/ proc/ tmp/ usr/ var/
root@server1 [/home/virtfs/vegapnk]# cd etc
root@server1 [/home/virtfs/vegapnk/etc]# ls
./ aliases bashrc* DIR_COLORS exim.pl group inputrc ld.so.conf localtime man.config my.cnf pam.d/ profile protocols services sudoers userdomains
../ antivirus.exim cron.deny exim.conf exim.pl.local* host.conf ld.so.cache localdomains lynx.cfg mtab nsswitch.conf passwd profile.d/ resolv.conf shadow termcap vimrc
root@server1 [/home/virtfs/vegapnk/etc]# cd ..
root@server1 [/home/virtfs/vegapnk]# cd home
root@server1 [/home/virtfs/vegapnk/home]# ls
./ ../ vegapnk/
root@server1 [/home/virtfs/vegapnk/home]# cd vegapnk
root@server1 [/home/virtfs/vegapnk/home/vegapnk]# ls
./ ../
Not sure what that all is... most directories in there are empty. Anyways...


He doesn't have root, unless he found out a way to get it himself. I just gave him a jailed shell access in cpanel.

And i checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
 
Old 05-15-2007, 07:30 PM   #4
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

Rep: Reputation: 141Reputation: 141
You might want to report your post and ask a moderator to move it to Linux Security. If you have permissions such that anyone can create a directory in /home, then it's your fault. If not, then you may be hacked. You say that you've got him in a jailed account, but how have you done that? Do a websearch on virtfs to find out what it is. There are plenty of hits.

I don't know enough about security to give you any help. Get it moved to Linux Security and see what the guys over there have to say.
 
Old 05-15-2007, 11:15 PM   #5
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware
Posts: 1,135

Rep: Reputation: 277Reputation: 277Reputation: 277
as far as virtfs:

www.prongs.org/virtfs/

I'm going to guess that your 'suspect' is using virtfs to setup virtual servers - ftp, etc for filesharing, warez, and who knows what else...etc., etc.

As Quakeboy has stated, have the mods move this and let the folks in security advise you as to how to correct this user's behaviour. He obviously has more access than you would like to believe.
 
Old 05-16-2007, 11:08 AM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
Moved to Linux - Security per OP's request.
 
Old 05-16-2007, 12:37 PM   #7
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
I wonder how many hidden folders there are.

Try:

Code:
ls -la
Also maybe run chkrootkit and rkhunter. To get an idea of whether you have been rooted.

Run the tripwire/aide program and compare everything against the last db you made after the last update.

Boot the machine using a livecd and examine the filesystem, specifically for any shareable files if that is what you suspect. File extensions like .avi .mpg .mp3 would be a start.

Code:
find / -iname *.mp3
Post your results back to this thread

I wonder if the guy is a regular here, hence why all the files have been deleted. It would be quite amusing if he read your post then went and deleted everything.

Last edited by v00d00101; 05-16-2007 at 12:39 PM.
 
Old 05-16-2007, 02:44 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Is there any way I can monitor his shell access, and the commands he uses in it? / And i checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
To monitor his shell you will need a wrapper around his default shell like Rootsh or Sudosh, or a version of Bash patched (logging) for Honeypot usage. More invasive means of logging can be provided by for instance the GRSecurity kernel patch or SELinux logging. The difference between those two is that GRSecurity can be deployed even without utilising the RBAC rules and still reinforce your setup. To retain his history you can make Rootsh log to Syslog or set the "append-only" flag if the filesystem allows it, in the case of GRSecurity or SELinux they will already log to syslog. (And if, as an effect of that, you need to reinforce syslog you want a remote syslog server). All will work spiffy until he elevates rights and gains root account access, at which point all bets are off.


BTW, the file listing is nice as in the names are meaningful, but it still doesn't *prove anything* without MAC times and ownership details.
 
Old 05-21-2007, 04:12 PM   #9
hackintosh
Member
 
Registered: Dec 2005
Posts: 52

Rep: Reputation: 15
i would like to intro a "bad" tool, TTYSNOOP

you can snoop his tty :P

so, watever character he input also can be capture easily :P
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What kind of user are you? vxc69 General 79 06-11-2007 07:10 PM
Any utility which can monitor SMART on an external Hard drive ? wearetheborg Linux - Hardware 2 01-01-2007 03:29 PM
first time Linux user(kind of..) wh0racle Slackware 9 03-02-2005 04:21 PM
I can't figure out what kind of monitor connector is on my SGI Origin 200 server. Travis86 Linux - Hardware 10 03-03-2004 01:50 PM
3 simple questions for a smart Linux user Dethbysmoke Linux - General 1 03-11-2002 06:36 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration