Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-15-2007, 05:23 PM
#1
Member
Registered: Jan 2004
Posts: 83
User kind of smart with linux. How can I monitor him? Also.. virtfs, what is it?
Hey, I have a user on my server who seems to know a whole lot about linux, more than me.
Is there any way I can monitor his shell access, and the commands he uses in it?
Also he seems to have a folder outside his jailed account in /home/virtfs/.
He's the only user in that folder, and it has a lot of binary files in it. Do you know what that is?
-Thanks a lot!
05-15-2007, 05:46 PM
#2
LQ Guru
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700
Post a few names of the files there.
If using bash then look at the file .bash_history in the user's directory. Look at the end, which would show the last commands used.
Does the user have any root privileges?
Brian
05-15-2007, 05:53 PM
#3
Member
Registered: Jan 2004
Posts: 83
Original Poster
Quote:
root@server1 [/home/virtfs]# cd vegapnk
root@server1 [/home/virtfs/vegapnk]# ls
./ ../ bin/ checkvirtfs* dev/ etc/ home/ lib/ proc/ tmp/ usr/ var/
root@server1 [/home/virtfs/vegapnk]# cd etc
root@server1 [/home/virtfs/vegapnk/etc]# ls
./ aliases bashrc* DIR_COLORS exim.pl group inputrc ld.so.conf localtime man.config my.cnf pam.d/ profile protocols services sudoers userdomains
../ antivirus.exim cron.deny exim.conf exim.pl.local* host.conf ld.so.cache localdomains lynx.cfg mtab nsswitch.conf passwd profile.d/ resolv.conf shadow termcap vimrc
root@server1 [/home/virtfs/vegapnk/etc]# cd ..
root@server1 [/home/virtfs/vegapnk]# cd home
root@server1 [/home/virtfs/vegapnk/home]# ls
./ ../ vegapnk/
root@server1 [/home/virtfs/vegapnk/home]# cd vegapnk
root@server1 [/home/virtfs/vegapnk/home/vegapnk]# ls
./ ../
Not sure what that all is... most directories in there are empty. Anyways...
He doesn't have root, unless he found out a way to get it himself. I just gave him a jailed shell access in cpanel.
And I checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
05-15-2007, 07:30 PM
#4
Senior Member
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407
You might want to report your post and ask a moderator to move it to Linux Security. If you have permissions such that anyone can create a directory in /home, then it's your fault. If not, then you may be hacked. You say that you've got him in a jailed account, but how have you done that? Do a websearch on virtfs to find out what it is. There are plenty of hits.
I don't know enough about security to give you any help. Get it moved to Linux Security and see what the guys over there have to say.
05-15-2007, 11:15 PM
#5
Senior Member
Registered: Dec 2005
Distribution: Slackware
Posts: 1,135
as far as virtfs:
www.prongs.org/virtfs/
I'm going to guess that your 'suspect' is using virtfs to set up virtual servers - ftp, etc. for filesharing, warez, and who knows what else...etc., etc.
As Quakeboy has stated, have the mods move this and let the folks in security advise you as to how to correct this user's behaviour. He obviously has more access than you would like to believe.
05-16-2007, 11:08 AM
#6
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Moved to Linux - Security per OP's request.
05-16-2007, 12:37 PM
#7
Member
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
I wonder how many hidden folders there are.
Try:
Also maybe run chkrootkit and rkhunter. To get an idea of whether you have been rooted.
Run the tripwire/aide program and compare everything against the last db you made after the last update.
Boot the machine using a livecd and examine the filesystem, specifically for any shareable files if that is what you suspect. File extensions like .avi .mpg .mp3 would be a start.
Code:
# quote the pattern so the shell does not expand it against the current directory first
find / -iname '*.mp3'
Post your results back to this thread
I wonder if the guy is a regular here, hence why all the files have been deleted. It would be quite amusing if he read your post then went and deleted everything.
Last edited by v00d00101; 05-16-2007 at 12:39 PM.
05-16-2007, 02:44 PM
#8
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Is there any way I can monitor his shell access, and the commands he uses in it? / And i checked the bash_history. Thanks. But it seems like he deleted the days before today. Is there any way to prevent deletion of his history?
To monitor his shell you will need a wrapper around his default shell like Rootsh or Sudosh, or a version of Bash patched (logging) for Honeypot usage. More invasive means of logging can be provided by for instance the GRSecurity kernel patch or SELinux logging. The difference between those two is that GRSecurity can be deployed even without utilising the RBAC rules and still reinforce your setup. To retain his history you can make Rootsh log to Syslog or set the "append-only" flag if the filesystem allows it, in the case of GRSecurity or SELinux they will already log to syslog. (And if, as an effect of that, you need to reinforce syslog you want a remote syslog server). All will work spiffy until he elevates rights and gains root account access, at which point all bets are off.
BTW, the file listing is nice as in the names are meaningful, but it still doesn't *prove anything* without MAC times and ownership details.
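As an added example (not from the thread or any of its posters), here is the cheap end of what the post above describes for keeping a user's history: a bash profile fragment that appends every command as it runs, with a timestamp, and marks the history variables read-only, plus a check for the append-only attribute and a root-only helper that sets it with chattr. It assumes bash as the login shell, an ext2/3/4 filesystem where chattr and lsattr work, and that /etc/profile sources /etc/profile.d/; the file name history.sh is my choice. histappend is required once the file is append-only, because bash otherwise rewrites the whole file on exit and that write would fail. This raises the bar for an unprivileged user but is not a substitute for the wrappers or kernel-level logging named above: a user can start another shell or binary that never loads the fragment, and anyone with root can clear the attribute.

```shell
#!/bin/sh
# Added example, not from the thread: baseline bash history hardening.
# Assumptions: bash login shell, ext2/3/4 (chattr/lsattr from e2fsprogs),
# /etc/profile.d/ honoured by /etc/profile. Run the install/harden helpers as root.

# Bash settings that append each command as it runs, with a timestamp, and
# lock the relevant variables so the interactive session cannot unset them.
history_profile_fragment() {
    cat <<'EOF'
# history hardening (example fragment for /etc/profile.d/history.sh)
shopt -s histappend                 # append instead of rewriting the file
HISTFILE="$HOME/.bash_history"
HISTSIZE=100000
HISTFILESIZE=100000
HISTTIMEFORMAT='%F %T '             # store an epoch timestamp line per command
HISTCONTROL=                        # keep duplicates and space-prefixed commands
HISTIGNORE=
PROMPT_COMMAND='history -a'         # flush before every prompt, not just at exit
readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT HISTCONTROL HISTIGNORE PROMPT_COMMAND
EOF
}

# Install the fragment system-wide. Returns 1 when not running as root.
install_history_profile() {
    [ "$(id -u)" -eq 0 ] || return 1
    history_profile_fragment > /etc/profile.d/history.sh
    chmod 0644 /etc/profile.d/history.sh
}

# Exit 0 when the file carries the 'a' (append-only) attribute, 1 otherwise
# (also 1 when lsattr is missing or the filesystem has no attribute support).
is_append_only() {
    flags=$(lsattr -d -- "$1" 2>/dev/null) || return 1
    case "${flags%% *}" in *a*) return 0 ;; *) return 1 ;; esac
}

# Create the user's history file owned by the user and make it append-only.
# The user can still append but cannot truncate, delete or rename it; only
# root can clear the attribute with 'chattr -a'. Returns 1 when not root.
harden_history_file() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || return 1
    [ "$(id -u)" -eq 0 ] || return 1
    histfile="$home/.bash_history"
    touch "$histfile" && chown "$user" "$histfile" && chmod 0600 "$histfile" || return 1
    chattr +a "$histfile" || return 1
    is_append_only "$histfile"
}
```

Usage: as root, run install_history_profile once, then harden_history_file for each shell user (for the account in the listing above, harden_history_file vegapnk); is_append_only ~user/.bash_history afterwards should succeed. The timestamps written by HISTTIMEFORMAT are what give the MAC-time context the post above asks for when reading the file later.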
05-21-2007, 04:12 PM
#9
Member
Registered: Dec 2005
Posts: 52
I would like to introduce a "bad" tool, TTYSNOOP.
You can snoop his tty :P
So, whatever character he inputs can also be captured easily :P