AW: [suse-security] Log/Audit all user commands
Hi Ricardo,

> Hi, I am having a little problem I need to solve quickly. I have one intruder (long to explain now) who edited the passwd file and set his user with id 0 (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that?

If he didn't disable it or use another shell, you can have a look at his ~/.bash_history.

Bye
Uli

--
Ulrich Roth
IMPACT Business & Technology Consulting GmbH
Im Mediapark 8 / KölnTurm
D-50670 Koeln
Phone +49-221-93 70 80-29
Fax +49-221-93 70 80-15
E-Mail: roth@impact.de
Thanks for your answer. Well, it's a good idea, but I think it's too easy to discover it, delete or modify the file...

--- Ulrich Roth <Roth@impact.de> wrote:
> Hi Ricardo,
> If he didn't disable it or use another shell, you can have a look at his ~/.bash_history.
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Dear friends,

I followed this discussion a little bit, and here's my 2 cents:

bash_history logs only commands one typed in bash. What if he changes to tcsh or whatever else? "Whatever else" also includes graphical helpers, like konqueror or nautilus, that give you a lot of freedom to run or modify any files, while you can't log any actions... and a tty sniffer won't help either.

I agree with the statement that you don't have to let any intruder play with your machine, since it may well be that he HAS already installed sniffers (tty or network) and stuff like that, so any action you take now will be well known to him. So better really unplug the network, shut off the machine, boot from CD (if you'd like to trace back changes he made to your system), and reinstall...

Good luck,
Eduard
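Worked example added by the editor, not from Eduard's message or anyone else in the thread: a small shell script for the "boot from CD and trace back the changes he made" step on a SUSE box. It assumes the compromised disk is mounted read-only under /mnt from rescue media (the path is an assumption) and that rpm's package database on that disk is still usable; the `rpm -Va` output it parses is a constructed sample, not output from Ricardo's machine.

```shell
#!/bin/sh
# Added example, not from the thread. Triage for the "boot from CD and
# trace back his changes" step: with the compromised disk mounted
# read-only under /mnt (path assumed), `rpm -Va --root /mnt` verifies
# every installed file against the package database, and this script
# keeps only the lines that matter.
#
# Real use (not run here):
#   rpm -Va --root /mnt 2>/dev/null | while IFS= read -r l; do rpm_verify_line "$l" || :; done

# Classify one line of `rpm -Va` output. Format: an attribute column
# (S size, M mode, 5 md5, D device, L symlink, U user, G group, T mtime,
# '.' = unchanged), an optional 'c' for config files, then the path;
# a file that is gone entirely is reported as "missing  path".
# Prints "path<TAB>reasons" and returns 0 when the file deserves a look;
# mtime-only changes ('T') are ignored as noise. Returns 1 otherwise.
rpm_verify_line() {
    line=$1
    flags=${line%% *}
    path=${line##* }
    if [ "$flags" = missing ]; then
        printf '%s\tmissing\n' "$path"
        return 0
    fi
    reason=
    case $flags in *S*) reason="$reason size" ;; esac
    case $flags in *5*) reason="$reason md5" ;; esac
    case $flags in *M*) reason="$reason mode" ;; esac
    case $flags in *L*) reason="$reason symlink" ;; esac
    case $flags in *U*|*G*) reason="$reason owner" ;; esac
    [ -n "$reason" ] || return 1
    printf '%s\t%s\n' "$path" "${reason# }"
}

# Run the classifier over a whole verify listing given as one string.
rpm_verify_report() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        [ -n "$l" ] || continue
        rpm_verify_line "$l" || :
    done
}

# Constructed sample of what `rpm -Va` might print on such a box: the
# edited /etc/passwd, a trojaned /bin/ls, a setuid helper with changed
# mode, one harmless mtime-only line and one deleted file.
SAMPLE_RPM_VA='S.5....T  c /etc/passwd
.......T    /usr/share/doc/packages/bash/README
SM5....T    /bin/ls
.M......    /usr/bin/passwd
missing     /sbin/ifconfig'

rpm_verify_report "$SAMPLE_RPM_VA"
```

Against the real disk, pipe `rpm -Va --root /mnt` into the classifier instead of the sample. Mtime-only lines ('T') are dropped because they are common after ordinary updates; a changed md5 on a binary such as /bin/ls is the classic sign of a trojaned tool. Keep in mind that an intruder with uid 0 can also edit the rpm database the verification relies on, so for the files that matter, verify against the package files from the install media (`rpm -Vp`) or against checksums recorded before the break-in.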
It's OK that he plays with the network. I am using two nets, and the one he's using isn't important. This can help me to see what he is trying to do, what a hacker does, etc., and more importantly how to act and correct. So, this is just a "demo" for me. It's real, but I can see it as a demo. So, if you want to help and participate (I give you all the info on what he is doing)...

Thanks again,
Ricardo

-----Original Message-----
From: Eduard Avetisyan [mailto:dich_ed@yahoo.com]
Sent: Friday, 30 May 2003 06:34
To: Ricardo Toma; Ulrich Roth; suse-security@suse.com
Subject: Re: AW: [suse-security] Log/Audit all user commands
On Fri, 30 May 2003, Ricardo wrote:

> It's OK that he plays with the network. I am using two nets, and the one he's using isn't important. This can help me to see what he is trying to do, what a hacker does, etc., and more importantly how to act and correct. So, this is just a "demo" for me. It's real, but I can see it as a demo. So, if you want to help and participate (I give you all the info on what he is doing)... Thanks again,
>
> Ricardo

IMO, it's never OK that unauthorized users "play with the network." They might be setting up a grand DoS that, when the FBI tracks it down, is originating with your server, and _you_ may spend time in the pokey. It would be much more beneficial to unplug the network and reinstall the OS and all security updates.

If you really want to know how a cracker works, you might want to try legally cracking into systems:
http://www.happyhacker.org/wargame/index.shtml

--
Registered Linux user #304026.
"lynx -source http://www.rallycentral.us/~linux/jharris.asc | gpg --import" or
"gpg --keyserver pgp.mit.edu --recv-key BD23A31E"
Key fingerprint = FB8C 3210 8DE1 78F4 6505 5918 0C34 BE94 BD23 A31E
On Wednesday 28 May 2003 09:34, Ulrich Roth wrote:

> Hi Ricardo,
>
> > I have one intruder (long to explain now) who edited the passwd file and set his user with id 0 (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that?
>
> If he didn't disable it or use another shell, you can have a look at his ~/.bash_history.

I believe I've seen a patch for bash somewhere to send all commands to syslogd. If you can't find it, it should not be difficult to find the place in the sources where the logging to '~/.bash_history' is done and add a few lines of code to log it to a syslog facility. You can send all syslog messages to a remote host, which you should lock down very tight.

As someone else noted, remove all shells except this patched version of bash.

Regards,
Cees.
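Worked example added by the editor, not from the thread and not the bash patch Cees refers to: the same "every command goes to syslog, syslog goes to a locked-down host" idea done at shell level with a DEBUG trap and logger(1), so it can be tried without rebuilding bash. The syslog tag bash_audit, the host name loghost and the sample user name are assumptions; the syslog.conf line is syslogd's standard "@host" forwarding syntax.

```shell
#!/bin/bash
# Added example, not from the thread and not the bash patch Cees refers to.
# Shell-level version of the same idea: a DEBUG trap hands every command an
# interactive bash is about to run to logger(1), which writes it to syslog;
# syslogd then forwards the facility to a remote host. Assumed names: the
# syslog tag "bash_audit" and the log host "loghost".
#
# Forwarding rule for /etc/syslog.conf on the monitored box (syslogd's
# "@host" syntax; authpriv is readable only by root locally):
#   authpriv.*    @loghost

# Build one audit record: user uid tty pid command. Pure function, so it
# can be exercised without a syslog daemon.
audit_format() {
    local user="$1" uid="$2" tty="$3" pid="$4" cmd="$5"
    # A multi-line command would turn into several syslog lines and let
    # the user forge entries, so flatten it to one line first.
    cmd=$(printf '%s' "$cmd" | tr '\n' ' ')
    printf 'user=%s uid=%s tty=%s pid=%s cmd=%s' "$user" "$uid" "$tty" "$pid" "$cmd"
}

# Ship one record to syslog. Silently does nothing where logger(1) is
# missing, so the shell keeps working.
audit_send() {
    command -v logger >/dev/null 2>&1 || return 0
    logger -p authpriv.notice -t bash_audit "$1"
}

# Install the trap in the calling shell; source this file from the
# system-wide bashrc and call it so every interactive bash is covered.
# BASH_COMMAND is the command about to be executed; EUID is 0 for the
# intruder's account because his passwd entry says so.
install_audit_trap() {
    AUDIT_TTY=$(tty 2>/dev/null) || AUDIT_TTY=notty
    trap 'audit_send "$(audit_format "${USER:-$LOGNAME}" "$EUID" "$AUDIT_TTY" "$$" "$BASH_COMMAND")"' DEBUG
}

# Stand-alone demo: the record the trap would send for one constructed
# command (user name and pid made up; nothing is sent to syslog here).
audit_format baduser 0 pts/3 4242 'vi /etc/passwd'
echo
```

Source the file from the system-wide bashrc and call install_audit_trap. The caveat is the one Ricardo raised about .bash_history: a user who already has uid 0 can run `trap - DEBUG`, start another shell, or stop syslogd, so the trap only records what he does until he notices it, and nothing on the box survives a uid-0 user who stops syslogd. That is why Cees suggests putting the hook into the bash binary itself, removing the other shells, and shipping the records off the box: records already forwarded to the remote log host are the one thing he cannot edit after the fact.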
participants (6)
- Cees van de Griend
- Eduard Avetisyan
- Jeff Harris
- Ricardo
- Ricardo Toma
- Ulrich Roth