[opensuse] errant 'who' behavior
Hi All,

This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?

Copied & pasted examples: (note: root has logged into console tty1 after the user has logged into his desktop on tty7, then root has logged in again via shell on the user's desktop.)

as user:
carl@linux:~> who
carl@linux:~> who -a
carl@linux:~> who -m
carl@linux:~> who -u
carl@linux:~>
as root:
linux:~ # who
linux:~ # who -a
linux:~ # who -m
linux:~ # who -u
linux:~ #
Additional info:
linux:~ # which who
/usr/bin/who
linux:~ # l /usr/bin/who
-rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
linux:~ # file /usr/bin/who
/usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
All ideas/hints gratefully appreciated and a happy new year to all of you!

regards,
Carl

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
Hi All,
This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
...
All ideas/hints gratefully appreciated and a happy new year to all of you!
I think you're looking for "last," which produces human-readable reports of the history of logins. The file it uses, /var/log/wtmp, is subject to log rotation (older copies are kept compressed in /var/log) so you don't get unlimited history without some manual intervention to access older parts of the history archived in the compressed wtmp files.

The wtmp file also records reboots and crashes:

% last reboot
reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52 (12+20:42)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 22:50 (70+12:59)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 20:51 (00:38)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 20:41 (00:08)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 15:13 (05:25)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 13:23 (01:47)
reboot   system boot  2.6.13-15.11-smp Tue Oct 10 23:53 (11:36)
reboot   system boot  2.6.13-15.11-smp Thu Aug 10 06:00 (61+11:58)

wtmp begins Wed Jul 12 15:21:25 2006

If you have a limited complement of authorized users, you can do something like this:

% 19761> last |egrep -v 'XYZ|QRS|reboot'

wtmp begins Wed Jul 12 15:21:25 2006

Not even a single crash or unwanted visitor!
regards,
Carl
Randall Schulz
On Wednesday 03 January 2007 10:38, Randall R Schulz wrote: <snipped an *awesome* reply for my 'kit bag'>

Thanks a lot Randall, I really appreciate the feedback.

I'm booted into a fresh 10.2 right now and 'who' works as expected.

The problem is I can't remember how long ago it was I interrupted an actual break-in into my 10.0 system. Someone 'cracked' <roll eyes> the ISP-supplied DSL modem 'Admin' 'Password' hurdle and logged into my box via ssh. (I honestly didn't even know this existed! It was delivered as a 'modem'... the routing functions weren't discussed anywhere in the supplied literature and the default config had the built-in NAT-based firewall turned *off*!)

This is when I discovered that 'who' wasn't working correctly and suspected someone was logged in. I immediately physically severed the net connection at the modem and upgraded everything to *really long* passwords plus a very complex router 'Admin' name.

I also disabled remote root logins into my box and installed rkhunter. All subsequent scans have been either 'OK' or 'clean'.

I never see unusual network activity at the router LEDs or in ntop or netstat, but I haven't been able to restore 'who' to its former glory and my confidence level in the security of that installation isn't back to normal.

So, thanks again for the clues, Randall. Much appreciated!

Carl
Carl, On Wednesday 03 January 2007 08:51, Carl Hartung wrote:
On Wednesday 03 January 2007 10:38, Randall R Schulz wrote: <snipped an *awesome* reply for my 'kit bag'>
Thanks a lot Randall, I really appreciate the feedback.
I'm booted into a fresh 10.2 right now and 'who' works as expected.
The problem is I can't remember how long ago it was I interrupted an actual break-in into my 10.0 system. Someone 'cracked' <roll eyes> the ISP-supplied DSL modem 'Admin' 'Password' hurdle and logged into my box via ssh. (I honestly didn't even know this existed! It was delivered as a 'modem'... the routing functions weren't discussed anywhere in the supplied literature and the default config had the built-in NAT-based firewall turned *off*!)
Any good router or modem that is smart enough to have an administrative interface should have an option to prevent logging in from the outside (the "wild" Internet) and to accept administrative logins and commands only from the interior side. Unless you really need to do remote administration, you should find and disable the remote administrative access entirely.
This is when I discovered that 'who' wasn't working correctly and suspected someone was logged in. I immediately physically severed the net connection at the modem and upgraded everything to *really long* passwords plus a very complex router 'Admin' name.
The utmp corruption could well have been a deliberate attempt to obscure the intruder's presence.
I also disabled remote root logins into my box and installed rkhunter. All subsequent scans have been either 'OK' or 'clean'.
I never see unusual network activity at the router LEDs or in ntop or netstat, but I haven't been able to restore 'who' to its former glory and my confidence level in the security of that installation isn't back to normal.
Utmp and wtmp only record successful logins. You can see failed attempts, including ssh attempts, in /var/log/messages.
So, thanks again for the clues, Randall. Much appreciated!
Pro noblemo.
Carl
RRS
On Wed, 2007-01-03 at 10:27 -0500, Carl Hartung wrote:
Hi All,
This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
Copied & pasted examples: (note: root has logged into console tty1 after the user has logged into his desktop on tty7, then root has logged in again via shell on the user's desktop.)
Additional info:
linux:~ # which who
/usr/bin/who
linux:~ # l /usr/bin/who
-rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
linux:~ # file /usr/bin/who
/usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
All ideas/hints gratefully appreciated and a happy new year to all of you!
Try the "w" command (without the quotes) and see what it returns. Also type alias to make sure that an alias has not been introduced into the system.

-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
On Wednesday 03 January 2007 10:43, Kenneth Schneider wrote:
Try the "w" command (without the quotes) and see what it returns. Also type alias to make sure that an alias has not been introduced into the system.
Thanks for the ideas, Ken, and happy new year! I'll post all the 'forensics' results from everyone's feedback after I've booted back into 10.0

regards,
Carl
On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
Hi All,
This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
...
All ideas/hints gratefully appreciated and a happy new year to all of you!
My previous answer was for part (a). For part (b) I'd check on /var/run/utmp. That file records current logins. Perhaps the file is missing or damaged. If it's missing, it should get recreated by a reboot. If it's corrupted, perhaps it should be removed and then you should reboot. Actually, a bit of quick Googling suggests that the proper way to correct a corrupted utmp is to copy /dev/null onto it (or otherwise effect its truncation) and not to reboot but merely to log out and in again.
regards,
Carl
Randall Schulz
On Wednesday 03 January 2007 10:55, Randall R Schulz wrote:
My previous answer was for part (a). For part (b) I'd check on /var/run/utmp. That file records current logins. Perhaps the file is missing or damaged. If it's missing, it should get recreated by a reboot. If it's corrupted, perhaps it should be removed and then you should reboot.
Actually, a bit of quick Googling suggests that the proper way to correct a corrupted utmp is to copy /dev/null onto it (or otherwise effect its truncation) and not to reboot but merely to log out and in again.
Thanks for the addendum, Randall. I've added it to my notes for when I tackle the 'errant who' issue later today. I'm enjoying exploring 10.2 right now! :-)

regards,
Carl
On Wednesday 03 January 2007 10:27, Carl Hartung wrote: <snipped; I'm replying to all who responded to my original post>

Hi All,

I'd forgotten I'd turned off sshd and apache2 immediately after the incident and only begun firing them up when needed. There must be an unknown mechanism affording access to the system. :-(

With respect to today's tests:

First, after booting back into 10.0, 'who' was working correctly. (!?) After seeing this, I didn't bother checking the status of /var/run/utmp

Remote administration was still disabled in the router, its firewall settings were still where I'd set them and my very long & complex 'Admin' names and password were still intact. I'm beginning to suspect some kind of "inside attack" is being routed through the M$ box that is sharing this connection.

I saw nothing unusual with "last", "w" or "alias".

The md5sum of my /usr/bin/who matched the one posted by Ken Schneider so it appears to be the 'stock' binary (thanks, Ken!)

Have I missed anything? I do appreciate all the great feedback today, so thanks again!

Carl
On Wed, 2007-01-03 at 20:26 -0500, Carl Hartung wrote:
On Wednesday 03 January 2007 10:27, Carl Hartung wrote: <snipped; I'm replying to all who responded to my original post>
Hi All,
I'd forgotten I'd turned off sshd and apache2 immediately after the incident and only begun firing them up when needed. There must be an unknown mechanism affording access to the system. :-(
If you even slightly suspect some problem I highly recommend saving any data you can and doing a fresh install on this machine. Better to be safe than sorry.
With respect to today's tests:
First, after booting back into 10.0, 'who' was working correctly. (!?) After seeing this, I didn't bother checking the status of /var/run/utmp
Remote administration was still disabled in the router, its firewall settings were still where I'd set them and my very long & complex 'Admin' names and password were still intact. I'm beginning to suspect some kind of "inside attack" is being routed through the M$ box that is sharing this connection.
I saw nothing unusual with "last", "w" or "alias".
If the [u,w]tmp file is corrupt in any way you will get faulty results when using these commands. Perhaps you fixed the problem by either zeroing out the file with "> /var/log/[u,w]tmp" or by deleting it which caused it to be recreated.

-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
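Randall's and Ken's replies both come down to the state of the utmp file: 'who' lists USER_PROCESS records from it, and an empty or truncated file produces exactly the silent output Carl saw. The following script is an added example, not code from anyone in this thread; it parses the glibc struct utmp layout (384-byte records, constructed sample data embedded inline) and reports both what 'who' would show and why it might show nothing.

```python
import struct
from collections import namedtuple

# struct utmp as laid out by glibc on Linux: 384 bytes per record on both
# i386 and x86_64 (ut_session and ut_tv are 32-bit for compatibility).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

Entry = namedtuple("Entry", "type pid line user host time")

def _cstr(raw):
    # Fixed-width fields are NUL-padded; keep the part before the first NUL.
    return raw.split(b"\0", 1)[0].decode("latin-1")

def make_record(utype, pid, line, user, host, sec):
    # Builds a constructed record for the sample data below (hypothetical values).
    return struct.pack(UTMP_FMT, utype, pid, line, line[-1:], user, host,
                       0, 0, 0, sec, 0, 0, 0, 0, 0)

def parse_utmp(data):
    """Return (entries, problems); a problem is a reason 'who' would print nothing."""
    problems = []
    if not data:
        problems.append("utmp is empty: no records to show")
    elif len(data) % UTMP_SIZE:
        problems.append("size %d is not a multiple of %d: truncated or corrupt"
                        % (len(data), UTMP_SIZE))
    entries = []
    usable = len(data) - len(data) % UTMP_SIZE   # ignore a damaged tail
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        entries.append(Entry(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return entries, problems

def logged_in(entries):
    """What 'who' reports: USER_PROCESS records that carry a user name."""
    return [(e.user, e.line, e.host) for e in entries
            if e.type == USER_PROCESS and e.user]

# Constructed sample mirroring the thread: carl on tty7, root on tty1, and a
# logged-out (DEAD_PROCESS) slot that 'who' must skip.
SAMPLE = (make_record(USER_PROCESS, 2001, b"tty7", b"carl", b"", 1167832800)
          + make_record(USER_PROCESS, 2100, b"tty1", b"root", b"", 1167833400)
          + make_record(DEAD_PROCESS, 1500, b"pts/0", b"", b"", 1167830000))

if __name__ == "__main__":
    entries, problems = parse_utmp(SAMPLE)
    for user, line, host in logged_in(entries):
        print(user, line, host or "-")
    print(parse_utmp(SAMPLE[:-7])[1])  # a damaged tail is reported, not hidden
```

On a live system, feed it `open("/var/run/utmp", "rb").read()`; a reported size problem is the case where truncating the file and logging in again, as suggested above, restores 'who'.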
On Thursday 04 January 2007 07:54, Kenneth Schneider wrote:
If you even slightly suspect some problem I highly recommend saving any data you can and doing a fresh install on this machine. Better to be safe than sorry.
Hi Ken,

Great minds think alike, eh? :-) I did actually "fix" this problem last night by migrating into the fresh 10.2 installation, deleting my old user directory on the '/home' partition and wiping the 10.0 '/' partition. The move was a bit premature as I'm still setting things up but "safe" is definitely better than "sorry."

Thanks again for the feedback & regards. Thanks again also to Dominique and Randall.

Carl
participants (3)
- Carl Hartung
- Kenneth Schneider
- Randall R Schulz