user tracking

Mark Peoples gascsd@gascairlines.com
Mon, 25 Sep 2000 22:59:58 -0700


We were going to implement a tool at work to monitor 20-30 various nixen
boxes (DEC, Linux, BSDs [we need more of these <g>]) using some csh
scripting, ssh, and rsync, and tie it into our bb stuff.

I was reading something and came across this link which does almost the same
task that we want, except with perl.
http://perl.oreilly.com/news/sysadmin_0800.html

The proggies you mentioned below were on the top of our list to monitor.
We've got boxes (tier 3... we're not the admins) that get broken into fairly
often (ASU is a favored target for douche bags, I mean script kiddies).
Usually it's one break-in and we're the admin or they don't get their ether
cable back. E.g., last week, a tier-3 system was compromised and flooded an
entire subnet, spiked the router to 100% for a few hours, and pissed off two
TSAs.

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of
plug@arcticmail.com
Sent: Monday, September 25, 2000 10:59 PM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: Re: user tracking



There are also other items in a standard rootkit.

You could spend time checking ls, ps, top, sum, yada
yada yada, against your pristine versions on read-only
installation media (after booting into single-user
mode on pristine read-only trusted media (and ONLY
running binaries from said media)), but IMHO your best
bet after a breach/rootkit incident is to take off and
nuke the site from orbit.  It's the only way to be sure.

I'm sure there's a HOWTO on cleaning up your system
after a rootkit "upgrade."  Check Google.


D

* On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> Thanks for the responses.  I never knew about the command "last".  Very
> cool.  I've already found out most of what I needed.  It was some guy over
> in Russia.  Those punks!  :-)  He left some cool utilz on the hard drive
> for me though.  A login replacement that logs all usernames and passwords
> and an in.ftpd replacement.  That's how he got in in the first place.  I
> was running wu-ftpd 2.5.x... I already know there's tons of documented
> exploits with that version.  I've just upgraded to wu-ftpd 2.6 so that
> should slow 'em down a little bit.
>
> Don
>
> On 26 Sep 2000, Bill Warner wrote:
>
> > This information is located in the /etc/shadow file.  It is referenced
> > in the standard unix time thing (seconds since Jan 1 1970).  Check
> > man shadow for more details.
> >
> > Bill Warner
> >
> > > Hey guys.
> > >       At login I get a printout of when the last login occurred.  Where
> > > is that info stored?  I want to check out a user on the system but
> > > don't want to log in as them.  One of the machines I work with had the
> > > root account compromised.  It's just running a few mushes so it's not that
> > > big of deal but I don't want it happening again.  I went through it with a
> > > fine tooth comb and wouldn't mind it if any of you guys tried to whack at
> > > it...  Lemme know what you find.  The IP is 205.216.140.17
> > >
> > > Don
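A minimal form of the check D describes above (compare ls, ps, top and friends against checksums recorded from pristine read-only media), as an added example that is not from this thread. It assumes sha256sum and mktemp are available and, for a real check, that HASH and the other tools it calls are the copies on the trusted media rather than the on-disk ones.

```shell
#!/bin/sh
# Added example (not from the thread): verify system binaries against a
# baseline of checksums taken from pristine read-only install media.
# Assumptions: sha256sum and mktemp exist; in a real check, HASH and
# every other tool used here should be the copies on the trusted media,
# since a rootkit may have replaced the ones on disk.
HASH=${HASH:-sha256sum}

# make_baseline MANIFEST FILE... : record checksums of known-good binaries.
make_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        "$HASH" "$f" >> "$manifest" || return 1
    done
}

# verify_baseline MANIFEST : recompute each listed binary's checksum and
# compare it with the record. Prints one line per file and returns 1 if
# anything is missing or differs, so a cron job or bb probe can alert.
verify_baseline() {
    manifest=$1; status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        cur=$("$HASH" "$path" | cut -d' ' -f1)
        if [ "$cur" = "$sum" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# Self-contained demo on constructed sample "binaries" in a temp dir:
# checks a clean set, then replaces ps the way a rootkit would.
demo() {
    dir=$(mktemp -d) || return 2
    for b in ls ps top; do printf 'pristine %s\n' "$b" > "$dir/$b"; done
    make_baseline "$dir/baseline.sha256" "$dir/ls" "$dir/ps" "$dir/top"
    verify_baseline "$dir/baseline.sha256" >/dev/null && clean=0 || clean=1
    printf 'trojaned ps\n' > "$dir/ps"
    verify_baseline "$dir/baseline.sha256" >/dev/null && dirty=0 || dirty=1
    rm -rf "$dir"
    echo "$clean $dirty"   # prints "0 1"
}
```

Run `demo` to see the clean set pass and the tampered set fail; in practice, generate the manifest once from the install media and keep it alongside the tools on that media.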

________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
to the list quickly and you use Netscape to write mail.

Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss