We were going to implement a tool at work to monitor 20-30 various nixen boxes (DEC, Linux, BSDs [we need more of these]) using some csh scripting, ssh, and rsync, and tie it into our bb stuff. I was reading something and came across this link, which does almost the same task that we want, except with perl:

http://perl.oreilly.com/news/sysadmin_0800.html

The proggies you mentioned below were on the top of our list to monitor. We've got boxes (tier 3... we're not the admins) that get broken into fairly often (ASU is a favored target for douche bags, I mean script kiddies). Usually it's one break-in and we're the admin or they don't get their ether cable back. E.g., last week, a tier-3 system was compromised and flooded an entire subnet, spiked the router to 100% for a few hours, and pissed off two TSAs.

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of plug@arcticmail.com
Sent: Monday, September 25, 2000 10:59 PM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: Re: user tracking

There are also other items in a standard rootkit. You could spend time checking ls, ps, top, sum, yada yada yada, against your pristine versions on read-only installation media (after booting into single-user mode on pristine read-only trusted media (and ONLY running binaries from said media)), but IMHO your best bet after a breach/rootkit incident is to take off and nuke the site from orbit. It's the only way to be sure.

I'm sure there's a HOWTO on cleaning up your system after a rootkit "upgrade." Check Google.

D

* On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> Thanks for the responses. I never knew about the command "last". Very cool. I've already found out most of what I needed. It was some guy over in Russia. Those punks! :-) He left some cool utilz on the hard drive for me though. A login replacement that logs all usernames and passwords and an in.ftpd replacement. That's how he got in in the first place. I was running wu-ftpd 2.5.x... I already know there's tons of documented exploits with that version. I've just upgraded to wu-ftpd 2.6 so that should slow 'em down a little bit.
>
> Don
>
> On 26 Sep 2000, Bill Warner wrote:
> > This information is located in the /etc/shadow file. It is referenced in the standard unix time thing (seconds since Jan 1 1970). Check man shadow for more details.
> >
> > Bill Warner
> >
> > > Hey guys.
> > > At login I get a printout of when the last login occurred. Where is that info stored? I want to check out a user on the system but don't want to log in as them. One of the machines I work with had the root account compromised. It's just running a few mushes so it's not that big of deal but I don't want it happening again. I went through it with a fine tooth comb and wouldn't mind it if any of you guys tried to whack at it... Lemme know what you find. The IP is 205.216.140.17
> > >
> > > Don

________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
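The check D describes above (comparing ls, ps, top, sum and friends against pristine copies) is the kind of thing the monitoring script at the top of the thread could carry out over ssh. Below is an added example, not code from anyone on the list: it records SHA-256 checksums of a chosen set of binaries into a baseline file and later reports any file that changed or went missing. The function names, the baseline file format and the use of sha256sum (falling back to shasum) are my own choices.

```shell
#!/bin/sh
# Added example: checksum baseline for binaries a rootkit typically replaces.
# As the thread notes, the baseline and the tools that compute it (sh, sha256sum,
# cut) must themselves come from trusted read-only media, or a trojaned sha256sum
# can simply report the expected hash. Run from that media; store the baseline there.

# hash_file <path>  ->  prints the SHA-256 hex digest of <path>
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # BSD/macOS fallback (assumption)
    fi
}

# build_baseline <baseline_file> <file>...
# Writes one "digest path" line per existing file; missing files are reported on stderr.
build_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
        else
            echo "baseline: skipping missing file $f" >&2
        fi
    done
}

# verify_baseline <baseline_file>
# Prints CHANGED/MISSING lines for any deviation; returns 0 only if everything matches.
verify_baseline() {
    baseline=$1
    failed=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; failed=1; continue
        fi
        current=$(hash_file "$path")
        if [ "$current" != "$expected" ]; then
            echo "CHANGED  $path  (expected $expected, got $current)"; failed=1
        fi
    done < "$baseline"
    return $failed
}

# Example invocation (constructed list; adjust to the host being monitored):
# build_baseline /mnt/cdrom/baseline.sha256 /bin/ls /bin/ps /usr/bin/top /bin/login
# verify_baseline /mnt/cdrom/baseline.sha256 || echo "integrity check FAILED"
```

Over ssh, the verify step is just `ssh host 'sh -s' < thiscript.sh` with the baseline shipped alongside, but the caveat in the comments still holds: a compromised host can lie to a script it runs itself, which is why D recommends booting from trusted media for the real check.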