Shell Programming: an Exploit Explained, continued...

        Here's how these commands work.  I [Carolyn] am using one of our Hacker
Wargame computers for the example below so you will get a chance to see how
we find out whether there has been an intruder in my account.

        Netstat is really great because it tells you so much:

Active Internet connections
Proto Recv-Q Send-Q  Local Address    Foreign Address        (state)
tcp        0      0  cryptotek.http   sol7.cs.wisc.edu.33089 FIN_WAIT_2
tcp        0      0  cryptotek.http   sol7.cs.wisc.edu.33088 FIN_WAIT_2
tcp        0     20  cryptotek.ssh    pmd05.rt66.com.1753    ESTABLISHED
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
f05e7f00 dgram       0      0        0 f03dcf14        0 f03dcb14
f05f9200 dgram       0      0        0 f03dcf14        0 f03dcd14
f05e9600 dgram       0      0        0 f03dcf14        0 f03dcd94
f05eba00 dgram       0      0        0 f03dcf14        0        0
f05a9000 dgram       0      0 f05ab680 0 f03ecc94      0 /var/run/log

        This readout tells us that a guy from the University of Wisconsin is
reading our Web site at http://cryptotek.happyhacker.org, while I am logged
in with an ssh (Secure Shell, which encrypts my communications) connection.
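Reading a netstat listing by eye is fine for three lines, but on a busy box you want the machine to do the looking. Here is an added example (my own script, not part of the original guide) that pulls the TCP sessions out of a readout in the BSD layout shown above, strips the port from each foreign address so sessions group by host, and then lists any ESTABLISHED ssh session from a host that is not on a list of hosts you know you log in from. The sample input repeats the guide's lines plus one constructed extra line (the host dial-9.example.net is made up for the example), and the MY_HOSTS allowlist is an assumption you would fill in for your own account.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise a netstat readout.
# NETSTAT_SAMPLE is constructed: the guide's lines plus one invented
# session from dial-9.example.net so the check below has something to find.
# Layout is BSD netstat: Proto Recv-Q Send-Q Local Foreign (state).

NETSTAT_SAMPLE='Active Internet connections
Proto Recv-Q Send-Q  Local Address    Foreign Address        (state)
tcp        0      0  cryptotek.http   sol7.cs.wisc.edu.33089 FIN_WAIT_2
tcp        0      0  cryptotek.http   sol7.cs.wisc.edu.33088 FIN_WAIT_2
tcp        0     20  cryptotek.ssh    pmd05.rt66.com.1753    ESTABLISHED
tcp        0      0  cryptotek.ssh    dial-9.example.net.2044 ESTABLISHED
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
f05e7f00 dgram       0      0        0 f03dcf14        0 f03dcb14'

# Hosts you know you log in from (assumed allowlist for the example).
MY_HOSTS="pmd05.rt66.com"

# Print "host service state" for each TCP line.  The local address is
# host.service, the foreign address is host.port; the port is stripped so
# repeated connections from one machine show up under one host name.
tcp_sessions() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        /^Active UNIX/ { exit }                 # stop at the UNIX-socket section
        $1 == "tcp" {
            n = split($4, l, "."); service = l[n]   # last label is the service
            sub(/\.[0-9]+$/, "", $5)               # drop the numeric port
            print $5, service, $6
        }'
}

# ESTABLISHED ssh sessions whose peer is not in MY_HOSTS.  Anything printed
# here is a shell session on your account that you did not open yourself.
unexpected_ssh() {
    tcp_sessions | while read -r host service state; do
        [ "$service" = ssh ] || continue
        [ "$state" = ESTABLISHED ] || continue
        case " $MY_HOSTS " in
            *" $host "*) ;;                      # a host you know, skip it
            *) printf '%s\n' "$host" ;;
        esac
    done
}

echo "TCP sessions (host service state):"
tcp_sessions
echo "ssh sessions from hosts you do not recognise:"
unexpected_ssh
```

Run it as-is to see the two lists; to use it on a live machine replace NETSTAT_SAMPLE with the output of netstat itself. One caveat: the parsing matches the BSD-style readout in this guide, where host and port are separated by a dot; a Linux netstat prints host:port, so the sub() pattern would need to strip ":port" instead.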

        The commands "w" and "who" only tell you who is actually logged into a
shell account and what they are doing just now. They both identify the same
people, but give somewhat different information on their activities.  Here's
a "w" command readout:

1:05PM  up 2 days, 17:42, 2 users, load averages: 0.00, 0.00, 0.00
USER     TTY FROM              LOGIN@  IDLE WHAT
cryptik  p0     1:02PM     -  (pine)
cmeinel  p1  pmd05.rt66.com   12:31PM     - w

        This means Cryptik is in his shell account reading his email using the Pine
program while I (Carolyn) am snooping on him with the "w" command.

        If your ISP has logs readable by users, that alias in your .cshrc named
"check" will tell you everyone who has logged into their shell accounts lately:

cmeinel  ttyp0   Thu Apr 23 14:25 - 16:30  (02:05)
cryptik  ttyp0    Thu Apr 23 13:02 - 13:06  (00:04)
mrcurt   ttyp1    Thu Apr 23 01:23 - 02:02  (00:38)
cryptik  ttyp0   Wed Apr 22 19:18 - 19:20  (00:02)
cryptik  ttyp0  Wed Apr 22 17:55 - 17:56  (00:00)
root     ttyv0                     Wed Apr 22 17:02 - 17:04  (00:02)
cryptik  ttyp0  Wed Apr 22 15:25 - 15:29  (00:03)
protocol ttyp1    Wed Apr 22 01:43 - 01:59  (00:16)
cryptik  ttyp0  Tue Apr 21 23:41 - 02:28  (02:47)
cmeinel  ttyp1    bofh.foobar.org  Tue Apr 21 22:09 - 22:17  (00:08)
xmyth    ttyp0    Tue Apr 21 18:11 - 18:12  (00:00)
420smk   ttyp0   Tue Apr 21 14:35 - 14:36  (00:01)
root     ttyv0                     Tue Apr 21 14:03 - 14:04  (00:00)
root     ttyp2  Tue Apr 21 01:25 - 02:10  (00:45)
cryptik  ttyp1    Tue Apr 21 00:24 - 00:25  (00:00)
skullz   ttyp1   Mon Apr 20 23:55 - 23:59  (00:04)
skullz   ttyp1   Mon Apr 20 23:48 - 23:53  (00:05)
cryptik  ttyp0  Mon Apr 20 23:24 - 01:33  (02:08)
cryptik  ttyp0  Mon Apr 20 23:16 - 23:16  (00:00)
cmeinel  ttyp1  Mon Apr 20 22:17 - 22:19  (00:02)

        Aha! Now you know the handles of the folks that have been using ftp or
logging into shell accounts from outside the ISP (Rt66) hosting this
computer lately. 

        That root login with no IP address after it was done from the console.
That means someone was actually physically at the keyboard to log in.  The
numbers after the other handles are the IP addresses from which they came
in.  For example, "cmeinel  ttyp1" means I came in from
an America Online dialup!  (To see what those IP numbers mean, read the
GTMHH "How to Map the Internet" for lots of ways to figure them out.)
Fortunately, I remember telnetting into my account from an AOL dialup that
time, so it's cool.
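The three things the text does by hand on that login log (spotting console logins, spotting logins from outside the hosting ISP, and remembering whether you yourself really did log in from a given host) can be turned into a script, so you can run it every time you log in instead of reading twenty lines. Here is an added example of my own, not part of the original guide. The log lines are constructed in the layout of the readout above, with the FROM column filled in on every remote line (the readout above lost most of its host names); the host dial-9.example.net and the idea that root would ever log in over the net are both made up for the example, and the list of hosts you know you came from is an assumption you fill in yourself.

```shell
#!/bin/sh
# Added example, not from the original guide: screen a "last"-style login
# log the way the text does by hand.  LAST_SAMPLE is constructed: same
# layout as the guide's readout, with FROM hosts on every remote line; the
# root login from dial-9.example.net is invented so the checks find something.

LAST_SAMPLE='cmeinel  ttyp0  pmd05.rt66.com   Thu Apr 23 14:25 - 16:30  (02:05)
cryptik  ttyp0  pmd05.rt66.com   Thu Apr 23 13:02 - 13:06  (00:04)
root     ttyv0                   Wed Apr 22 17:02 - 17:04  (00:02)
cmeinel  ttyp1  bofh.foobar.org  Tue Apr 21 22:09 - 22:17  (00:08)
root     ttyp2  dial-9.example.net Tue Apr 21 01:25 - 02:10  (00:45)
cmeinel  ttyp1  pmd05.rt66.com   Mon Apr 20 22:17 - 22:19  (00:02)'

# Print "user host" for every session.  A console login has no FROM host,
# so its third field is the weekday; we mark those with "-".
logins() {
    printf '%s\n' "$LAST_SAMPLE" | awk '
        { host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "-" : $3
          print $1, host }'
}

# Users who logged in at the physical keyboard (the guide's root example).
console_logins() {
    logins | awk '$2 == "-" { print $1 }' | sort -u
}

# Sessions from outside the ISP that hosts the machine; $1 is its domain,
# e.g. rt66.com.  Compares the tail of the host name against ".domain".
outside_isp() {
    logins | awk -v dom="$1" '
        $2 != "-" && substr($2, length($2) - length(dom)) != "." dom { print }'
}

# Hosts that user $1 came in from which are not in the known list $2 (space
# separated).  This is the "I remember telnetting in from that dialup" check,
# done from a list instead of from memory.
unexpected_for() {
    logins | awk -v u="$1" '$1 == u && $2 != "-" { print $2 }' | sort -u |
    while read -r h; do
        case " $2 " in
            *" $h "*) ;;
            *) printf '%s\n' "$h" ;;
        esac
    done
}

echo "console logins:";            console_logins
echo "logins from outside rt66:";  outside_isp rt66.com
echo "cmeinel from hosts not on her list:"
unexpected_for cmeinel "pmd05.rt66.com"
```

On a real account you would feed it the output of the "check" alias (or "last" directly) instead of LAST_SAMPLE, put your own handle and the hosts you actually use into the last call, and treat every host it prints as something to explain before assuming "it's cool". A root login that shows a network host rather than an empty FROM column is the one to chase first, since the text's point is that a genuine root login here comes from the console.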


 © 2013 Happy Hacker All rights reserved.