Shell Programming:
an Exploit Explained, continued...
Here's how these commands work. I [Carolyn] am using one of our Hacker
Wargame computers for the example below so you will get a chance to see how
we find out whether there has been an intruder in my account.
Netstat is really great because it tells you so much:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 cryptotek.http sol7.cs.wisc.edu.33089 FIN_WAIT_2
tcp 0 0 cryptotek.http sol7.cs.wisc.edu.33088 FIN_WAIT_2
tcp 0 20 cryptotek.ssh pmd05.rt66.com.1753 ESTABLISHED
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
f05e7f00 dgram 0 0 0 f03dcf14 0 f03dcb14
f05f9200 dgram 0 0 0 f03dcf14 0 f03dcd14
f05e9600 dgram 0 0 0 f03dcf14 0 f03dcd94
f05eba00 dgram 0 0 0 f03dcf14 0 0
f05a9000 dgram 0 0 f05ab680 0 f03ecc94 0 /var/run/log
This readout tells us that a guy from the University of Wisconsin is
reading our Web site at http://cryptotek.happyhacker.org, while I am logged
in with an ssh (Secure Shell, which encrypts my communications) connection.
The commands "w" and "who" only tell you who is actually logged into a
shell account and what they are doing just now. They both identify the same
people, but give somewhat different information on their activities. Here's
a "w" command readout:
1:05PM up 2 days, 17:42, 2 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
cryptik p0 206.206.108.7 1:02PM - (pine)
cmeinel p1 pmd05.rt66.com 12:31PM - w
This means Cryptik is in his shell account reading his email using the Pine
program while I (Carolyn) am snooping on him with the "w" command.
If your ISP has logs readable by users, that alias in your .cshrc named
"check" will tell you everyone who has logged into their shell accounts lately:
cmeinel ttyp0 152.172.76.111 Thu Apr 23 14:25 - 16:30 (02:05)
(snip)
cryptik ttyp0 206.206.108.7 Thu Apr 23 13:02 - 13:06 (00:04)
mrcurt ttyp1 152.166.28.22 Thu Apr 23 01:23 - 02:02 (00:38)
(snip)
cryptik ttyp0 152.167.87.187 Wed Apr 22 19:18 - 19:20 (00:02)
cryptik ttyp0 152.173.170.182 Wed Apr 22 17:55 - 17:56 (00:00)
root ttyv0 Wed Apr 22 17:02 - 17:04 (00:02)
cryptik ttyp0 152.171.172.203 Wed Apr 22 15:25 - 15:29 (00:03)
protocol ttyp1 152.204.20.98 Wed Apr 22 01:43 - 01:59 (00:16)
cryptik ttyp0 152.170.244.211 Tue Apr 21 23:41 - 02:28 (02:47)
cmeinel ttyp1 bofh.foobar.org Tue Apr 21 22:09 - 22:17 (00:08)
xmyth ttyp0 152.203.67.27 Tue Apr 21 18:11 - 18:12 (00:00)
(snip)
420smk ttyp0 152.172.97.237 Tue Apr 21 14:35 - 14:36 (00:01)
root ttyv0 Tue Apr 21 14:03 - 14:04 (00:00)
root ttyp2 152.171.159.158 Tue Apr 21 01:25 - 02:10 (00:45)
cryptik ttyp1 206.206.108.7 Tue Apr 21 00:24 - 00:25 (00:00)
skullz ttyp1 152.166.74.235 Mon Apr 20 23:55 - 23:59 (00:04)
skullz ttyp1 152.166.74.235 Mon Apr 20 23:48 - 23:53 (00:05)
cryptik ttyp0 152.171.255.221 Mon Apr 20 23:24 - 01:33 (02:08)
cryptik ttyp0 152.167.139.204 Mon Apr 20 23:16 - 23:16 (00:00)
cmeinel ttyp1 152.170.227.210 Mon Apr 20 22:17 - 22:19 (00:02)
(snip)
Aha! Now you know the handles of the folks that have been using ftp or
logging into shell accounts from outside the ISP (Rt66) hosting this
computer lately.
That root login with no IP address after it was done from the console.
That means someone was actually physically at the keyboard to log in. The
numbers after the other handles are the IP addresses from which they came
in. For example, "cmeinel ttyp1 152.170.227.210" means I came in from
an America Online dialup! (To see what those IP numbers mean, read the
GTMHH "How to Map the Internet" for lots of ways to figure them out.)
Fortunately, I remember telnetting into my account from an AOL dialup that
time, so it's cool.
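The check Carolyn does by eye on that readout can be automated. Here is an added example (not from the original article) of a Bourne shell function that reads what the "check" alias (last) prints and reports every login to your account from a host you don't recognise, plus any console login. It assumes the BSD-style last layout shown above; the sample output and the allowlist of hosts are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the "check" alias (last) output for one account.
# Assumes the BSD-style last layout shown above: user, tty, origin host or IP
# (blank for a console login), then the date. The allowlist is an assumption.

# Constructed sample of "check" output; the lines mirror the readout above.
SAMPLE_LAST='cmeinel  ttyp0  152.172.76.111   Thu Apr 23 14:25 - 16:30 (02:05)
cmeinel  ttyp1  pmd05.rt66.com   Thu Apr 23 12:31   still logged in
cryptik  ttyp0  206.206.108.7    Thu Apr 23 13:02 - 13:06 (00:04)
root     ttyv0                   Wed Apr 22 17:02 - 17:04 (00:02)
cmeinel  ttyp1  bofh.foobar.org  Tue Apr 21 22:09 - 22:17 (00:08)
cmeinel  ttyp1  152.170.227.210  Mon Apr 20 22:17 - 22:19 (00:02)
wtmp begins Mon Apr 20 00:00'

# audit_logins USER "host1 host2 ..."  < last-output
# Prints one line per login of USER whose origin is not in the space-separated
# allowlist. A login with no origin field (the third field is a weekday name,
# so it survives "still logged in" lines too) came from the console and is
# always reported, because someone was physically at the keyboard for it.
audit_logins() {
    awk -v user="$1" -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 != user { next }   # other accounts, blank lines, "wtmp begins" trailer
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print "CONSOLE", $1, $2, $3, $4, $5; next }
        !($3 in ok) { print "UNKNOWN", $1, $3, $4, $5, $6 }
    '
}

# Hosts Carolyn recognises (assumed for this example). The AOL dialup is not
# on the list, so that login is the one line reported.
printf '%s\n' "$SAMPLE_LAST" | audit_logins cmeinel "152.172.76.111 pmd05.rt66.com bofh.foobar.org"
```

Pipe the real alias output into it instead of the sample, e.g. `check | audit_logins "$USER" "host1 host2"`, and add each host you recognise to the list as you confirm it.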