Shell Programming: an Exploit Explained, continued...

        Here's how these commands work.  I [Carolyn] am using one of our Hacker
Wargame computers for the example below so you will get a chance to see how
we find out whether there has been an intruder in my account.

        Netstat is really great because it tells you so much:

Active Internet connections
Proto Recv-Q Send-Q  Local Address    Foreign Address        (state)
tcp        0      0  cryptotek.http   sol7.cs.wisc.edu.33089 FIN_WAIT_2
tcp        0      0  cryptotek.http   sol7.cs.wisc.edu.33088 FIN_WAIT_2
tcp        0     20  cryptotek.ssh    pmd05.rt66.com.1753    ESTABLISHED
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
f05e7f00 dgram       0      0        0 f03dcf14        0 f03dcb14
f05f9200 dgram       0      0        0 f03dcf14        0 f03dcd14
f05e9600 dgram       0      0        0 f03dcf14        0 f03dcd94
f05eba00 dgram       0      0        0 f03dcf14        0        0
f05a9000 dgram       0      0 f05ab680 0 f03ecc94      0 /var/run/log

        This readout tells us that a guy from the University of Wisconsin is
reading our Web site at http://cryptotek.happyhacker.org, while I am logged
in with an ssh (Secure Shell, which encrypts my communications) connection.

        The commands "w" and "who" only tell you who is actually logged into a
shell account and what they are doing just now. They both identify the same
people, but give somewhat different information on their activities.  Here's
a "w" command readout:

1:05PM  up 2 days, 17:42, 2 users, load averages: 0.00, 0.00, 0.00
USER     TTY FROM              LOGIN@  IDLE WHAT
cryptik  p0  206.206.108.7     1:02PM     -  (pine)
cmeinel  p1  pmd05.rt66.com   12:31PM     - w

        This means Cryptik is in his shell account reading his email using the Pine
program while I (Carolyn) am snooping on him with the "w" command.
 
        If your ISP has logs readable by users, that alias in your .cshrc named
"check" will tell you everyone who has logged into their shell accounts lately:

cmeinel  ttyp0    152.172.76.111   Thu Apr 23 14:25 - 16:30  (02:05)
(snip)
cryptik  ttyp0    206.206.108.7    Thu Apr 23 13:02 - 13:06  (00:04)
mrcurt   ttyp1    152.166.28.22    Thu Apr 23 01:23 - 02:02  (00:38)
(snip)
cryptik  ttyp0    152.167.87.187   Wed Apr 22 19:18 - 19:20  (00:02)
cryptik  ttyp0    152.173.170.182  Wed Apr 22 17:55 - 17:56  (00:00)
root     ttyv0                     Wed Apr 22 17:02 - 17:04  (00:02)
cryptik  ttyp0    152.171.172.203  Wed Apr 22 15:25 - 15:29  (00:03)
protocol ttyp1    152.204.20.98    Wed Apr 22 01:43 - 01:59  (00:16)
cryptik  ttyp0    152.170.244.211  Tue Apr 21 23:41 - 02:28  (02:47)
cmeinel  ttyp1    bofh.foobar.org  Tue Apr 21 22:09 - 22:17  (00:08)
xmyth    ttyp0    152.203.67.27    Tue Apr 21 18:11 - 18:12  (00:00)
(snip)
420smk   ttyp0    152.172.97.237   Tue Apr 21 14:35 - 14:36  (00:01)
root     ttyv0                     Tue Apr 21 14:03 - 14:04  (00:00)
root     ttyp2    152.171.159.158  Tue Apr 21 01:25 - 02:10  (00:45)
cryptik  ttyp1    206.206.108.7    Tue Apr 21 00:24 - 00:25  (00:00)
skullz   ttyp1    152.166.74.235   Mon Apr 20 23:55 - 23:59  (00:04)
skullz   ttyp1    152.166.74.235   Mon Apr 20 23:48 - 23:53  (00:05)
cryptik  ttyp0    152.171.255.221  Mon Apr 20 23:24 - 01:33  (02:08)
cryptik  ttyp0    152.167.139.204  Mon Apr 20 23:16 - 23:16  (00:00)
cmeinel  ttyp1    152.170.227.210  Mon Apr 20 22:17 - 22:19  (00:02)
(snip)

        Aha! Now you know the handles of the folks that have been using ftp or
logging into shell accounts from outside the ISP (Rt66) hosting this
computer lately. 

        That root login with no IP address after it was done from the console.
That means someone was actually physically at the keyboard to log in.  The
numbers after the other handles are the IP addresses from which they came
in.  For example, "cmeinel  ttyp1    152.170.227.210" means I came in from
an America Online dialup!  (To see what those IP numbers mean, read the
GTMHH "How to Map the Internet" for lots of ways to figure them out.)
Fortunately, I remember telnetting into my account from an AOL dialup that
time, so it's cool.
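        As an added example (not from the Guide itself), here is a POSIX shell function that does by script what the "check" alias and the eyeballing above do by hand: it reads last-style output and flags logins for your account from hosts not on your own allow-list, plus root logins that did not come from the console. The sample lines are constructed from the format shown above, and the allow-list and function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of "last"-style output, in the layout shown on the page.
SAMPLE_LAST='cmeinel  ttyp0    152.172.76.111   Thu Apr 23 14:25 - 16:30  (02:05)
cryptik  ttyp0    206.206.108.7    Thu Apr 23 13:02 - 13:06  (00:04)
root     ttyv0                     Wed Apr 22 17:02 - 17:04  (00:02)
cmeinel  ttyp1    bofh.foobar.org  Tue Apr 21 22:09 - 22:17  (00:08)
root     ttyp2    152.171.159.158  Tue Apr 21 01:25 - 02:10  (00:45)
cmeinel  ttyp1    152.170.227.210  Mon Apr 20 22:17 - 22:19  (00:02)'

# check_logins USER "host1 host2 ..." < last-output
# Prints every login of USER whose origin host is not in the space-separated
# allow-list, and (assumption: root should only log in at the console) every
# root login that arrived from a remote host.
check_logins() {
    awk -v user="$1" -v allowed=" $2 " '
    {
        # A console login has no host column, so the weekday lands in $3.
        host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "console" : $3
        if ($1 == user && index(allowed, " " host " ") == 0)
            printf "UNKNOWN ORIGIN: %s\n", $0
        else if ($1 == "root" && host != "console")
            printf "REMOTE ROOT:    %s\n", $0
    }'
}

# Number of flagged lines for USER over the constructed sample (handy for scripting).
count_suspicious() {
    printf '%s\n' "$SAMPLE_LAST" | check_logins "$1" "$2" | wc -l | tr -d ' '
}

# Example run: with pmd05.rt66.com and bofh.foobar.org as the known hosts, the two
# dialup addresses and the remote root login are reported.
printf '%s\n' "$SAMPLE_LAST" | check_logins cmeinel "pmd05.rt66.com bofh.foobar.org"
```

On a real system you would feed it `last | check_logins yourname "your hosts"` instead of the constructed sample.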

More shell programming --->>



 © 2013 Happy Hacker All rights reserved.