[811] in linux-security and linux-alert archive
Re: [linux-security] suspicious users
daemon@ATHENA.MIT.EDU (Edward S. Marshall)
Mon Jun 17 09:50:04 1996
Date: Thu, 13 Jun 1996 18:49:53 -0500 (CDT)
From: "Edward S. Marshall" <emarshal@common.net>
To: "Douglas F. Elznic" <delznic@axess.net>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <2.2.32.19960608172137.00684290@ian.axess.net>
On Sat, 8 Jun 1996, Douglas F. Elznic wrote:
> I am becoming suspicious of some users on my system. I am wondering what is
> the best way to watch what they do or have done.
> What have you (the members of list) done to "babysit" these users.
An old package I used to play with that came with an ancient Slackware
distribution was called "telnetsnoop". I haven't seen it since then, but
it allowed you to monitor everything that the remote user saw and typed.
I'd check into the legalities of running such a thing on your system,
however; it could vary from place to place.
Also, keep an eye on your logs. You'll see failed su attempts there,
along with many other things which might lend a hand to finding out what
they're up to. As well, you can enable logging of some services (wu.ftpd,
for example, allows for very verbose logging) which will give you more
data to operate on.
--
.-----------------------------------------------------------------------------.
| Edward S. Marshall <emarshal@common.net> | CII Technical Administrator, |
| http://www.common.net/~emarshal/ | Vice-President, Common Internet |
| Finger for PGP public key. | Inc, and Linux & LPmud (ab)user. |
`-----------------------------------------------------------------------------'
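The reply above suggests watching the system log for failed su attempts. The following shell snippet is an added example, not part of the original message or of any tool it mentions: it reads syslog-style lines on stdin and summarises failed su attempts per (user, target) pair, then flags users who exceed a threshold. The sample log lines are constructed here for illustration, in the "FAILED SU" wording used by shadow-utils su; the exact format on a given system may differ, so the sed pattern is an assumption to adjust.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed su attempts
# from syslog-style input so repeat offenders stand out.

# Constructed sample of /var/log/messages lines (illustrative, not real data).
SAMPLE_LOG='Jun 13 18:40:01 host su: FAILED SU (to root) doug on /dev/ttyp0
Jun 13 18:40:09 host su: FAILED SU (to root) doug on /dev/ttyp0
Jun 13 18:41:15 host su: doug on /dev/ttyp0
Jun 13 18:42:30 host su: FAILED SU (to root) mallory on /dev/ttyp2
Jun 13 18:43:02 host sendmail[123]: alias database rebuilt
Jun 13 18:50:11 host su: FAILED SU (to root) doug on /dev/ttyp0'

# failed_su_counts: reads log lines on stdin, prints "COUNT USER TARGET"
# for each (user, target) pair, highest count first. Successful su lines
# and unrelated daemon output are ignored. The regex assumes the
# shadow-utils format "su: FAILED SU (to TARGET) USER on TTY".
failed_su_counts() {
  sed -n 's/.* su: FAILED SU (to \([^)]*\)) \([^ ]*\) on .*/\2 \1/p' \
    | sort | uniq -c | sort -rn
}

# flagged_users THRESHOLD: reads log lines on stdin, prints the usernames
# whose failed-su count for any target is at least THRESHOLD.
flagged_users() {
  failed_su_counts | awk -v t="$1" '$1 >= t { print $2 }' | sort -u
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_su_counts
printf 'Users with 2 or more failures: %s\n' \
  "$(printf '%s\n' "$SAMPLE_LOG" | flagged_users 2 | tr '\n' ' ')"
```

On a live system the same functions run over the real log, for example `failed_su_counts < /var/log/messages`; the threshold in `flagged_users` is a tuning knob, since a single typo at the password prompt is normal while a run of failures from one account deserves a closer look, which is exactly the kind of signal the reply says the logs provide.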