ps
Individual users often have better luck with the ps command than with commands such as who or users when tracking system utilization. The ps command displays the following information: current process IDs, the associated TTY, the owner of the process, execution time, and the actual command being executed. Because ps draws from the kernel's process table in generating its report, ps output cannot be altered by simply editing a log file.
The ps command is useful for locating background processes left running by intruders, for locating user processes running on active TTYs for which no UTMP entries exist, and for tracking all activity of given users.
The following sample is a portion of ps output from a BSDI Unix machine:
freeside % ps -uax
USER     PID %CPU %MEM   VSZ   RSS TT  STAT STARTED     TIME COMMAND
root      73  2.1  0.0  1372  1004 ??  S    24Mar95 84:38.60 gated
root       0  0.0  0.0     0     0 ??  DLs  24Mar95  0:00.38 (swapper)
root       1  0.0  0.0   244   116 ??  Is   24Mar95  3:21.42 init
root       2  0.0  0.0     0    12 ??  DL   24Mar95  0:03.42 (pagedaemon)
root      35  0.0  0.0   208   144 ??  Ss   24Mar95  4:50.63 syslogd
root      68  0.0  0.0    72    28 ??  Ss   24Mar95 29:03.42 update
root      70  0.0  0.0   280   160 ??  Is   24Mar95  0:17.43 cron
root      76  0.0  0.0 10660 10612 ??  Ss   24Mar95 46:10.08 named
root      80  0.0  0.0   236    52 ??  IWs  24Mar95  0:00.10 lpd
root      83  0.0  0.0   172    96 ??  Is   24Mar95  0:00.08 portmap
root      88  0.0  0.0   244   180 ??  Is   24Mar95  0:00.13 mountd
root      90  0.0  0.0   140    16 ??  IWs  24Mar95  0:00.02 (nfsd)
root      99  0.0  0.0   100    16 ??  I    24Mar95  0:00.22 nfsiod 4
root     104  0.0  0.0   216   112 ??  Ss   24Mar95  1:46.96 inetd
root    2106  0.0  0.0   240   172 p0- I    25Mar95  1:18.26 freeside
root    5747  0.0  0.0   520   220 ??  Is   Wed12PM  2:07.20 (sendmail)
phrack 14289  0.0  0.0   240   176 b1- I    Wed06PM  0:00.15 archie
phrack 22626  0.0  0.0   752   712 p4  Ss+  12:30PM  0:42.35 irc
phrack 26785  0.6  0.0   584   464 p4  Ss   11:57PM  0:00.40 -tcsh
phrack 26793  0.0  0.0   320   224 p4  R+   11:57PM  0:00.06 ps -uax
freeside %
The preceding example shows several root processes running in the background. The sample also shows several current processes owned by the phrack account. One process in particular, 14289, might warrant a closer look. It appears to be an archie request that has been running for longer than normal, and it is on a different TTY than the one the phrack account is currently logged in on. This discrepancy could be the result of a process that did not exit properly, but it also could be a malicious utility running in the background, compiled with an inconspicuous name to avoid suspicion.
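The comparison described above, checking each process's terminal against the terminals that actually have a UTMP entry, as an added shell example that is not part of the original text. It parses a constructed subset of the ps -uax listing shown above; the UTMP terminal list (what who reports) is likewise constructed, and the function names orphan_tty_procs and live_check are chosen for this example.

```shell
#!/bin/sh
# Added example: flag processes attached to a TTY that has no UTMP (who) entry.

# Constructed input: a subset of the ps -uax listing above (same column layout).
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 73 2.1 0.0 1372 1004 ?? S 24Mar95 84:38.60 gated
root 104 0.0 0.0 216 112 ?? Ss 24Mar95 1:46.96 inetd
root 2106 0.0 0.0 240 172 p0- I 25Mar95 1:18.26 freeside
root 5747 0.0 0.0 520 220 ?? Is Wed12PM 2:07.20 (sendmail)
phrack 14289 0.0 0.0 240 176 b1- I Wed06PM 0:00.15 archie
phrack 22626 0.0 0.0 752 712 p4 Ss+ 12:30PM 0:42.35 irc
phrack 26785 0.6 0.0 584 464 p4 Ss 11:57PM 0:00.40 -tcsh
phrack 26793 0.0 0.0 320 224 p4 R+ 11:57PM 0:00.06 ps -uax'

# Constructed input: terminals that have a UTMP entry, one per line (column 2 of who).
UTMP_TTYS='ttyp4'

# orphan_tty_procs PS_OUTPUT UTMP_TTY_LIST
# Prints "user pid=N tty=T cmd=C" for every process whose terminal has no UTMP entry.
orphan_tty_procs() {
    printf '%s\n' "$1" | awk -v utmp="$2" '
        BEGIN { n = split(utmp, t, "\n"); for (i = 1; i <= n; i++) seen[t[i]] = 1 }
        $1 == "USER" { next }                       # column header
        $7 == "??" || $7 == "?" { next }            # daemons: no controlling terminal
        {
            tty = $7
            sub(/-$/, "", tty)                      # "b1-": started on ttyb1, now detached from it
            if (tty !~ /^(tty|pts)/) tty = "tty" tty   # BSD ps prints ttyp4 as "p4"
            if (!(tty in seen)) {
                cmd = $11
                for (i = 12; i <= NF; i++) cmd = cmd " " $i
                printf "%s pid=%s tty=%s cmd=%s\n", $1, $2, tty, cmd
            }
        }'
}

# live_check: the same comparison against the running system ("ps aux" is the
# portable spelling of the BSD "ps -uax" used in the text).
live_check() {
    orphan_tty_procs "$(ps aux)" "$(who | awk '{ print $2 }')"
}

orphan_tty_procs "$PS_SAMPLE" "$UTMP_TTYS"
```

Run on the sample it reports root's process 2106 on ttyp0 and phrack's archie process 14289 on ttyb1, both terminals without a login session; the ps -uax process on ttyp4 is not reported because that terminal is the one phrack is logged in on. A hit is a lead, not a verdict: a process that outlived its login session is the benign explanation the text gives, so the next step is to look at what the process is doing.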
netstat
The netstat command displays useful information regarding the state of the TCP/IP network traffic running to and from the host computer. In some instances, netstat is the only monitoring tool the administrator has to locate intruders.
The active connections portion of netstat output lists the addresses of open incoming connections. Even if an intruder has removed himself from UTMP or other logs, his incoming connection might still be visible through netstat.
The following sample is a portion of netstat output on a BSDI Unix machine:
freeside% netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  freeside.1581          bbs.sdd8.nanaimo.smtp  ESTABLISHED
tcp        0      0  freeside.1580          avarice.mrrr.lut.smtp  ESTABLISHED
tcp        0      0  freeside.http          slip09.1125            TIME_WAIT
tcp        0      6  freeside.1579          tibal.supernet..smtp   ESTABLISHED
tcp        0      0  freeside.http          slip0.1124             TIME_WAIT
tcp        0      0  freeside.http          slip0.1123             TIME_WAIT
tcp        0      0  freeside.http          slip0.1122             TIME_WAIT
tcp        0      0  freeside.1576          vangogh.rtppc.ep.smtp  TIME_WAIT
tcp        0      0  freeside.http          slip0.1121             TIME_WAIT
tcp        0      0  freeside.http          slip0.1120             TIME_WAIT
tcp        0    468  freeside.telnet        phrack.1032            ESTABLISHED
tcp        0      0  freeside.1572          vulcan.cblink.co.smtp  TIME_WAIT
tcp        0      0  freeside.1568          dewey.cs.texas.e.6667  ESTABLISHED
tcp        0      0  freeside.1493          zilla.nntp             ESTABLISHED
tcp        0      0  freeside.4897          yod.texas.net.6667     ESTABLISHED
tcp        0   4096  freeside.http          cicaa2-5.dial.1246     LAST_ACK
tcp        0   3584  freeside.http          cicaa2-5.dial.1245     LAST_ACK
tcp        0   1627  freeside.http          cicaa2-5.dial.1241     LAST_ACK
tcp        0   3584  freeside.http          cicaa2-5.dial.1237     LAST_ACK
tcp        0   3584  freeside.http          p.cincinnati.1327      LAST_ACK
tcp        0      1  freeside.telnet        pcnet.utsa.ed.16014    CLOSING
udp        0      0  loopback.domain        *.*
udp        0      0  freeside.domain        *.*
udp        0      0  freeside.1042          raw.2049
udp        0      0  freeside.1039          bull.2049
udp        0      0  freeside.1036          zilla.2049
As seen in the preceding output, the full hostname might not be displayed in the foreign address field because of length restrictions, but what is shown is often more than enough to determine the true address. The local host, for example, has incoming telnet sessions from pcnet.utsa.edu and from the phrack host. If no users are known from pcnet.utsa.edu, then connections from that host might be a good indicator of possible intruder activity.
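The check the paragraph above describes, picking out connections to the host's login services from addresses that are not on a list of expected hosts, as an added shell example that is not part of the original text. The netstat lines are a constructed subset of the listing above, the known-host list is constructed, and incoming_from_unknown and live_check are names chosen for this example. Incoming connections are recognised the way the text reads them: the local side shows a service name (freeside.telnet) rather than the numeric ephemeral port an outgoing connection gets (freeside.1581).

```shell
#!/bin/sh
# Added example: list connections to login services from hosts not on a known list.

# Constructed input: a subset of the netstat listing above (BSD host.port notation).
NETSTAT_SAMPLE='Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 freeside.1581 bbs.sdd8.nanaimo.smtp ESTABLISHED
tcp 0 0 freeside.http slip09.1125 TIME_WAIT
tcp 0 468 freeside.telnet phrack.1032 ESTABLISHED
tcp 0 0 freeside.1568 dewey.cs.texas.e.6667 ESTABLISHED
tcp 0 3584 freeside.http cicaa2-5.dial.1237 LAST_ACK
tcp 0 1 freeside.telnet pcnet.utsa.ed.16014 CLOSING
udp 0 0 freeside.domain *.*
udp 0 0 freeside.1042 raw.2049'

# Constructed input: hosts from which interactive logins are expected, one per line.
KNOWN_HOSTS='phrack'

# incoming_from_unknown NETSTAT_OUTPUT KNOWN_HOST_LIST "svc1 svc2 ..."
# Prints "service from host (state)" for each connection to a watched service
# whose foreign host is not in the known list. Accepts BSD host.port and
# Linux host:port notation.
incoming_from_unknown() {
    printf '%s\n' "$1" | awk -v known="$2" -v services="$3" '
        BEGIN {
            n = split(known, k, "\n");   for (i = 1; i <= n; i++) ok[k[i]] = 1
            n = split(services, s, " "); for (i = 1; i <= n; i++) watched[s[i]] = 1
        }
        $1 != "tcp" { next }                            # headers, udp, unix sockets
        $6 == "LISTEN" { next }                         # listening sockets have no peer
        {
            n = split($4, loc, /[.:]/); lport = loc[n]  # "freeside.telnet" -> "telnet"
            host = $5; sub(/[.:][^.:]*$/, "", host)     # "pcnet.utsa.ed.16014" -> "pcnet.utsa.ed"
            if ((lport in watched) && !(host in ok))
                printf "%s from %s (%s)\n", lport, host, $6
        }'
}

# live_check: the same test against the running host. netstat -a keeps the
# service names the filter matches on; with -n they would be port numbers.
live_check() {
    incoming_from_unknown "$(netstat -a 2>/dev/null)" "$KNOWN_HOSTS" "telnet login shell ftp"
}

incoming_from_unknown "$NETSTAT_SAMPLE" "$KNOWN_HOSTS" "telnet login shell"
```

On the sample this prints only the telnet connection from pcnet.utsa.ed, because the other telnet peer, phrack, is on the known list and the remaining lines are web and outgoing traffic. Because netstat truncates foreign hostnames, the known list has to hold names exactly as netstat prints them; comparing numeric addresses from netstat -n (and then matching ports instead of service names) avoids both the truncation and any reliance on reverse DNS.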
Ethernet Sniffers
An ethernet sniffer is a program that logs all activity on the local ethernet segment. Some Unix versions include sniffing utilities, such as tcpdump or snoop, but utilities of this kind are available on the Internet as well.
Ethernet sniffer programs are priceless for debugging network problems such as broadcast storms, or for locating the source of problem output; but in the wrong hands they can be deadly. Because the purpose of the program is to intercept and view (or log) all packets on the network, many intruders run these utilities to intercept username and password information as it passes across the network.
Administrators who use these tools should take precautions to ensure that normal users cannot access them. Administrators also might want to check periodically for any indication that an intruder has started his own ethernet sniffer; one way to do so is to look at whether any of the machine's ethernet interfaces are running in promiscuous mode.
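The promiscuous-mode check suggested above, as an added shell example that is not part of the original text. The interface listings are constructed samples in the two formats an administrator is likely to meet, the ifconfig flag list and the iproute2 ip -d link output; promisc_ifaces and live_check are names chosen for this example.

```shell
#!/bin/sh
# Added example: report interfaces whose kernel state shows promiscuous mode.

# Constructed sample in ifconfig format (flag list in angle brackets).
IFCONFIG_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
le0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
le1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500'

# Constructed sample in "ip -d link" format (promiscuity count on the detail line).
IPLINK_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1'

# promisc_ifaces LISTING
# Prints the name of each interface in promiscuous mode: either PROMISC appears
# in its flag list (ifconfig, ip link) or the "ip -d link" detail line reports
# a non-zero promiscuity count.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9]/ {                              # header line starts a new interface
            name = ($1 ~ /^[0-9]+:$/) ? $2 : $1       # "2: eth0: <...>" or "le0: flags=..."
            sub(/:$/, "", name)
        }
        name != "" && /(<|[ ,])PROMISC(>|[ ,])/   { print name; name = "" }
        name != "" && / promiscuity [1-9]/        { print name; name = "" }'
}

# live_check: query the running system, preferring the detailed ip output.
live_check() {
    if command -v ip >/dev/null 2>&1; then
        promisc_ifaces "$(ip -d link show)"
    else
        promisc_ifaces "$(ifconfig -a)"
    fi
}

promisc_ifaces "$IFCONFIG_SAMPLE"
promisc_ifaces "$IPLINK_SAMPLE"
```

On the samples this names le0 and eth0. The two rules matter on Linux: the PROMISC flag shown by ifconfig and ip link reflects only promiscuous mode that was set administratively, while a sniffer that opens a packet socket raises the kernel's promiscuity counter without setting that flag, so the count from ip -d link is the one to trust there. Whichever listing is used, it is only as honest as the ifconfig or ip binary producing it, so the check is best run with tools from known-good media on a host that is already suspected.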