Evidence of remote login on Linux
Posted: Tue May 08, 2012 3:34 am
I'm looking for evidence that a Debian Linux system has been remotely logged into.
I've examined the log files which record log ins and can't see any evidence in there. I've also looked at the gnome/KDE remote login system which I found never to have been used.
I've examined the packages installed and couldn't find any relating to remote login software.
Any other ideas?
-

minime2k9 - Senior Member
Re: Evidence of remote login on Linux
Posted: Tue May 08, 2012 10:27 am
minime2k9,
for what it's worth try some of the linux process inquiry commands, perhaps you'll see a process that looks out of place. not sure of your familiarity - I'm learning linux and know of the following process type commands you may want to run on the machine at the terminal:
ps - display currently active processes
top - display all running processes
bg - lists stopped or background jobs
fg - brings the most recent job to the foreground
I'd suggest trolling some linux forums - specific to the distribution you are working with (sometimes the commands can vary slightly depending on the flavor - OR some commands are available in one distro and not another....)
good luck,
john
-

jfk92 - Member
Re: Evidence of remote login on Linux
Posted: Tue May 08, 2012 10:30 am
oh - one more thing - so my interest in linux is driven from my interest in ethical hacking and penetration testing....and from what I know thus far - you most likely would not see a package installed by someone hacking the machine - the payload would be dropped through an identified vulnerability - either a port or application that hasn't been patched etc. That payload would most likely manifest as a process running in the background......(so cool!) - so check out the packages installed that may open the door - is there an ftp application installed? another remote connection service? Is the machine a webserver? Is there an email application? all of those doors and potentially 65,000+ vulnerable points of entry! ..... .mmmm the possibilities!
john
-

jfk92 - Member
Re: Evidence of remote login on Linux
Posted: Wed May 09, 2012 1:21 am
- minime2k9:
I'm looking for evidence that a Debian Linux system has been remotely logged into.
I've examined the log files which record log ins and can't see any evidence in there. I've also looked at the gnome/KDE remote login system which I found never to have been used.
I've examined the packages installed and couldn't find any relating to remote login software.
Any other ideas?
Linux stores login logs in utmp and wtmp, which are in binary format.
you may read this
en.wikipedia.org/wiki/Utmp
ivan
-

mansiu - Member
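Since utmp and wtmp are binary, a quick way to check them for remote sessions is to parse the fixed-width records directly and keep only USER_PROCESS entries that carry a remote host or address. The parser below is an added example written for this thread, not code from any poster or from the forum; it assumes the glibc x86_64 `struct utmp` layout (384 bytes per record) and runs against a constructed three-record wtmp sample embedded in the script. Point `parse_utmp` at the bytes of `/var/log/wtmp` (or `/var/run/utmp`, `/var/log/btmp` for failed logins) from the image to get the same kind of listing; on Debian the `last` and `utmpdump` tools read the same files, and sshd also writes to `/var/log/auth.log`, which is worth checking alongside them because utmp-family files can be truncated or edited.

```python
import socket
import struct
import time

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes per record
# (utmp.h: ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit, ut_session, ut_tv, ut_addr_v6[4], 20 unused bytes).  Other
# architectures and libcs differ; compare UTMP_SIZE with sizeof(struct utmp)
# on the examined system before trusting the output.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4I20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 on the assumed layout

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME",
            4: "OLD_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}
USER_PROCESS = 7
DEAD_PROCESS = 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words):
    """Render ut_addr_v6 as dotted IPv4 or IPv6 text, or '' when unset."""
    if not any(words):
        return ""
    if words[1] == words[2] == words[3] == 0:
        return socket.inet_ntoa(struct.pack("<I", words[0]))
    return socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))


def parse_utmp(data):
    """Parse raw utmp/wtmp/btmp bytes into a list of dict records."""
    records = []
    usable = len(data) - len(data) % UTMP_SIZE  # ignore a trailing partial record
    for off in range(0, usable, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, *addr) = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "addr": _addr(addr),
            "time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tv_sec)),
        })
    return records


def remote_logins(records):
    """Keep USER_PROCESS entries that carry a remote host name or address."""
    return [r for r in records
            if r["type"] == "USER_PROCESS" and (r["host"] or r["addr"])]


def make_record(ut_type, pid, line, user, host="", ipv4="", tv_sec=0):
    """Build a constructed record (test data only, not from a real system)."""
    a0 = struct.unpack("<I", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       a0, 0, 0, 0)


# Constructed sample: a console login, an SSH login from 192.0.2.10, and the
# DEAD_PROCESS entry written when that remote session ended.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "tty1", "alice", tv_sec=1336445640),
    make_record(USER_PROCESS, 1350, "pts/0", "bob", "192.0.2.10",
                "192.0.2.10", 1336449240),
    make_record(DEAD_PROCESS, 1350, "pts/0", "", tv_sec=1336452840),
])

if __name__ == "__main__":
    for r in remote_logins(parse_utmp(SAMPLE_WTMP)):
        print(r["time"], r["user"], r["line"], r["host"], r["addr"])
```

Only the pts/0 session from 192.0.2.10 is reported; the tty1 console login and the DEAD_PROCESS record are dropped. Treat an empty result as weak evidence rather than proof of absence, since these files only record what login programs chose to write.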