Evidence of remote login on Linux

minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
Topic starter  

I'm looking for evidence that a Debian Linux system has been remotely logged into.

I've examined the log files which record log ins and can't see any evidence in there. I've also looked at the gnome/KDE remote login system which I found never to have been used.

I've examined the packages installed and couldn't find any relating to remote login software.

Any other ideas?


jfk92
(@jfk92)
Eminent Member
Joined: 15 years ago
Posts: 24
 

minime2k9,

For what it's worth, try some of the Linux process inquiry commands; perhaps you'll see a process that looks out of place. Not sure of your familiarity - I'm learning Linux and know of the following process-type commands you may want to run on the machine at the terminal:

ps - display currently active processes
top - display all running processes
bg - lists stopped or background jobs
fg - brings the most recent job to the foreground

I'd suggest trolling some Linux forums specific to the distribution you are working with (sometimes the commands can vary slightly depending on the flavor, or some commands are available in one distro and not another…)

good luck,

john


jfk92
(@jfk92)
Eminent Member
Joined: 15 years ago
Posts: 24
 

Oh - one more thing - so my interest in Linux is driven from my interest in ethical hacking and penetration testing… and from what I know thus far, you most likely would not see a package installed by someone hacking the machine - the payload would be dropped through an identified vulnerability, either a port or application that hasn't been patched etc. That payload would most likely manifest as a process running in the background… (so cool!) So check out the packages installed that may open the door: is there an FTP application installed? Another remote connection service? Is the machine a webserver? Is there an email application? All of those doors and potentially 65,000+ vulnerable points of entry! … mmmm, the possibilities!

john


(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
 

> I'm looking for evidence that a Debian Linux system has been remotely logged into.
>
> I've examined the log files which record log ins and can't see any evidence in there. I've also looked at the gnome/KDE remote login system which I found never to have been used.
>
> I've examined the packages installed and couldn't find any relating to remote login software.
>
> Any other ideas?

Linux stores the login log in utmp and wtmp, which are in binary format.

You may read this:

http://en.wikipedia.org/wiki/Utmp

ivan
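
The binary utmp/wtmp records mentioned in the post above can be read directly from a copy of the file, without relying on the tools installed on the examined system. The following is an added example, not part of the original thread: a minimal parser that lists login records carrying a remote host or address. It assumes the 384-byte glibc record layout used on x86 and x86-64 Linux; the function names and the sample records are constructed for illustration.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86 / x86-64 Linux (assumption):
# 384 bytes per record, little-endian, 32-bit time fields.
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i16s20x")
USER_PROCESS = 7  # ut_type of a normal login session

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    # ut_addr_v6: IPv4 uses only the first 4 bytes, the rest stay zero.
    if raw == bytes(16):
        return None
    if raw[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))

def remote_logins(data):
    """Return USER_PROCESS records that carry a remote host or address."""
    hits = []
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        (ut_type, pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, addr) = UTMP.unpack_from(data, off)
        host, ip = _text(host), _addr(addr)
        # Local X sessions record a display such as ":0" as the host.
        remote = ip or (host and not host.startswith(":"))
        if ut_type != USER_PROCESS or not remote:
            continue
        when = datetime.fromtimestamp(sec, timezone.utc).isoformat()
        hits.append({"user": _text(user), "line": _text(line), "host": host,
                     "addr": ip, "pid": pid, "time": when})
    return hits

def make_record(ut_type, pid, line, user, host, sec, addr=bytes(16)):
    """Build one constructed record for the sample data below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, sec, 0, addr)

# Constructed sample data, not taken from any real system:
# a local X login, a login from 192.0.2.10, and a DEAD_PROCESS (logout) record.
SAMPLE = (
    make_record(7, 1200, b"tty7", b"alice", b":0", 1300000000)
    + make_record(7, 4321, b"pts/0", b"bob", b"192.0.2.10", 1300003600,
                  bytes([192, 0, 2, 10]) + bytes(12))
    + make_record(8, 4321, b"pts/0", b"", b"", 1300007200)
)
```

To use it on evidence, pass the bytes of a copied `/var/log/wtmp` to `remote_logins()`. Only logins made through programs that write utmp/wtmp records appear here, so an empty result does not by itself rule out remote access.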

