Security sweep
You should be aware of the "normal" state of your computer account, so you can notice anything unusual that occurs. Here's how to do a brief "sweep" of your account to make sure that everything is as it should be.
Use the last command, for example with
last my_username | more
to view your last logins to Alcor.
Note: if you use just "last" without specifying your username, you'll get everybody's logins to Alcor, and that will be a very, very long listing.
Since we rotate the file that records logins each month, you'll see only your logins since the beginning of the current month. The output will look something like:
anne ttyca Macduf-2.Concord Tue Mar 18 15:58 - 16:01 (00:02)
anne ftp newsflash.Concor Tue Mar 18 11:32 - 11:32 (00:00)
anne ttyw4 vindemiatrix.con Mon Mar 17 12:58 still logged in
anne ttyt4 falstaff.Concord Fri Mar 14 19:50 - 20:00 (00:10)
anne ttyf7 fp-cserv-120-241 Thu Mar 13 15:38 - 15:39 (00:00)
anne ttyab vindemiatrix.con Tue Mar 11 12:52 - 16:38 (03:46)
The second column indicates whether it was a regular login (begins with "tty"), a file transfer session ("ftp"), or in some cases an X or a SLIRP session. The third column specifies the hostname; note that Shakespearian names (Macduf, Dromio, Falstaff, etc.) at Concordia refer to our terminal servers. The rest of the information says when you logged in and logged out, and how long you stayed on.
In the first line of the example above, user "anne" logged in from the dial-in lines (Macduf-2) at 15:58 on March 18, and stayed on for two minutes.
You should check that all of the login (or ftp) sessions listed are yours. Of course you won't necessarily remember every time you logged in, but you should look out for:
Are you receiving messages which seem to be for someone else? Don't be confused by the annoying and ubiquitous advertising we all get these days; most of us get that, unless we filter our mail with procmail. But if someone is carrying on an e-mail conversation with someone else using your account, you'll probably find their messages in your mailbox.
There should be two kinds of files on your account: those you put there, and "dotfiles", which are placed there by the system or by applications which you use. If there are files which do not fit into either of those categories, someone may have used your account and left their files there.
We now have a program called "filecheck" which will give you an annotated listing of your files, and will help you figure out which ones are legitimate and which are not. Please run it regularly, by typing "!filecheck.more" from the menushell. More information is available in the filecheck manpage.
One file which is particularly sensitive is the .rhosts file; in most cases there should be no such file on your account. If you put one there, be sure you know exactly what you are doing!
Another interesting file is .history, which contains a list of non-menushell commands issued on your account. If the .history file contains commands which you did not emit, then it is likely that someone else has used your account. Conversely, if you have been using shell commands, but your history file is missing or empty, it is possible that an intruder has deleted it to hide her tracks.
The command:
ps x
will show what processes are running on your account. Your output might look something like:
PID TTY S TIME CMD
13774 ?? S 0:00.01 sleep 600
13250 ttyu4 S 0:00.17 -tcsh (tcsh)
In the output above, the user has two processes: the current shell, "tcsh", running on the current terminal, "ttyu4", and a backgrounded job, "sleep", running without a terminal ("??"). You can find out your current terminal by typing the command
tty
which in the above case returned
/dev/ttyu4
If you have only one login session on Alcor, then all of your processes should be attached to the same "terminal", as shown by "tty". If there are any processes there which you are not responsible for, you should kill them. You should also wonder who started them.
A word about starting processes: the system can start a process for you when instructed to do so by batch, at, or crontab. Check that no one else set any cronjobs on your account by using the command:
crontab -l
If you have no cronjobs, you will see "crontab: can't open your crontab file"; if there are cronjobs, you will see a list of them.
Similarly, check your "at" and "batch" jobs with the atq command, whose output will be empty if you have no pending jobs, and will look like this if you do:
my_username.866573108.b Tue Jun 17 14:45:08 1997
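The checks above can be scripted so that the sweep is quick and repeatable. The script below is an added example, not part of the original Alcor page: it reads saved or constructed "last" and "ps x" output on standard input, flags logins from hosts you do not recognise and processes not attached to your terminal, and warns about a .rhosts file or an empty .history. The KNOWN_HOSTS list, the function names and the sample output (reformatted from the examples in the text) are all assumptions for the demonstration; edit KNOWN_HOSTS to match your own habits before using it on a real account.

```shell
#!/bin/sh
# Account-sweep helper: an added example, not part of the original Alcor page.
# Each check reads saved or constructed command output from stdin, so the same
# functions work on live output ("last $USER | unfamiliar_logins $USER") and on
# the constructed samples below.

# Hosts you normally log in from (assumption: edit this to match your own habits).
# `last` truncates hostnames to 16 characters, so list them as `last` prints them.
KNOWN_HOSTS="Macduf-2.Concord vindemiatrix.con falstaff.Concord"

# Print the terminal and host of every session for USER whose host is not in
# KNOWN_HOSTS.  Usage: unfamiliar_logins USER < last-output
unfamiliar_logins() {
    awk -v user="$1" -v known="$KNOWN_HOSTS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # column 1 = user, 2 = tty/ftp, 3 = host; the trailing "wtmp begins" line is skipped
        $1 == user && NF >= 3 && !($3 in ok) { print $2, $3 }
    '
}

# Print PID, TTY and command of every process not attached to TTY (the terminal
# reported by `tty`, without the /dev/ prefix).  Background jobs show "??" and are
# listed too, so you can decide whether you started them.
# Usage: foreign_processes TTY < ps-x-output
foreign_processes() {
    awk -v mytty="$1" 'NR > 1 && $2 != mytty { print $1, $2, $5 }'
}

# Warn about a .rhosts file and about a missing or empty .history in HOME_DIR.
# Usage: dotfile_warnings HOME_DIR
dotfile_warnings() {
    home=$1
    [ -e "$home/.rhosts" ] && echo "WARNING: $home/.rhosts exists; remove it unless you know why it is there"
    [ -s "$home/.history" ] || echo "WARNING: $home/.history is missing or empty"
    return 0
}

# Constructed sample output, reformatted from the examples in the text above.
SAMPLE_LAST='anne ttyca Macduf-2.Concord Tue Mar 18 15:58 - 16:01 (00:02)
anne ftp newsflash.Concor Tue Mar 18 11:32 - 11:32 (00:00)
anne ttyw4 vindemiatrix.con Mon Mar 17 12:58 still logged in
anne ttyt4 falstaff.Concord Fri Mar 14 19:50 - 20:00 (00:10)
anne ttyf7 fp-cserv-120-241 Thu Mar 13 15:38 - 15:39 (00:00)
anne ttyab vindemiatrix.con Tue Mar 11 12:52 - 16:38 (03:46)
wtmp begins Sat Mar 1 00:00:01 1997'

SAMPLE_PS='PID TTY S TIME CMD
13774 ?? S 0:00.01 sleep 600
13250 ttyu4 S 0:00.17 -tcsh (tcsh)'

# Run all three checks against the constructed samples and a throwaway home directory.
sweep_demo() {
    echo "== logins from hosts not in KNOWN_HOSTS =="
    printf '%s\n' "$SAMPLE_LAST" | unfamiliar_logins anne
    echo "== processes not on ttyu4 =="
    printf '%s\n' "$SAMPLE_PS" | foreign_processes ttyu4
    echo "== dotfile warnings =="
    demo_home=$(mktemp -d)
    touch "$demo_home/.rhosts"       # constructed: simulate a stray .rhosts file
    dotfile_warnings "$demo_home"
    rm -rf "$demo_home"
}

sweep_demo
```

On a live account you would replace the samples with real output, for example "last my_username | unfamiliar_logins my_username" and "ps x | foreign_processes $(tty | sed 's,^/dev/,,')", and run dotfile_warnings on $HOME. The ftp session from newsflash and the ttyf7 login from fp-cserv-120-241 are the two that the sample KNOWN_HOSTS list does not cover, and the only process it reports is the backgrounded sleep job, which is exactly the set a manual reading of the text's examples would single out.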
If you find evidence of activity on your account which you think may indicate that someone else has been using it, secure your account:
Because we have so many Alcor users, we're not going to ask that you report every possible instance of suspicious activity on your account. However, if it happens again after you've secured your account as above, or if you have clear evidence of malicious activity (cronjobs installed, for example), then please change your password, don't touch anything else, and send e-mail immediately to root@alcor.
Copyright © 2003, Concordia University (IITS).