Hello,
How can I spy on a user to see what they are doing when logged in? I have a new sign-up; shell access is disabled, yet it looks as if the user is logging in to their account via an SSH shell. I don't understand how this is happening, and I want to spy on this person to see what they are typing in the shell.
I'm not 100% sure this person is logging in to their account via an SSH shell, but when I do "last" I see:
USER_IN_QUESTION pts/4 00.000.000.000 Fri Aug 18 19:37 - 19:37 (00:00)
USER_IN_QUESTION pts/4 00.000.000.000 Fri Aug 18 19:37 - 19:37 (00:00)
USER_IN_QUESTION pts/4 00.000.000.000 Fri Aug 18 19:24 - 19:24 (00:00)
root pts/0 xxxxxxxxxxx Fri Aug 18 18:34 still logged in
root pts/0 xxxxxxxxxxx Fri Aug 18 18:23 - 18:34 (00:10)
root pts/4 xxxxxxxxxxx Fri Aug 18 17:28 - 18:23 (00:55)
USER_IN_QUESTION pts/4 00.000.000.000 Fri Aug 18 14:02 - 14:02 (00:00)
USER_IN_QUESTION pts/4 00.000.000.000 Fri Aug 18 12:38 - 12:38 (00:00)
Note that I edited the user's login to USER_IN_QUESTION, removed all IP numbers to read 000.00, and changed port numbers, user ID, group ID, etc.
Also, something interesting in the logs is this:
messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION, gid=99994
secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION, uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
secure.1:60778:Aug 18 12:27:15 MACHINE sshd[888]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
I changed this IP number to all 1s (11.111) to mask the IP number and also to show that it's a different IP number. Note that it looks like the user sshed into the machine and then added a shell, but when I look in the password file the user is set to noshell. I don't know if that is a cPanel thing, adding the user and group WITH shell=/bin/bash when creating the account, or if the person did this. I guess I can check the date of the signup to see if it matches, etc.
Also, they uploaded an interesting file called nph-proxy.pl, which is in public_html/cgiproxy/nph-proxy.pl. Another file, uploaded and deleted several times, was fd_installer.pl, and there is also an interesting file in the home directory called .rnd; I don't have any idea what that file is. No other account has this file.
I took a look at the CGI proxy script, and it seems it is for browsing the Internet anonymously; however, I wonder what kind of abuse this could possibly be used for.
Anyway, I want to log "everything" this user does on the system. I don't want to delete the user without knowing for sure that the person is up to no good. So far nothing bad has happened, but I have to look into this.
Below are some of the logs. I changed the log file for security purposes so I can post this publicly. All IP numbers have been changed to 000, 111 or 222, and the user ID and machine name have been changed and are in CAPS.
Thanks in advance!
Below are some of the logs in the logs directory when I do "grep -n USER_IN_QUESTION *":
cron.1:13374:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99999]: (USER_IN_QUESTION) LIST (USER_IN_QUESTION)
cron.1:13375:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99991]: (USER_IN_QUESTION) LIST (USER_IN_QUESTION)
exim_mainlog:66406:2006-08-18 12:18:34 SOME_EXIM_ID-0007Az-RF => [email protected]_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx4.SOME_HOST.net [222.222.22.22]
exim_mainlog:66416:2006-08-18 12:20:17 SOME_EXIM_ID-0007UP-5X => [email protected]_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx1.SOME_HOST.net [222.222.22.22]
messages.1:92181:Aug 18 12:27:15 MACHINE sshd(pam_unix)[999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:92184:Aug 18 12:27:48 MACHINE sshd(pam_unix)[9999]: session closed for user USER_IN_QUESTION
messages.1:92188:Aug 18 12:31:02 MACHINE pure-ftpd: ([email protected]) [INFO] USER_IN_QUESTION is now logged in
messages.1:92189:Aug 18 12:31:02 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (82 bytes, 2.05KB/sec)
messages.1:92190:Aug 18 12:31:03 MACHINE pure-ftpd: ([email protected]) [NOTICE] Deleted fd_installer.pl
messages.1:92191:Aug 18 12:31:03 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (88 bytes, 2.19KB/sec)
messages.1:92192:Aug 18 12:31:03 MACHINE pure-ftpd: ([email protected]) [NOTICE] Deleted fd_installer.pl
messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION, gid=99994
secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION, uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
secure.1:60778:Aug 18 12:27:15 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
secure.1:60780:Aug 18 12:27:45 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
messages.1:92220:Aug 18 12:31:43 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/fd_installer.pl uploaded (2815 bytes, 35.20KB/sec)
messages.1:92221:Aug 18 12:31:44 MACHINE pure-ftpd: ([email protected]) [NOTICE] Deleted fd_installer.pl
messages.1:92222:Aug 18 12:31:45 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/nph-proxy.pl uploaded (250288 bytes, 760.75KB/sec)
messages.1:92223:Aug 18 12:31:45 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/README uploaded (39214 bytes, 224.50KB/sec)