Previous Section  < Day Day Up >  Next Section

Reviewing Log Files

You should also peruse your log files when you are looking for signs of trouble. The Windows log files can be found under Event Viewer in Administrative Tools. Under Linux and BSD-variant UNIX, log files are found in the /var/log/ directory. Other UNIX variants may have these files also though their location may be different. Table 11.2 lists the major Unix log files and their functions.

Table 11.2. UNIX Log Files

Log Files



Stores general system messages.


Stores authentication and security messages.


Stores a history of past logins and logouts.


Stores a dynamic list of who is currently logged in.


For Linux only. Stores any failed or bad logins.

These files may be located in a slightly different location or may not exist on other versions of UNIX. Also, programs often create their own log files, which may be kept in the /var directory. You can use a text editor to view these files and search for certain text strings or number (such as IP addresses and user names).

Table 11.3 lists several operating system-level commands you can use on Linux and UNIX systems to scan these files quickly.

Table 11.3. Linux and UNIX Scanning Commands




Shows the users currently on the system from the utmp file.


Shows users on the system with details such as where they logged in from (local or remote), IP address if they logged in remotely, and what commands they are executing. This command is highly useful for catching intruders in the act.


Shows the most recent contents of the wtmp file. This can also be quite useful in seeing who is logging onto your system, at what hours, and for how long. Listing 11.4 shows an example of this output.


For Linux only. This does the same thing as last but for btmp, the bad login log file. This can be the first place an intruder shows up with multiple failed login attempts.

Listing 11.4. Output from the last command

tony    pts/0    Sun Sep  5 23:06  still logged in

tony    pts/0    Sun Sep  5 22:44 - 23:04  (00:20)

tony    pts/0    Sun Sep  5 21:08 - 21:16  (00:07)

tony    pts/0    Sun Sep  5 20:20 - 20:36  (00:16)

reboot  system boot 2.4.18-14   Sun Sep  5 17:32 (05:34)

tony    tty1                    Sun Sep  5 17:29 - down(00:01)

tony    pts/2    Sat Sep  4 23:02 - 23:34 (00:32)

tony    pts/2    Sat Sep  4 22:36 - 22:36 (00:00)

hank    pts/0  Sat Sep  4 12:13 - 12:22 (00:08)

hank    pts/0     adsl-66-141-23-1 Fri Sep  3 23:53 - 23:53(00:00)

hank    pts/0    Fri Sep  3 14:47 - 14:47(00:00)

tony    pts/3    Fri Sep  3 09:59 - down (00:01)

larry   pts/3     adsl-65-67-132-2 Thu Sep  2 22:59 - 23:11(00:12)

tony    pts/3    Thu Sep  2 21:33 - 21:49  (00:16)

brian   pts/3     adsl-65-68-90-12 Thu Sep  2 18:23 - 18:31(00:07)

hank    pts/5    Thu Sep  2 14:29 - 15:35 (01:06)

sam     pts/      dialup-207-218-2 Wed Sep  1 22:24 - 00:40(02:16)

Keep in mind that if your system has been compromised, these programs may have been replaced with trojanized copies. A program like Tripwire (see Chapter 7) can help you determine if your system binaries have been tampered with. You should make known good copies of these binary files so you can execute from secure boot media instead of using the ones on the system. Also, remember that attackers will often selectively edit your log files to remove any trace of their actions. However, if they simply delete the log file, you may be able to recover it. You should also check all the log files as some neophytes only delete some of them.

    Previous Section  < Day Day Up >  Next Section