Reviewing Log Files
You should also peruse your log files when you are looking for signs of trouble. The Windows log files can be found under Event Viewer in Administrative Tools. Under Linux and BSD-variant UNIX, log files are found in the /var/log/ directory. Other UNIX variants may have these files also though their location may be different. Table 11.2 lists the major Unix log files and their functions.
Table 11.2. UNIX Log Files
Stores general system messages.
Stores authentication and security messages.
Stores a history of past logins and logouts.
Stores a dynamic list of who is currently logged in.
For Linux only. Stores any failed or bad logins.
These files may be located in a slightly different location or may not exist on other versions of UNIX. Also, programs often create their own log files, which may be kept in the /var directory. You can use a text editor to view these files and search for certain text strings or number (such as IP addresses and user names).
Table 11.3 lists several operating system-level commands you can use on Linux and UNIX systems to scan these files quickly.
Table 11.3. Linux and UNIX Scanning Commands
Shows the users currently on the system from the utmp file.
Shows users on the system with details such as where they logged in from (local or remote), IP address if they logged in remotely, and what commands they are executing. This command is highly useful for catching intruders in the act.
Shows the most recent contents of the wtmp file. This can also be quite useful in seeing who is logging onto your system, at what hours, and for how long. Listing 11.4 shows an example of this output.
For Linux only. This does the same thing as last but for btmp, the bad login log file. This can be the first place an intruder shows up with multiple failed login attempts.
Listing 11.4. Output from the last command
tony pts/0 10.1.1.1 Sun Sep 5 23:06 still logged in
tony pts/0 10.1.1.1 Sun Sep 5 22:44 - 23:04 (00:20)
tony pts/0 10.1.1.1 Sun Sep 5 21:08 - 21:16 (00:07)
tony pts/0 10.1.1.1 Sun Sep 5 20:20 - 20:36 (00:16)
reboot system boot 2.4.18-14 Sun Sep 5 17:32 (05:34)
tony tty1 Sun Sep 5 17:29 - down(00:01)
tony pts/2 10.1.1.1 Sat Sep 4 23:02 - 23:34 (00:32)
tony pts/2 10.1.1.1 Sat Sep 4 22:36 - 22:36 (00:00)
hank pts/0 10.1.1.200 Sat Sep 4 12:13 - 12:22 (00:08)
hank pts/0 adsl-66-141-23-1 Fri Sep 3 23:53 - 23:53(00:00)
hank pts/0 192.168.1.100 Fri Sep 3 14:47 - 14:47(00:00)
tony pts/3 192.168.1.139 Fri Sep 3 09:59 - down (00:01)
larry pts/3 adsl-65-67-132-2 Thu Sep 2 22:59 - 23:11(00:12)
tony pts/3 10.1.1.1 Thu Sep 2 21:33 - 21:49 (00:16)
brian pts/3 adsl-65-68-90-12 Thu Sep 2 18:23 - 18:31(00:07)
hank pts/5 192.168.1.139 Thu Sep 2 14:29 - 15:35 (01:06)
sam pts/ dialup-207-218-2 Wed Sep 1 22:24 - 00:40(02:16)
Keep in mind that if your system has been compromised, these programs may have been replaced with trojanized copies. A program like Tripwire (see Chapter 7) can help you determine if your system binaries have been tampered with. You should make known good copies of these binary files so you can execute from secure boot media instead of using the ones on the system. Also, remember that attackers will often selectively edit your log files to remove any trace of their actions. However, if they simply delete the log file, you may be able to recover it. You should also check all the log files as some neophytes only delete some of them.