April 1, 2011, 10:40 p.m.
posted by newmy
In the previous section, we talked about how rwho lets you see the users logged in on remote Unix machines. If you're local to a Unix box, however, you can use who, w, and last to obtain a great deal of information about the users currently logged in as well as their past login habits. (w and last are also discussed in Chapter 19.) Serious hackers will study user behavior carefully whenever possible to "blend in" as a regular user or to avoid activity during hours when root is usually logged in.
These three tools are standard on Unix systems and can help both system administrators and hackers keep an eye on user behavior. Even though these commands are only local, you might prefer to keep access to these executables restricted to root—just in case.
Simply typing who at the command line of a Unix system will list the username, terminal/tty, and login dates of all currently logged in users. You can try different command-line options to format your output differently.
jjohnson@host:~% who
gstuart   pts/0   Feb 26 01:33
wave      pts/1   Feb 24 09:21
schuster  pts/0   Feb 25 15:23
jjohnson  pts/2   Feb 26 00:37

jjohnson@host:~% who -H
USER      LINE    LOGIN-TIME     FROM
gstuart   pts/0   Feb 26 01:33
wave      pts/1   Feb 24 09:21
schuster  pts/0   Feb 25 15:23
jjohnson  pts/2   Feb 26 00:37

jjohnson@host:~% who -H -i
USER      LINE    LOGIN-TIME     IDLE    FROM
gstuart   pts/0   Feb 26 01:33   .
wave      pts/1   Feb 24 09:21   09:46
schuster  pts/0   Feb 25 15:23   .
jjohnson  pts/2   Feb 26 00:37   .

jjohnson@host:~% who -H -i -l
USER      LINE    LOGIN-TIME     IDLE    FROM
gstuart   pts/0   Feb 26 01:35   .       (192.168.1.10)
wave      pts/1   Feb 24 09:21   09:48   (10.10.4.3)
schuster  pts/0   Feb 25 15:23   .       (10.10.4.15)
jjohnson  pts/2   Feb 26 00:37   .       (192.168.1.100)

jjohnson@host:~% who -q
gstuart wave schuster jjohnson
# users=4

jjohnson@host:~% who -m
host!jjohnson  pts/2   Feb 26 00:37
Here's what's going on: -H lists the headers for each column, -i includes idle time, -l includes the host they've logged in from, -q counts only the number of users, and -m tells us information about the user that is currently using standard input (that is, you!). You can keep an eye on currently logged-in users with the who command.
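Because who prints one session per line, its output is easy to feed through awk to answer the two questions an administrator asks most often: which sessions come from outside the network I expect, and which sessions have sat idle long enough to be worth a second look. The script below is an added example, not part of the original post. It works on a constructed copy of the "who -H -i -l" listing shown above (the field layout USER LINE MON DAY TIME IDLE (HOST) is assumed to match that listing; on a live system replace WHO_SAMPLE with the output of the command itself), and the function names and the 10.10.4. "expected" prefix are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): triage `who -H -i -l` output.
# Assumed input layout, one session per line after a header:
#   USER LINE MON DAY TIME IDLE (HOST)

# Constructed sample, modelled on the listing in the post.
WHO_SAMPLE='USER LINE LOGIN-TIME IDLE FROM
gstuart pts/0 Feb 26 01:35 . (192.168.1.10)
wave pts/1 Feb 24 09:21 09:48 (10.10.4.3)
schuster pts/0 Feb 25 15:23 . (10.10.4.15)
jjohnson pts/2 Feb 26 00:37 . (192.168.1.100)'

# logins_outside PREFIX: print "user host" for every session whose source
# host does not start with PREFIX (for example, your office subnet).
logins_outside() {
    awk -v p="$1" 'NR > 1 {
        host = $NF
        gsub(/[()]/, "", host)          # strip the parentheses who adds
        if (index(host, p) != 1) print $1, host
    }'
}

# idle_longer_than MINUTES: print "user idle" for sessions idle longer than
# MINUTES. who reports idle as HH:MM, "." when active, or "old" when the
# session has been idle for more than a day.
idle_longer_than() {
    awk -v lim="$1" 'NR > 1 {
        idle = $(NF - 1)
        if (idle == ".") next
        if (idle == "old") { print $1, idle; next }
        split(idle, t, ":")
        if (t[1] * 60 + t[2] > lim) print $1, idle
    }'
}

# Usage: on a live box, replace the printf with `who -H -i -l`.
echo "Sessions from outside 10.10.4.0/24:"
printf '%s\n' "$WHO_SAMPLE" | logins_outside 10.10.4.
echo "Sessions idle for more than an hour:"
printf '%s\n' "$WHO_SAMPLE" | idle_longer_than 60
```

Piping live output through these two filters from a cron job gives a cheap, local check that complements the blend-in behavior the text warns about: a session that is active at 1:45 a.m. from an address no one in the team uses is exactly what the first filter surfaces.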
How would you like to know what each user is doing at the moment? The w command will tell you what the user is currently running from his command shell as well as uptime statistics about the system.
jjohnson@host:~% w
 1:45am  up 3 days, 12:03,  4 users,  load average: 1.55, 2.23, 2.35
USER      TTY     FROM            LOGIN@   IDLE    JCPU    PCPU   WHAT
gstuart   pts/0   192.168.1.10    1:44am   55.00s  0.04s   0.04s  ./nc -l -p 1812 -s 1
wave      pts/1   10.10.4.3       Sun 9am  9:57m   0.14s   0.11s  -bash
schuster  pts/1   10.10.4.15      Mon 3pm  9:57m   0.14s   0.11s  pine
jjohnson  pts/2   192.168.1.100   12:37am  1.00s   0.35s   0.08s  w
What about users who were logged in earlier but aren't anymore? Have you ever logged into a Unix box and it tells you the last time you logged in? If you finger a user that isn't currently logged in, the finger daemon will at least tell you the date and time of the user's last login. How does the system keep track of this information?
It uses a binary user information database to store login records. These records are stored in two structures: utmp and wtmp. The details of utmp and wtmp are complex, but the last command lets you see who's logged into the system, where they came from, and how long they stayed on. The information last can gather will go back as far as the system's wtmp database goes back.