WHO, W, AND LAST

In the previous section, we talked about how rwho lets you see the users logged in on remote Unix machines. If you're local to a Unix box, however, you can use who, w, and last to obtain a great deal of information about the users currently logged in as well as their past login habits. (w and last are also discussed in Chapter 19.) Serious hackers will study user behavior carefully whenever possible, either to "blend in" as a regular user or to avoid activity during the hours when root is usually logged in.

These three tools are standard on Unix systems and can help both system administrators and hackers keep an eye on user behavior. Even though these commands are only local, you might prefer to keep access to these executables restricted to root—just in case.

who

Simply typing who at the command line of a Unix system lists the username, terminal/tty, and login date of every currently logged-in user. Different command-line options format the output differently.

jjohnson@host:~% who
gstuart  pts/0    Feb 26 01:33
wave     pts/1    Feb 24 09:21
schuster pts/0    Feb 25 15:23
jjohnson pts/2    Feb 26 00:37
jjohnson@host:~% who -H
USER     LINE     LOGIN-TIME   FROM
gstuart  pts/0    Feb 26 01:33
wave     pts/1    Feb 24 09:21
schuster pts/0    Feb 25 15:23
jjohnson pts/2    Feb 26 00:37
jjohnson@host:~% who -H -i
USER     LINE     LOGIN-TIME   IDLE  FROM
gstuart  pts/0    Feb 26 01:33    .
wave     pts/1    Feb 24 09:21 09:46
schuster pts/0    Feb 25 15:23    .
jjohnson pts/2    Feb 26 00:37    .
jjohnson@host:~% who -H -i -l
USER     LINE     LOGIN-TIME   IDLE  FROM
gstuart  pts/0    Feb 26 01:35   .   (192.168.1.10)
wave     pts/1    Feb 24 09:21 09:48 (10.10.4.3)
schuster pts/0    Feb 25 15:23   .   (10.10.4.15)
jjohnson pts/2    Feb 26 00:37   .   (192.168.1.100)
jjohnson@host:~% who -q
gstuart wave schuster jjohnson
# users=4
jjohnson@host:~% who -m
host!jjohnson pts/2    Feb 26 00:37

Here's what's going on: -H prints a header for each column, -i includes idle time, -l includes the host each user logged in from, -q gives a quick list of usernames followed by a count, and -m shows only the user currently attached to standard input (that is, you!). The who command is a simple way to keep an eye on who is logged in right now.

w

How would you like to know what each user is doing at the moment? The w command will tell you what the user is currently running from his command shell as well as uptime statistics about the system.

jjohnson@host:~% w
  1:45am  up 3 days, 12:03,  4 users,  load average: 1.55, 2.23, 2.35
USER     TTY      FROM             LOGIN@   IDLE    JCPU   PCPU    WHAT
gstuart  pts/0    192.168.1.10     1:44am   55.00s  0.04s  0.04s  ./nc -l -p 1812 -s 1
wave     pts/1    10.10.4.3        Sun 9am  9:57m   0.14s  0.11s  -bash
schuster pts/1    10.10.4.15       Mon 3pm  9:57m   0.14s  0.11s  pine
jjohnson pts/2    192.168.1.100    12:37am  1.00s   0.35s  0.08s  w

last

What about users who were logged in earlier but aren't anymore? Have you ever logged into a Unix box and had it tell you the last time you logged in? If you finger a user who isn't currently logged in, the finger daemon will at least tell you the date and time of that user's last login. How does the system keep track of this information?

It uses a binary user information database to store login records. These records are stored in two structures: utmp and wtmp. The details of utmp and wtmp are complex, but the last command lets you see who's logged into the system, where they came from, and how long they stayed on. The information last can gather will go back as far as the system's wtmp database goes back.
