Script to Capture IP on UNix
Results 1 to 9 of 9

Thread: Script to Capture IP on UNix

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    120

    Question Script to Capture IP on UNix

    Is there any script or program I can run every time someone logs into my shell account that will record there IP to a log file. Thanks for any help. My current default shell is tcsh is that helps any.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Why would you want to do that?
    Why not just pull it from your firewall logs or your router logs?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Add the following line to your .tcshrc file:
    /sbin/ifconfig /dev/eth0 >> iplog.txt
    If that doesn't work try:
    su -c "/sbin/ifconfig /dev/eth0 >> iplog.txt"
    Note that in the second case, you'll have to type in the root password every time you log in. If you don't want to do that, just and yourself to group root and do a "chmod 770 /sbin/ifconfig" as root. You might also have to run a "chmod 770 /sbin".
    Please note that by changing the permissions on your sbin directory you are automatically making your system less secure.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    120
    phishphreek80-

    I dont own the system its just a shell account and i think someone besides me is logging in b/c some weird log files are showing up. I know root on this comp pretty well and i dont think he would be put files named ".keelog" in my home directory. wuts funnier about ".keelog" is if it is a keylogger file it doesnt seem to work b/c it is never written to. Thanks a million for all your help.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    Add the following line to your .tcshrc file:
    quote:

    /sbin/ifconfig /dev/eth0 >> iplog.txt


    If that doesn't work try:
    quote:

    su -c "/sbin/ifconfig /dev/eth0 >> iplog.txt"


    Note that in the second case, you'll have to type in the root password every time you log in. If you don't want to do that, just and yourself to group root and do a "chmod 770 /sbin/ifconfig" as root. You might also have to run a "chmod 770 /sbin".
    Please note that by changing the permissions on your sbin directory you are automatically making your system less secure.
    Cheers,
    cgkanchi
    This isn't correct. ifconfig allows you to see the IP addresses each interface is using on the local machine.

    If you want to see who's been logging into your account, log in and type: last. For more info see man last.

    Of course this might not tell you anything. If someone has hacked your account, they might have messed with wtmp to get rid of their tracks. Talk to the sysadmin if you really want to figure out what's going on.
    OpenBSD - The proactively secure operating system.

  6. #6
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Whoops! I misunderstood the question. Sorry about that.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #7
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hi.
    A way could be to type in :

    date ; w

    That will give you the date, time, and who is logged on at this time.

    To put that to a file, type in:

    (date ; w) > mylog

    That will save the information to a file called mylog.

    You could add this to your crons, so it runs this every minute, hour, day, week, whatever you prefer. Although this solution will not activate the moment someone logs on. It will just tell you the information whenever this command is issued. Try this and tell me if its a solution for you. Make this command into a small shell script, or just give it an alias.

    Another solution would be to use the command grep within your /var/log/messages. As i see you dont have root priveleges, so ask your admin (since you claim to know him) to allow you to sudo a :

    tail -f /var/log/messages

    (for more information on sudo go here

    If you can get a sudo for tailing the var/log/messages, then write a small script like:

    #!/bin/sh
    #
    # /usr/local/bin/alarm
    #
    TIMESTAMP='date +"%C%y%m%d%H%M"'
    if grep sshd /var/log/messages;
    then
    grep sshd /var/log/messages | (date ; w) > /home/youraccount/mylog
    cp /var/log/messages /var/log/messages.$TIMESTAMP > /var/log/messages
    fi
    #EOF

    So every time someone uses ssh to connect to your box, that script will look for the term sshd and run the date ; w commands saving it to /home/youraccount/mylog. The sshd is only the example if he logs in using the ssh client. You could write several scripts like that, one for sshd, one for ftpd (depending on what services the computers offers to connect to) etc...
    You will still have to add this script to the crons, so it runs every minute.

    Also learn you shell basics. With your shell, you can do so many things, almost anything. Its better than using 3rd party programs.

    Good luck.


    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    120
    Hey thanks alot you guys are some damn smart mofos. lol .I jes got one more question what do the percent signs mean in this part of the shell script. "%C%y%m%d%H%M" are they spaces or does it stand for modulus like in java.

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ok, smart thing to do:

    1) contact the admin of the box. There are potentially very serious consequences that the administrator should know about.

    2) Let the administrator hunt it down. Easiest thing to do from your end would be to use the 'last' command to see when people logged in.

    Now, if you can't do this, add this to your .rc file for your shell (maybe to .profile or .login):

    echo `who am i` | cut -f2 -d"(" | cut -f1 -d")" >> $HOME/.who

    You might have to play with the syntax a little to match your OS, but I have tested it on my system and it works fine. However, if your account has been compromised, don't be surpised if they delete the log...which is why you should have your administrator involved...

    /nebulus

    EDIT: -- OR --

    a=`who am i`
    b=`echo $b | cut -f3-5 -d" "`
    c=`echo $a | cut -f2 -d"(" | cut -f1 -d")"`
    echo "$b $c" >> $HOME/.who

    -- OR --
    echo `who am i` >> $HOME/.who

    Note: These commands assume a 'sh' or 'sh' derivative shell.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •