
Thread: Script to Capture IP on Unix

  1. #1
    Senior Member (Join Date: Jan 2003, Posts: 120)

    Script to Capture IP on Unix

    Is there any script or program I can run every time someone logs into my shell account that will record their IP to a log file? Thanks for any help. My current default shell is tcsh, if that helps any.

  2. #2
    AO übergeek phishphreek (Join Date: Jan 2002, Posts: 4,325)
    Why would you want to do that?
    Why not just pull it from your firewall logs or your router logs?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Antionline Herpetologist (Join Date: Aug 2001, Posts: 1,165)
    Add the following line to your .tcshrc file:
    /sbin/ifconfig eth0 >> iplog.txt
    If that doesn't work try:
    su -c "/sbin/ifconfig eth0 >> iplog.txt"
    Note that in the second case, you'll have to type in the root password every time you log in. If you don't want to do that, just add yourself to group root and do a "chmod 770 /sbin/ifconfig" as root. You might also have to run a "chmod 770 /sbin".
    Please note that by changing the permissions on your sbin directory you are automatically making your system less secure.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Senior Member (Join Date: Jan 2003, Posts: 120)
    phishphreek80-

    I don't own the system; it's just a shell account, and I think someone besides me is logging in because some weird log files are showing up. I know root on this computer pretty well and I don't think he would put files named ".keelog" in my home directory. What's funnier about ".keelog" is that if it is a keylogger file it doesn't seem to work, because it is never written to. Thanks a million for all your help.

  5. #5
    Senior Member (Join Date: Oct 2001, Posts: 638)
    Add the following line to your .tcshrc file:
    quote:

    /sbin/ifconfig eth0 >> iplog.txt

    If that doesn't work try:
    quote:

    su -c "/sbin/ifconfig eth0 >> iplog.txt"

    Note that in the second case, you'll have to type in the root password every time you log in. If you don't want to do that, just add yourself to group root and do a "chmod 770 /sbin/ifconfig" as root. You might also have to run a "chmod 770 /sbin".
    Please note that by changing the permissions on your sbin directory you are automatically making your system less secure.
    Cheers,
    cgkanchi
    This isn't correct. ifconfig allows you to see the IP addresses each interface is using on the local machine.

    If you want to see who's been logging into your account, log in and type: last. For more info see man last.

    Of course this might not tell you anything. If someone has hacked your account, they might have messed with wtmp to get rid of their tracks. Talk to the sysadmin if you really want to figure out what's going on.
    OpenBSD - The proactively secure operating system.

  6. #6
    Antionline Herpetologist (Join Date: Aug 2001, Posts: 1,165)
    Whoops! I misunderstood the question. Sorry about that.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #7
    Antionline's Security Dude instronics (Join Date: Dec 2002, Posts: 901)
    Hi.
    A way could be to type in :

    date ; w

    That will give you the date, time, and who is logged on at this time.

    To put that to a file, type in:

    (date ; w) > mylog

    That will save the information to a file called mylog.

    You could add this to your crons, so it runs every minute, hour, day, week, whatever you prefer. Although this solution will not activate the moment someone logs on. It will just tell you the information whenever this command is issued. Try this and tell me if it's a solution for you. Make this command into a small shell script, or just give it an alias.

    Another solution would be to use the command grep within your /var/log/messages. As I see you don't have root privileges, so ask your admin (since you claim to know him) to allow you to sudo a :

    tail -f /var/log/messages

    (for more information on sudo go here)

    If you can get a sudo for tailing the /var/log/messages, then write a small script like:

    #!/bin/sh
    #
    # /usr/local/bin/alarm
    #
    # backticks (command substitution), not single quotes, which would
    # store the literal text instead of the date
    TIMESTAMP=`date +"%C%y%m%d%H%M"`
    # -q: only grep's exit status is needed here, not the matching lines
    if grep -q sshd /var/log/messages;
    then
    # record the date, who is logged on, and the sshd lines that triggered this
    (date ; w ; grep sshd /var/log/messages) >> /home/youraccount/mylog
    # keep a timestamped copy, then empty the original (needs root) so the next
    # run only sees new entries; "cp a b > a" would truncate a before cp ran
    cp /var/log/messages /var/log/messages.$TIMESTAMP && : > /var/log/messages
    fi
    #EOF

    So every time someone uses ssh to connect to your box, that script will look for the term sshd and run the date ; w commands saving it to /home/youraccount/mylog. The sshd is only the example if he logs in using the ssh client. You could write several scripts like that, one for sshd, one for ftpd (depending on what services the computer offers to connect to) etc...
    You will still have to add this script to the crons, so it runs every minute.

    Also learn your shell basics. With your shell, you can do so many things, almost anything. It's better than using 3rd party programs.

    Good luck.


    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
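    An added example, not instronics's script nor anything else from the thread: a sh function that reports sshd "Accepted" lines appended to a syslog-style file since the previous run. It keeps a small state file with the number of lines already examined instead of copying and emptying /var/log/messages, so it needs only read access to the log (the sudo-for-tail arrangement above is enough) and leaves the system log intact for the admin. The file names, the "run"/"demo" arguments and the sshd sample lines in demo are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not the thread's /usr/local/bin/alarm script.
# Report sshd "Accepted" lines appended to a syslog-style file since the last
# run. A state file holds the number of lines already examined, so the system
# log is never copied or truncated and no write access to it is needed.
#
# record_new_logins LOGFILE STATEFILE OUTFILE
#   appends "<timestamp> <log line>" for each new match to OUTFILE and prints
#   how many new matches were found.
record_new_logins() {
    log=$1; state=$2; out=$3
    seen=0
    [ -f "$state" ] && seen=$(cat "$state")
    total=$(wc -l < "$log")
    total=$((total + 0))                 # normalise BSD wc's padded output
    if [ "$total" -lt "$seen" ]; then    # log was rotated: rescan from the top
        seen=0
    fi
    stamp=$(date +"%C%y%m%d%H%M")        # same format as the script above
    # lines after the ones already seen, filtered for successful sshd logins
    new=$(tail -n +$((seen + 1)) "$log" | grep 'sshd.*Accepted' || true)
    count=0
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | while IFS= read -r line; do
            printf '%s %s\n' "$stamp" "$line" >> "$out"
        done
        count=$(printf '%s\n' "$new" | wc -l)
        count=$((count + 0))
    fi
    echo "$total" > "$state"
    echo "$count"
}

# Demo on constructed sample lines (not real log data): the second run only
# reports the line appended between the two runs.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/messages" <<'EOF'
Jan 10 12:34:56 shellbox sshd[1234]: Accepted password for alice from 198.51.100.7 port 51234 ssh2
Jan 10 12:35:10 shellbox sshd[1235]: Failed password for alice from 203.0.113.9 port 51240 ssh2
EOF
    echo "first run, new logins: $(record_new_logins "$dir/messages" "$dir/state" "$dir/mylog")"
    echo 'Jan 10 12:40:02 shellbox sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 51300 ssh2' >> "$dir/messages"
    echo "second run, new logins: $(record_new_logins "$dir/messages" "$dir/state" "$dir/mylog")"
    cat "$dir/mylog"
    rm -rf "$dir"
}

# "alarm.sh demo" runs the demo; from cron, call for example
#   alarm.sh run /var/log/messages $HOME/.alarm_state $HOME/mylog
case "${1-}" in
    demo) demo ;;
    run)  record_new_logins "$2" "$3" "$4" ;;
esac
```

    Run it from cron every minute as the thread suggests; because the state file only advances, a login is reported once, and a rotated (shorter) log is simply rescanned from the top. The matched sshd line already carries the remote address the original question asked for.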

  8. #8
    Senior Member (Join Date: Jan 2003, Posts: 120)
    Hey, thanks a lot, you guys are some damn smart mofos. lol. I just got one more question: what do the percent signs mean in this part of the shell script, "%C%y%m%d%H%M"? Are they spaces, or does it stand for modulus like in Java?

  9. #9
    Jaded Network Admin nebulus200 (Join Date: Jun 2002, Posts: 1,356)
    Ok, smart thing to do:

    1) contact the admin of the box. There are potentially very serious consequences that the administrator should know about.

    2) Let the administrator hunt it down. Easiest thing to do from your end would be to use the 'last' command to see when people logged in.

    Now, if you can't do this, add this to your .rc file for your shell (maybe to .profile or .login):

    echo `who am i` | cut -f2 -d"(" | cut -f1 -d")" >> $HOME/.who

    You might have to play with the syntax a little to match your OS, but I have tested it on my system and it works fine. However, if your account has been compromised, don't be surprised if they delete the log...which is why you should have your administrator involved...

    /nebulus

    EDIT: -- OR --

    a=`who am i`
    b=`echo $a | cut -f3-5 -d" "`
    c=`echo $a | cut -f2 -d"(" | cut -f1 -d")"`
    echo "$b $c" >> $HOME/.who

    -- OR --
    echo `who am i` >> $HOME/.who

    Note: These commands assume a 'sh' or 'sh'-derivative shell.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
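    An added example, not nebulus's one-liners: a pair of POSIX sh functions that turn a line of `who am i` output into a "timestamp tty origin" record for $HOME/.who. The bare cut pipeline above writes a misleading entry when the line has no "(host)" part (a local console login) and an empty entry when `who am i` prints nothing (no controlling tty); this version names those cases explicitly. The function names, the log file and the sample `who am i` lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not nebulus's commands. Parses one line of `who am i` output
# and appends a timestamped record to a log file.
#
# Works with the classic format
#   alice    pts/3        Jan 10 12:34 (198.51.100.7)
# and the newer one
#   alice    pts/3        2003-01-10 12:34 (198.51.100.7)

# parse_who_line LINE -> prints "tty origin"; origin is "local" when no
# "(host)" is shown, and "notty unknown" is printed for an empty line.
parse_who_line() {
    line=$1
    if [ -z "$line" ]; then
        echo "notty unknown"
        return 0
    fi
    set -- $line                         # split into user, tty, date/time, (host)
    tty=$2
    case "$line" in
        *\(*\)*) origin=${line##*\(}; origin=${origin%%\)*} ;;
        *)       origin=local ;;
    esac
    echo "$tty $origin"
}

# record_login LOGFILE [LINE] -> appends "YYYYmmddHHMM tty origin" to LOGFILE.
# Without LINE it records the current session, so in .profile/.login use:
#   record_login "$HOME/.who"
record_login() {
    out=$1
    if [ $# -ge 2 ]; then
        line=$2
    else
        line=$(who am i 2>/dev/null || true)
    fi
    stamp=$(date +"%Y%m%d%H%M")
    printf '%s %s\n' "$stamp" "$(parse_who_line "$line")" >> "$out"
}
```

    As nebulus points out, whoever controls the account can delete $HOME/.who, so treat the file as a tripwire that tells you to involve the administrator, not as evidence on its own.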
