Foil Wireless Poachers and Have Fun Doing It (Part 2)
Killing and Slaying
Last week we learned some fun ways to mess with the minds of wireless freeloaders, and introduced ourselves to some methods for finding out who is on our networks. Today we're going to learn some different ways to kick unwanted visitors off networks, and how to see exactly who is lurking on our airwaves.
Who says computer geeks are mild-mannered, non-violent wimps? Why, we have all manner of violent commands at our fingertips. Like cutter. Ph34r us!
whowatch is for monitoring logins in realtime, and kicking users off specific hosts. Suppose you're logged into the fileserver in an SSH session, and you want to see who else is logged in. Just run the whowatch command as root. You'll see an ncurses display showing a list of users:
    2 users: (1 local, 0 telnet, 0 ssh, 1 other)    load: 0.02, 0.12, 0.12
    (init) pinball tty2 -bash
    (kdm) carla :0 -
Oy, you exclaim! Pinball should not be logged into the fileserver! Pinball should not even have a login account on the fileserver! This is very bad! What shall I do?
First of all, stop panicking. Use the Up/Down arrow keys to navigate to Pinball, then hit Enter. You'll see this:
    2 users: (1 local, 0 telnet, 0 ssh, 1 other)    load: 0.12, 0.36, 0.29
    (init) pinball tty2
     6972 - /bin/login --
     6975   `- -bash
Select the line with the lowest process number by using the arrow keys, and hit Ctrl+K to kill Pinball. Then you'll see this:
    2 users: (1 local, 0 telnet, 0 ssh, 1 other)    load: 0.29, 0.34, 0.28
    (init) pinball tty2 User logged out
Ha. Take that, Pinball. The Enter key toggles between the selected user and the list of users. Press F9 to expose the top menus. Obviously you now need to figure out how an unauthorized user was able to log into your server, repair the breach, and look for rootkits or other nasties. You might even need to rebuild the whole system. But at least you found out there was an intruder, which is always a good thing to know.
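The whowatch check above is interactive. As an added example (not from the original article, and not part of whowatch), here is a report-only script that flags logins by accounts that should not be on the host and shows the lowest process number on each offending terminal. The ALLOWED list, the function names and the sample who lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report-only check for unexpected logins, suitable for cron.
# ALLOWED is a hypothetical allow-list of accounts permitted on this host.
ALLOWED="${ALLOWED:-carla root}"

# Read `who`-format lines on stdin; print "user tty" for every session
# whose user is not in the allow-list.
unexpected_logins() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 && !($1 in ok) { print $1, $2 }
    '
}

# Print the lowest PID attached to a terminal: the process number the
# article selects in whowatch. Heuristic only (PIDs can wrap around);
# prints nothing if the terminal has no processes or ps is unavailable.
lowest_pid_on_tty() {
    ps -t "$1" -o pid= 2>/dev/null | sort -n | head -n 1 | tr -d ' '
}

# Constructed sample in `who` format, mirroring the two users in the article.
sample_who() {
    cat <<'EOF'
pinball  tty2         2006-03-01 10:14
carla    :0           2006-03-01 09:02
EOF
}

# Turn `who` lines on stdin into one report line per unexpected session.
report() {
    unexpected_logins | while read -r user tty; do
        pid=$(lowest_pid_on_tty "$tty")
        echo "unexpected login: $user on $tty (lowest pid: ${pid:-unknown})"
    done
}

# Live use on a real host:  who | report
# Offline demo on the constructed sample:
sample_who | report
```

A hit from this script is a starting point for the investigation described above, not a substitute for it.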