Versions of the popular program 'screen' allow users to cloak themselves out of wtmp/utmp and appear to not be logged on.
Cloak yourself from finger/wtmp/utmp etc. using screen
Those running screen 3.7.4 and probably earlier, maybe later
7 January 1998
I consider it a good thing when people send me bugs. Also, note that you can effect the same sort of thing as this by running 'xterm -ut' and then logging off
Date: Wed, 7 Jan 1998 02:25:10 -0800 (PST)
From: Taz <email@example.com>
Subject: screen, etc
This evening I was checking out your web site and noticed that you
didn't have the screen bug listed so let me give you a brief overview just
in case you havent heard of it.
If screen is installed setuid like its supposed to be, then any
normal user can execute 'screen -ln' and they become cloaked. They are
temporarily removed from wtmp/utmp. From here you can execute any command
you want without fear of being seen in w/finger/who, etc. When your done
doing your secret commands, exit screen and you reappear in utmp/wtmp.
This bug is still present in 3.7.4 which is the distributed
widely with the latest versions of FreeBSD so I would say its a problem.
[ cut ]
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: