Possible compromise ?

[Mark Ogden]

Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote:
> OK, sorry for unclear previous message.
> 
> In the past, one man teached me the FreeBSD basics and also installed my
> gateway. In that time, I was not able to install and setup FreeBSD by
> myself. He left there some holes - e.g. open virtual consoles, unset
> firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD
> and I tried to setup my own firewall, install and setup some programs (with
> big help of this and Questions lists, manpages and other books).
> 
> When I tried to setup more security on that system, except other things, I
> disabled all virtual tty's, because there is no need to connect to this
> machine remotelly (it's located 5 steps from my desk). In the past, that man
> connected to my system remotely from various IPs.
> 
> Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read
> some connects from remote machines to ttyp0 and ttyp1. 

take a look at the /var/log/auth.log, it will show you everyone that
remote connected and was denied.

-Mark

>It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about /var/log/lastlog file.
> 
> May be, that lines was added in the deep past, when the machine was open.
> But may be, it was done in few previous days...
> 
> I know, if my machine was compromised, it is impossible to believe in
> anything on that machine (also kernel, sources). So, are there some other
> ways to get information about connection dates?
> 
> Peter Rosa
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"