Possible compromise?
Eric Anderson
anderson at centtech.com
Tue Jan 27 12:33:56 PST 2004
Peter Rosa wrote:
[..snip..]
>
> Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read
> some connects from remote machines to ttyp0 and ttyp1. It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about /var/log/lastlog file.
>
> Maybe those lines were added in the deep past, when the machine was open.
> But maybe it was done in the few previous days...
>
> I know, if my machine was compromised, it is impossible to believe in
> anything on that machine (also kernel, sources). So, are there some other
> ways to get information about connection dates?
Possibly man lastlog will help, but the 'last' command is what you want.
Is bsdsar running on that machine? You could look back and see what
processes were running, and maybe some other things...
Eric
--
------------------------------------------------------------------
Eric Anderson Sr. Systems Administrator Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------
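The reason `cat` shows tty and host names but no dates is that lastlog is not a text log: it is an array of fixed-size binary records, one slot per UID, and the login time is stored as a raw time_t. The parser below is an added example, not code from the thread; it assumes the FreeBSD 4-era <utmp.h> layout (time_t of 4 bytes, ll_line of 8 bytes, ll_host of 16 bytes, little-endian i386) and walks a constructed sample file. On a machine suspected of compromise the output is only a lead to cross-check against wtmp (`last`) and any bsdsar history, since the file itself can have been edited.

```python
import struct
from datetime import datetime, timezone

# Assumed FreeBSD 4.x <utmp.h> layout (i386, 32-bit time_t):
#   struct lastlog { time_t ll_time; char ll_line[8]; char ll_host[16]; };
# The file is indexed by UID: record for uid N starts at N * RECORD_SIZE.
LASTLOG_FMT = "<i8s16s"
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)  # 28 bytes per slot


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_lastlog(data: bytes):
    """Yield (uid, login_time_utc, line, host) for every used slot."""
    for uid in range(len(data) // RECORD_SIZE):
        chunk = data[uid * RECORD_SIZE:(uid + 1) * RECORD_SIZE]
        ll_time, ll_line, ll_host = struct.unpack(LASTLOG_FMT, chunk)
        if ll_time == 0:
            continue  # all-zero slot: this UID has never logged in
        yield (uid,
               datetime.fromtimestamp(ll_time, tz=timezone.utc),
               _cstr(ll_line), _cstr(ll_host))


def make_record(ll_time: int, line: str, host: str) -> bytes:
    """Build one lastlog slot; struct.pack NUL-pads the string fields."""
    return struct.pack(LASTLOG_FMT, ll_time, line.encode(), host.encode())


# Constructed sample file: UIDs 0..1000 never logged in, UID 1001 came in
# on ttyp0 and UID 1002 on ttyp1 from remote hosts (documentation addresses).
SAMPLE = (make_record(0, "", "") * 1001
          + make_record(1074000000, "ttyp0", "192.0.2.10")
          + make_record(1075000000, "ttyp1", "198.51.100.7"))


def logins(data: bytes = SAMPLE):
    """Return the decoded records of a lastlog image as a list."""
    return list(parse_lastlog(data))


if __name__ == "__main__":
    for uid, when, line, host in logins():
        print(f"uid {uid:5d}  {when:%Y-%m-%d %H:%M:%S} UTC  {line:<8} {host}")
```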