Possible compromise ?
Peter Rosa
prosa at pro.sk
Tue Jan 27 12:58:59 PST 2004
OK, tried, but all four wtmp files are clean (they are wtmp, wtmp.0....wtmp.3
in /var/log).
The only place where those connections are mentioned is the lastlog file.
PR
----- Original Message -----
From: "Eric Anderson" <anderson at centtech.com>
To: "Peter Rosa" <prosa at pro.sk>
Cc: "security at FreeBSD" <freebsd-security at freebsd.org>
Sent: Tuesday, January 27, 2004 9:47 PM
Subject: Re: Possible compromise ?
> Peter Rosa wrote:
> > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and got what is in
> > the attachment.
> > Unreadable chaos, bad dates. Maybe lastlog does not have the exact structure for
> > last, does it?
> >
> > PR
> >
> >
> > ------------------------------------------------------------------------
> >
> > ttyp2 067.mbne Thu Jan 1 01:00 - 08:08 (9012+06:08)
> > m@ttyv0 Thu Jan 1 01:00 still logged in
> > 0 hö&=ttyp 160- Thu Jan 1 01:00 still logged in
> > 0 d¶Ñ?ttyv Thu Jan 1 01:00 still logged in
> >
> > wtmp begins Thu Jan 1 01:00:00 CET 1970
>
> lastlog needs wtmp, so you should do:
>
> last -f /var/log/wtmp
> which is the default action if you just run last with no arguments.
>
> Eric
>
>
>
> --
> ------------------------------------------------------------------
> Eric Anderson Sr. Systems Administrator Centaur Technology
> Today is the tomorrow you worried about yesterday.
> ------------------------------------------------------------------
>