Possible compromise ?

Peter Rosa prosa at pro.sk
Tue Jan 27 12:58:59 PST 2004


OK, tried, but all four wtmp files are clean (they are wtmp, wtmp.0 ... wtmp.3
in /var/log).
The only place where those connections are mentioned is the lastlog file.

PR


----- Original Message ----- 
From: "Eric Anderson" <anderson at centtech.com>
To: "Peter Rosa" <prosa at pro.sk>
Cc: "security at FreeBSD" <freebsd-security at freebsd.org>
Sent: Tuesday, January 27, 2004 9:47 PM
Subject: Re: Possible compromise ?


> Peter Rosa wrote:
> > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and got what is in
> > the attachment.
> > Unreadable chaos, bad dates. Maybe lastlog does not have the exact
> > structure for last, does it?
> >
> > PR
> >
> >
> > ------------------------------------------------------------------------
> >
> > ttyp2                     067.mbne         Thu Jan  1 01:00 - 08:08 (9012+06:08)
> > m@ttyv0                                  Thu Jan  1 01:00   still logged in
> > 0                hö&=ttyp 160-             Thu Jan  1 01:00   still logged in
> > 0                d¶Ñ?ttyv                  Thu Jan  1 01:00   still logged in
> >
> > wtmp begins Thu Jan  1 01:00:00 CET 1970
>
> lastlog needs wtmp, so you should do:
>
> last -f /var/log/wtmp
> which is the default action if you just run last with no arguments.
>
> Eric
>
>
>
> -- 
> ------------------------------------------------------------------
> Eric Anderson     Sr. Systems Administrator    Centaur Technology
> Today is the tomorrow you worried about yesterday.
> ------------------------------------------------------------------
>
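
Added example, not part of the original messages: a small offline parser for a lastlog file, plus the same bytes decoded with the wtmp record layout to show why `last -f /var/log/lastlog` prints misaligned fields and 1970 dates. It assumes the legacy FreeBSD `<utmp.h>` layout on i386 (32-bit little-endian `time_t`, 8-byte line, 16-byte host and name fields, lastlog slot N belonging to UID N); the sample data is constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: legacy FreeBSD <utmp.h> on i386 (32-bit little-endian time_t).
#   struct lastlog { time_t ll_time; char ll_line[8]; char ll_host[16]; };
#   struct utmp    { char ut_line[8]; char ut_name[16]; char ut_host[16]; time_t ut_time; };
LASTLOG = struct.Struct("<i8s16s")   # 28 bytes, slot N belongs to UID N
WTMP = struct.Struct("<8s16s16si")   # 44 bytes, the record last(1) expects


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_lastlog(data):
    """Return [(uid, utc_time, line, host)] for every UID with a recorded login."""
    entries = []
    usable = len(data) - len(data) % LASTLOG.size   # ignore a truncated tail
    for off in range(0, usable, LASTLOG.size):
        ll_time, line, host = LASTLOG.unpack_from(data, off)
        if ll_time == 0:                            # sparse slot: never logged in
            continue
        when = datetime.fromtimestamp(ll_time, tz=timezone.utc)
        entries.append((off // LASTLOG.size, when, _text(line), _text(host)))
    return entries


def misread_as_wtmp(data):
    """Decode the same bytes with the wtmp record layout instead."""
    usable = len(data) - len(data) % WTMP.size
    rows = []
    for off in range(0, usable, WTMP.size):
        line, name, host, ut_time = WTMP.unpack_from(data, off)
        rows.append((_text(line), _text(name), _text(host), ut_time))
    return rows


def build_sample():
    """Constructed lastlog image: only UID 1000 has a login (values invented)."""
    buf = bytearray(LASTLOG.size * 1001)
    LASTLOG.pack_into(buf, 1000 * LASTLOG.size, 1075236539, b"ttyp2", b"host.example")
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    print(parse_lastlog(sample))
    print([r for r in misread_as_wtmp(sample) if any(r)])
```

With the wtmp layout, the only non-empty row of the sample has a tty fragment in the host column and a timestamp of 0, which prints as 1 January 1970.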


