Date: Tue, 27 Jan 2004 18:55:47 +0200
From: Peter Pentchev
To: Peter Rosa
Cc: freebsd-security@freebsd.org
Subject: Re: Possible compromise ?

On Tue, Jan 27, 2004 at 05:44:40PM +0100, Peter Rosa wrote:
> Hello,
>
> please, is there some way to list ALL users, who connect remotely to my
> machine ? It is our gateway, so it should be one-user machine, but if I list
> /var/log/lastlog binary file, there are some lines showing usage of ttyp0.
> That console I have disabled in ttys, so why there are that lines ? How
> could I make FreeBSD to show that file in readable way ?
>
> Was my machine compromised ?

ttyp0 is the first pseudo-tty. Pseudo-ttys may be created for many
purposes, but the most common ones by far are
1. remote logins (telnet, SSH, or the like), and
2. utilities such as 'screen'.

If you, or somebody else, has ever opened a telnet or SSH connection to
the machine in question, then FreeBSD would have accepted the remote
login on a pseudo-tty. The first such login would be on ttyp0, the
second - if there are two at the same time - would be on ttyp1, and so on.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If this sentence didn't exist, somebody would have invented it.
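
Added example, not part of the original message: a small decoder that turns a binary lastlog file into readable per-uid entries and marks logins on ttyp* pseudo-ttys, the case discussed above. The record layout (32-bit little-endian time, 8-byte line, 16-byte host, one slot per uid) is an assumption about the FreeBSD lastlog format of that era, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout (utmp.h-style struct lastlog, little-endian host):
#   int32 ll_time; char ll_line[8]; char ll_host[16]  -> 28 bytes, slot N = uid N
RECORD = struct.Struct("<i8s16s")

def text_field(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_lastlog(data):
    """Return one dict per uid that has a recorded login."""
    entries = []
    usable = len(data) - len(data) % RECORD.size  # ignore a truncated tail
    for uid in range(usable // RECORD.size):
        ll_time, line, host = RECORD.unpack_from(data, uid * RECORD.size)
        if ll_time == 0:  # empty slot: no login recorded for this uid
            continue
        line = text_field(line)
        entries.append({
            "uid": uid,
            "when": datetime.fromtimestamp(ll_time, timezone.utc),
            "line": line,
            "host": text_field(host),
            # ttyp0, ttyp1, ... are pseudo-ttys: a remote login or e.g. screen
            "pty": line.startswith("ttyp"),
        })
    return entries

def build_sample():
    """Constructed sample data, not taken from any real system."""
    empty = bytes(RECORD.size)
    console = RECORD.pack(1075000000, b"ttyv0", b"")           # uid 1
    remote = RECORD.pack(1075222547, b"ttyp0", b"192.0.2.10")  # uid 1000
    return empty + console + empty * 998 + remote + b"\x01\x02"  # junk tail

if __name__ == "__main__":
    for e in parse_lastlog(build_sample()):
        kind = "pseudo-tty" if e["pty"] else "console/serial"
        print(f'uid {e["uid"]:>5}  {e["when"]:%Y-%m-%d %H:%M:%S} UTC  '
              f'{e["line"]:<8} {e["host"] or "-":<16} {kind}')
```

To run it against a real file, pass the bytes read from a copy of /var/log/lastlog to `parse_lastlog`; map uids to names with the system password database.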