Message-Id: <5.1.1.6.2.20030701150100.00a74aa0@vivaldi.pn.sinp.msu.ru>
Date: Tue, 01 Jul 2003 15:10:09 +0300
To: freebsd-stable@freebsd.org
From: Sergei Vyshenski
Subject: possible intrusion?

Today I discovered the following in /var/log:

-rw-r--r--  1 root  wheel    176 Jul  1 14:37 wtmp
-rw-r--r--  1 root  wheel      0 Jul  1 05:20 wtmp.0
-rw-r--r--  1 root  wheel      0 Jul  1 05:00 wtmp.1
-rw-r--r--  1 root  wheel  20460 Jul  1 00:19 wtmp.2
-rw-r--r--  1 root  wheel      0 Jun  1 05:20 wtmp.3

While file /etc/newsyslog says:

/var/log/wtmp   root.wheel   644  3   *   @01T05   B

The system is 4.8-STABLE
FreeBSD 4.8-STABLE #0: Tue Jun 17 22:09:23 MSD 2003

Could this be a sign of intrusion?

Thank you very much in advance for any comments,
Sergei