From owner-freebsd-questions Wed Nov 11 16:39:50 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA27904 for freebsd-questions-outgoing; Wed, 11 Nov 1998 16:39:50 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from firewall.scitec.com.au (fgate.scitec.com.au [203.17.180.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA27899 for ; Wed, 11 Nov 1998 16:39:48 -0800 (PST) (envelope-from john.saunders@scitec.com.au)
Received: by firewall.scitec.com.au; id LAA14019; Thu, 12 Nov 1998 11:39:28 +1100 (EST)
Received: from mailhub.scitec.com.au(203.17.180.131) by fgate.scitec.com.au via smap (3.2) id xma014011; Thu, 12 Nov 98 11:39:00 +1100
Received: from saruman (saruman.scitec.com.au [203.17.182.108]) by mailhub.scitec.com.au (8.6.12/8.6.9) with SMTP id LAA25058; Thu, 12 Nov 1998 11:38:58 +1100
From: "John Saunders"
To: "Steve Friedrich"
Cc: "FreeBSD questions"
Subject: RE: wtmp
Date: Thu, 12 Nov 1998 11:38:58 +1100
Message-ID: <006701be0dd4$d5b83680$6cb611cb@saruman.scitec.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-Mimeole: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
In-Reply-To: <199811111743.MAA02125@laker.net>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> >> > No. I have the file. I just want to remove a record that user XXX
> >> > logged in at the time A and logged out at the time B. To pretend that
> >> > he never did.
>
> This sounds like something a *cracker* would want to do. Why is anyone
> helping a *cracker* cover his tracks??

It's also something that a service provider may want to do. Occasionally
I create test accounts and log in with them for debugging purposes.
However, I don't want to pollute wtmp (which is used for accounting and
billing), so I zap the test entries when I'm done. I have also zapped
user wtmp entries from time to time so they don't get billed for a
session.

> I realize he may not be a *cracker*, just wanted to point out the
> possibility and warn that even if he's not, your solution could be
> valuable to a *cracker*.

If they were a real cracker they would know how to do this themselves;
it's not exactly rocket science. If they are the type that downloads
cracks from rootshell.org then they probably have no idea what a wtmp
file is. Also, if they get root access they will no doubt act in a
destructive way which will be easy to detect (human nature). Also, most
cracks that gain root don't leave wtmp entries around. It's only access
via login (guessed passwords) that does it. I hope nobody uses
easy-to-guess root passwords; if they do, they deserve to be cracked
(harsh, I know).

Cheers.
-- 
    .     +-------------------------------------------------------+
 ,--_|\   | John Saunders    mailto:John.Saunders@scitec.com.au   |
/  Oz  \  | SCITEC LIMITED   Phone +61294289563 Fax +61294289933  |
\_,--\_/  | "By the time you make ends meet, they move the ends." |
      v   +-------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message