Date: Thu, 12 Nov 1998 11:38:58 +1100
From: "John Saunders" <john.saunders@scitec.com.au>
To: "Steve Friedrich" <SteveFriedrich@Hot-Shot.com>
Cc: "FreeBSD questions" <freebsd-questions@FreeBSD.ORG>
Subject: RE: wtmp
Message-ID: <006701be0dd4$d5b83680$6cb611cb@saruman.scitec.com.au>
In-Reply-To: <199811111743.MAA02125@laker.net>

> >> > No. I have the file. I just want to remove a record that user XXX
> >> > logged in at the time A and logged out at the time B. To pretend that
> >> > he never did.
>
> This sounds like something a *cracker* would want to do. Why is anyone
> helping a *cracker* cover his tracks??

It's also something that a service provider may want to do.
Occasionally I create test accounts and log in with them for
debugging purposes. However I don't want to pollute wtmp (which
is used for accounting and billing) so I zap the test entries when
I'm done. I have also zapped user wtmp entries from time to time
so they don't get billed for a session.

> I realize he may not be a *cracker*, just wanted to point out the
> possibility and warn that even if he's not, your solution could be
> valuable to a *cracker*.

If they were a real cracker they would know how to do this
themselves, it's not exactly rocket science. If they are the type
that downloads cracks from rootshell.org then they probably have
no idea what a wtmp file is. Also, if they get root access they
will no doubt act in a destructive way which will be easy to
detect (human nature).

Also most cracks that gain root don't leave wtmp entries around.
It's only access via login (guessed passwords) that does it. I
hope nobody uses easy to guess root passwords, if they do they
deserve being cracked (harsh I know).

Cheers.
-- 
        .   +-------------------------------------------------------+
    ,--_|\  | John Saunders   mailto:John.Saunders@scitec.com.au    |
   /  Oz  \ | SCITEC LIMITED  Phone +61294289563  Fax +61294289933  |
   \_,--\_/ | "By the time you make ends meet, they move the ends." |
         v  +-------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message