From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:24:00 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E291316A4CE for ; Tue, 27 Jan 2004 12:24:00 -0800 (PST) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id C325143D5A for ; Tue, 27 Jan 2004 12:23:51 -0800 (PST) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.12.9/8.12.9) with SMTP id i0RKNorp009816 for ; Tue, 27 Jan 2004 21:23:50 +0100 (CET) (envelope-from prosa@pro.sk) Message-ID: <002801c3e513$774a4040$3501a8c0@peter> From: "Peter Rosa" To: "security at FreeBSD" References: <01a901c3e294$8ea8a500$3501a8c0@peter><1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> Date: Tue, 27 Jan 2004 21:23:45 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-RAVMilter-Version: 8.4.3(snapshot 20030217) (ns.pro.sk) Subject: Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:24:01 -0000 OK, sorry for unclear previous message. In the past, one man teached me the FreeBSD basics and also installed my gateway. In that time, I was not able to install and setup FreeBSD by myself. He left there some holes - e.g. open virtual consoles, unset firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD and I tried to setup my own firewall, install and setup some programs (with big help of this and Questions lists, manpages and other books). When I tried to setup more security on that system, except other things, I disabled all virtual tty's, because there is no need to connect to this machine remotelly (it's located 5 steps from my desk). In the past, that man connected to my system remotely from various IPs. Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read some connects from remote machines to ttyp0 and ttyp1. It's impossible for me to retrieve connection dates from that file. Of course, I read man last, man wtmp, etc., but there is nothing about /var/log/lastlog file. May be, that lines was added in the deep past, when the machine was open. But may be, it was done in few previous days... I know, if my machine was compromised, it is impossible to believe in anything on that machine (also kernel, sources). So, are there some other ways to get information about connection dates? Peter Rosa