From owner-freebsd-security@FreeBSD.ORG Thu Jun 16 15:35:35 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88B2916A41C for ; Thu, 16 Jun 2005 15:35:35 +0000 (GMT) (envelope-from sbhasin@gmail.com)
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C01543D1D for ; Thu, 16 Jun 2005 15:35:34 +0000 (GMT) (envelope-from sbhasin@gmail.com)
Received: by rproxy.gmail.com with SMTP id i8so361840rne for ; Thu, 16 Jun 2005 08:35:34 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=milEMgvpsXexUGmFrcv1owKYSx99inZ93Kd9dIHMoJrOiuQv0PAa+FC1k4MOSiA3n3GEMOmBzX+U1RJnTwi4dIwcabtumKp74I2MR/u+LFwOGG0mXCa3PEXfnD2X2CEbeNNduvAs+oQZ0jgAJEzBvqWa802y26Acxz+bgMv7HNU=
Received: by 10.38.65.4 with SMTP id n4mr620673rna; Thu, 16 Jun 2005 08:35:34 -0700 (PDT)
Received: by 10.38.208.60 with HTTP; Thu, 16 Jun 2005 08:35:34 -0700 (PDT)
Message-ID:
Date: Thu, 16 Jun 2005 08:35:34 -0700
From: Saurabh Bhasin
To: Neo-Vortex
In-Reply-To: <20050616232236.A26561@Neo-Vortex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <20050616232236.A26561@Neo-Vortex.net>
X-Mailman-Approved-At: Fri, 17 Jun 2005 12:42:01 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: last command - strange entries?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Saurabh Bhasin
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 16 Jun 2005 15:35:35 -0000

> The last command uses /var/log/wtmp and /var/log/utmp (maybe even
> /var/log/lastlog) - anyway, the point is, it uses those files to get the
> information, now, it appears as if they have become corrupt, maybe by
> userland/kernel land desynch? bad upgrade? tried a reboot?
>
> Else, can you give us more details about the system, past upgrades,
> intrusions?

Thanks for the explanation. I do understand the above and for sanity's sake did every single thing to determine if my box was broken into. However, it turns out that the file did get corrupted (this behavior started to appear after a system reboot which required manual fsck). Simple re-creation of the file worked out just fine.
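The thread above boils down to two steps a defender would want scripted: confirm that the odd `last` output comes from a damaged wtmp rather than from tampering, and re-create the log without destroying the evidence. The script below is an added example, not code from either poster or from the FreeBSD base system. It assumes the legacy FreeBSD `<utmp.h>` layout (fixed-size records of `ut_line[8]`, `ut_name[16]`, `ut_host[16]` plus a `time_t`), so the record size is passed in explicitly: 44 bytes with a 32-bit `time_t`, larger where `time_t` is 64-bit and padded. A file whose size is not a multiple of the record size has a truncated or partially written record, which is exactly the kind of damage a crash and manual fsck leave behind; `last` then walks the file out of step and prints nonsense entries. Note that a well-aligned file can still hold bad records, so this check rules in corruption but does not rule it out, and the saved copy is what you inspect further before concluding anything.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check a wtmp file
# before trusting `last` output, and re-create it if it is corrupt.
# The record size is a caller-supplied assumption because it depends on
# the platform's time_t width; 44 bytes matches the classic 32-bit layout.

# wtmp_check FILE RECSIZE
#   Prints a verdict; returns 0 if every record is whole, 1 if the file
#   size is not a multiple of RECSIZE, 2 if the file is missing.
wtmp_check() {
    file=$1
    recsize=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 2
    fi
    size=$(wc -c < "$file")
    if [ $((size % recsize)) -ne 0 ]; then
        echo "$file: $size bytes is not a multiple of $recsize (truncated or corrupt record)"
        return 1
    fi
    echo "$file: $((size / recsize)) records, all whole"
    return 0
}

# wtmp_recreate FILE
#   Keep a timestamped copy of the damaged log for later inspection, then
#   start a fresh empty log with the ownership and mode the FreeBSD base
#   system uses for /var/log/wtmp (root:wheel, 0644). `last` runs fine on
#   an empty file; history before this point lives only in the saved copy.
wtmp_recreate() {
    file=$1
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$file" "$file.corrupt.$stamp"         # preserve evidence first
    : > "$file"                                   # truncate in place, inode kept
    chown root:wheel "$file" 2>/dev/null || true  # no-op when not run as root
    chmod 644 "$file"
}
```

Typical use is `wtmp_check /var/log/wtmp 44 && last | head`, and only on a non-zero result `wtmp_recreate /var/log/wtmp`. Keep the `.corrupt.*` copy until you have looked at it with `last -f`; if the damage is confined to the tail of the file, the earlier records are still readable that way.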