Date:      Tue, 27 Jan 2004 14:32:37 -0600
From:      Eric Anderson <anderson@centtech.com>
To:        Peter Rosa <prosa@pro.sk>
Cc:        security at FreeBSD <freebsd-security@freebsd.org>
Subject:   Re: Possible compromise ?
Message-ID:  <4016CAE5.6080808@centtech.com>
In-Reply-To: <002801c3e513$774a4040$3501a8c0@peter>
References:  <01a901c3e294$8ea8a500$3501a8c0@peter><1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter>

Peter Rosa wrote:
[..snip..]
> 
> Now, when I cat /var/log/lastlog, at the very bottom of the file I can read
> some connects from remote machines to ttyp0 and ttyp1. It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about the /var/log/lastlog file.
> 
> Maybe those lines were added in the deep past, when the machine was open.
> But maybe it was done in the few previous days...
> 
> I know that if my machine was compromised, it is impossible to believe
> anything on that machine (also the kernel and sources). So, are there other
> ways to get information about connection dates?

Possibly man lastlog will help, but the 'last' command is what you want.
Is bsdsar running on that machine?  You could look back and see what
processes were running, and maybe some other things.

Eric



-- 
------------------------------------------------------------------
Eric Anderson     Sr. Systems Administrator    Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------
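An added example, not part of this thread, that decodes the binary /var/log/lastlog the original poster could not read. It assumes the FreeBSD 4.x struct lastlog layout from <utmp.h> (32-bit time_t on i386, 8-byte ll_line, 16-byte ll_host, one slot per UID); the sample bytes are constructed. Note that lastlog keeps only the most recent login per UID, so the login history itself still has to come from wtmp via 'last'.

```python
import struct
from datetime import datetime, timezone

# Assumed layout of struct lastlog on FreeBSD 4.x (verify against <utmp.h>
# on the machine being examined): int32 ll_time, char ll_line[8],
# char ll_host[16].  The record for uid N sits at offset N * LASTLOG_SIZE.
LASTLOG_FMT = "<i8s16s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 28 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_lastlog(data: bytes):
    """Yield (uid, utc_datetime, line, host) for every populated slot.

    A slot whose ll_time is zero belongs to a UID that has never logged in.
    Only the latest login per UID survives here; older ones are overwritten.
    """
    for uid in range(len(data) // LASTLOG_SIZE):
        chunk = data[uid * LASTLOG_SIZE:(uid + 1) * LASTLOG_SIZE]
        t, line, host = struct.unpack(LASTLOG_FMT, chunk)
        if t == 0:
            continue
        yield uid, datetime.fromtimestamp(t, tz=timezone.utc), _cstr(line), _cstr(host)


def read_lastlog(path: str = "/var/log/lastlog"):
    """Read and parse a real lastlog file (offline copy recommended)."""
    with open(path, "rb") as fh:
        return list(parse_lastlog(fh.read()))


def make_record(t: int, line: str, host: str) -> bytes:
    """Build one record; struct pads the strings with NULs to width."""
    return struct.pack(LASTLOG_FMT, t, line.encode(), host.encode())


# Constructed sample: 1002 slots, only uid 1001 has ever logged in, via
# ttyp0 from a remote address, at 2004-01-27 14:32:37 UTC.
SAMPLE = bytearray(1002 * LASTLOG_SIZE)
SAMPLE[1001 * LASTLOG_SIZE:1002 * LASTLOG_SIZE] = make_record(
    1075213957, "ttyp0", "192.0.2.10")

if __name__ == "__main__":
    for uid, ts, line, host in parse_lastlog(bytes(SAMPLE)):
        print(f"uid={uid} {ts:%Y-%m-%d %H:%M:%S} UTC {line} from {host}")
```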


