From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:33:56 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D3B8E16A4CE for ; Tue, 27 Jan 2004 12:33:56 -0800 (PST)
Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 86C8143D6B for ; Tue, 27 Jan 2004 12:33:53 -0800 (PST) (envelope-from anderson@centtech.com)
Received: from centtech.com (neutrino.centtech.com [10.177.171.220]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id i0RKX7E8023073; Tue, 27 Jan 2004 14:33:07 -0600 (CST) (envelope-from anderson@centtech.com)
Message-ID: <4016CAE5.6080808@centtech.com>
Date: Tue, 27 Jan 2004 14:32:37 -0600
From: Eric Anderson
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20040121
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Peter Rosa
References: <01a901c3e294$8ea8a500$3501a8c0@peter> <1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter>
In-Reply-To: <002801c3e513$774a4040$3501a8c0@peter>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: security at FreeBSD
Subject: Re: Possible compromise ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 27 Jan 2004 20:33:56 -0000

Peter Rosa wrote:

[..snip..]

> Now, when I cat /var/log/lastlog, at the very bottom of the file I can read
> some connections from remote machines to ttyp0 and ttyp1. It's impossible for
> me to retrieve connection dates from that file. Of course, I read man last,
> man wtmp, etc., but there is nothing about the /var/log/lastlog file.
>
> Maybe those lines were added in the deep past, when the machine was open.
> But maybe it was done in the few previous days...
>
> I know that if my machine was compromised, it is impossible to believe in
> anything on that machine (also the kernel and sources). So, are there some other
> ways to get information about connection dates?

Possibly man lastlog will help, but the 'last' command is what you want.

Is bsdsar running on that machine? You could look back and see what
processes were running, and maybe some other things...

Eric

--
------------------------------------------------------------------
Eric Anderson
Sr. Systems Administrator
Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------
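The dates Peter cannot read with cat are there: lastlog is a binary table indexed by UID, not a text log. The following parser is an added example, not code from this thread; it assumes the classic FreeBSD 4.x <utmp.h> record layout (32-bit time_t, ll_line[8], ll_host[16]) and builds a constructed sample file inline rather than reading a real /var/log/lastlog.

```python
import struct
import time
from typing import NamedTuple

# Assumed classic FreeBSD 4.x <utmp.h> layout: 32-bit little-endian time_t (i386),
# UT_LINESIZE = 8, UT_HOSTSIZE = 16. The file is indexed by UID, so the record
# for a user lives at offset uid * RECORD_SIZE; never-logged-in UIDs are all zero.
LASTLOG_FMT = "<i8s16s"
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)  # 28 bytes


class LastlogEntry(NamedTuple):
    uid: int
    when: int   # epoch seconds of the most recent login
    line: str   # tty, e.g. "ttyp0" (pseudo-tty => network session)
    host: str   # remote host/address; empty for console logins


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_lastlog(data: bytes):
    """Yield one LastlogEntry per populated UID slot (zero slots skipped)."""
    for uid in range(len(data) // RECORD_SIZE):
        when, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * RECORD_SIZE)
        if when == 0:
            continue
        yield LastlogEntry(uid, when, _cstr(line), _cstr(host))


def remote_logins(data: bytes):
    """Entries with a host field, i.e. network logins, oldest first."""
    return sorted((e for e in parse_lastlog(data) if e.host), key=lambda e: e.when)


def build_record(when: int, line: str, host: str) -> bytes:
    """Pack one record; used here only to construct sample input."""
    return struct.pack(LASTLOG_FMT, when, line.encode(), host.encode())


# Constructed sample: uid 1001 logged in on ttyp0, uid 1002 on ttyp1; all others empty.
SAMPLE = bytearray(1003 * RECORD_SIZE)
SAMPLE[1001 * RECORD_SIZE:1002 * RECORD_SIZE] = build_record(1075220400, "ttyp0", "10.0.0.5")
SAMPLE[1002 * RECORD_SIZE:1003 * RECORD_SIZE] = build_record(1075221000, "ttyp1", "example.net")

if __name__ == "__main__":
    for e in remote_logins(bytes(SAMPLE)):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e.when))
        print(f"uid={e.uid} {stamp} {e.line} from {e.host}")
```

Because lastlog keeps only the latest login per UID, it shows when each account was last used but not a full history; wtmp via last(1) remains the record of every session, and on a suspected-compromised host both files are only as trustworthy as the machine that wrote them.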