Date: Tue, 27 Jan 2004 21:35:15 +0100 From: "Peter Rosa" <prosa@pro.sk> To: <freebsd-security@freebsd.org> Subject: Re: Possible compromise ? Message-ID: <00ae01c3e515$11dd1000$3501a8c0@peter> References: <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <20040127202802.GA19276@navi.eng.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Sorry, my syslog is not configured to save auth.* info :-((( I did not read syslog.conf carefully... PR ----- Original Message ----- From: "Mark Ogden" <ogden@eng.utah.edu> To: "Peter Rosa" <prosa@pro.sk> Cc: <freebsd-security@freebsd.org> Sent: Tuesday, January 27, 2004 9:28 PM Subject: Re: Possible compromise ? > Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote: > > OK, sorry for unclear previous message. > > > > In the past, one man teached me the FreeBSD basics and also installed my > > gateway. In that time, I was not able to install and setup FreeBSD by > > myself. He left there some holes - e.g. open virtual consoles, unset > > firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD > > and I tried to setup my own firewall, install and setup some programs (with > > big help of this and Questions lists, manpages and other books). > > > > When I tried to setup more security on that system, except other things, I > > disabled all virtual tty's, because there is no need to connect to this > > machine remotelly (it's located 5 steps from my desk). In the past, that man > > connected to my system remotely from various IPs. > > > > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read > > some connects from remote machines to ttyp0 and ttyp1. > > take a look at the /var/log/auth.log, it will show you everyone that > remote connected and was denied. > > -Mark > > >It's impossible for > > me to retrieve connection dates from that file. Of course, I read man last, > > man wtmp, etc., but there is nothing about /var/log/lastlog file. > > > > May be, that lines was added in the deep past, when the machine was open. > > But may be, it was done in few previous days... > > > > I know, if my machine was compromised, it is impossible to believe in > > anything on that machine (also kernel, sources). So, are there some other > > ways to get information about connection dates? > > > > Peter Rosa > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00ae01c3e515$11dd1000$3501a8c0>