From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:50:48 2004
Message-ID: <4016CE78.2020500@centtech.com>
Date: Tue, 27 Jan 2004 14:47:52 -0600
From: Eric Anderson
To: Peter Rosa
cc: security at FreeBSD
In-Reply-To: <00c401c3e516$4f1bf7a0$3501a8c0@peter>
Subject: Re: Possible compromise ?

Peter Rosa wrote:

> As Mr. Anderson wrote, I tried last -f /var/log/lastlog and got what is in
> the attachment.
> Unreadable chaos, bad dates. Maybe lastlog does not have the exact structure
> for last, does it?
>
> PR
>
> ------------------------------------------------------------------------
>
> ttyp2 067.mbne Thu Jan 1 01:00 - 08:08 (9012+06:08)
> m@ttyv0 Thu Jan 1 01:00 still logged in
> 0 hö&=ttyp 160- Thu Jan 1 01:00 still logged in
> 0 d¶Ñ?ttyv Thu Jan 1 01:00 still logged in
>
> wtmp begins Thu Jan 1 01:00:00 CET 1970

lastlog needs wtmp, so you should do:

last -f /var/log/wtmp

which is the default action if you just run last with no arguments.

Eric

--
------------------------------------------------------------------
Eric Anderson     Sr. Systems Administrator    Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------
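
Why reading lastlog with last -f gives scrambled names and 1970 dates, as an added example that is not part of the original message: lastlog and wtmp use different fixed-size records, so a lastlog file walked in wtmp-sized steps puts timestamp bytes into the tty field and zero padding into the time field. The record layouts are assumed from FreeBSD's historical <utmp.h> on i386; the sample file, its values and the helper names are constructed.

```python
import struct

# Layouts assumed from FreeBSD's historical <utmp.h> on i386
# (UT_LINESIZE=8, UT_NAMESIZE=16, UT_HOSTSIZE=16, 32-bit time).
LASTLOG = struct.Struct("<i8s16s")   # ll_time, ll_line, ll_host          -> 28 bytes
UTMP = struct.Struct("<8s16s16si")   # ut_line, ut_name, ut_host, ut_time -> 44 bytes

def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_lastlog(blob):
    """lastlog is indexed by uid: record N belongs to uid N, ll_time 0 means never."""
    out = {}
    for uid in range(len(blob) // LASTLOG.size):
        t, line, host = LASTLOG.unpack_from(blob, uid * LASTLOG.size)
        if t:
            out[uid] = (t, cstr(line), cstr(host))
    return out

def parse_as_wtmp(blob):
    """Walk the same bytes in utmp-sized steps, as a wtmp reader would."""
    recs = []
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        line, name, host, t = UTMP.unpack_from(blob, off)
        recs.append((cstr(line), cstr(name), cstr(host), t))
    return recs

def build_sample():
    """Constructed lastlog: uid 0 and uid 2 have logged in, uid 1 never has."""
    recs = [
        (1075236472, b"ttyv0", b""),
        (0, b"", b""),
        (1075236500, b"ttyp2", b"host.example.org"),
    ]
    return b"".join(LASTLOG.pack(*r) for r in recs)

if __name__ == "__main__":
    blob = build_sample()
    print("as lastlog:", parse_lastlog(blob))
    for rec in parse_as_wtmp(blob):
        # The tty field starts with raw timestamp bytes; time 0 prints as 1 Jan 1970.
        print("as wtmp:   ", rec)
```

In the misread record the tty name is split across two fields ("...ttyv" and "0") and the time is 0, the same pattern as the "m@ttyv0 Thu Jan 1 01:00" line in the quoted output.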