Date: Tue, 27 Jan 2004 21:56:20 +0100
From: "Peter Rosa" <prosa@pro.sk>
To: "security at FreeBSD" <freebsd-security@freebsd.org>
Subject: Re: Possible compromise ?
Message-ID: <013901c3e518$03d7dc80$3501a8c0@peter>
References: <01a901c3e294$8ea8a500$3501a8c0@peter><1653155537.20040126121155@b-o.ru> <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com> <00c401c3e516$4f1bf7a0$3501a8c0@peter> <4016CE78.2020500@centtech.com>

OK, tried, but all four wtmp files are clean (they are wtmp, wtmp.0....wtmp.3 in /var/log).
The only place where those connections are mentioned is the lastlog file.

PR

----- Original Message -----
From: "Eric Anderson" <anderson@centtech.com>
To: "Peter Rosa" <prosa@pro.sk>
Cc: "security at FreeBSD" <freebsd-security@freebsd.org>
Sent: Tuesday, January 27, 2004 9:47 PM
Subject: Re: Possible compromise ?

> Peter Rosa wrote:
>
> > As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in
> > attachment.
> > Unreadable chaos, bad dates. May be, lastlog has not exact structure for
> > last, isn't it ?
> >
> > PR
> >
> >
> > ------------------------------------------------------------------------
> >
> > ttyp2 067.mbne Thu Jan 1 01:00 - 08:08 (9012+06:08)
> > m@ttyv0 Thu Jan 1 01:00 still logged in
> > 0 hö&=ttyp 160- Thu Jan 1 01:00 still logged in
> > 0 d¶Ñ?ttyv Thu Jan 1 01:00 still logged in
> >
> > wtmp begins Thu Jan 1 01:00:00 CET 1970
>
> lastlog needs wtmp, so you should do:
>
> last -f /var/log/wtmp
> which is the default action if you just last with no arguments.
>
> Eric
>
> --
> ------------------------------------------------------------------
> Eric Anderson Sr. Systems Administrator Centaur Technology
> Today is the tomorrow you worried about yesterday.
> ------------------------------------------------------------------
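
Why reading lastlog with the wtmp record layout yields shifted fields and 1970 dates, as an added example that is not part of the original thread. It assumes the pre-utmpx FreeBSD <utmp.h> layouts (28-byte struct lastlog indexed by uid, 44-byte struct utmp, little-endian 32-bit timestamps), which the thread does not state; the sample bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed layouts (pre-utmpx FreeBSD <utmp.h>, little-endian, 32-bit time):
#   struct lastlog { int32 ll_time; char ll_line[8]; char ll_host[16]; }
#       28 bytes per slot, slot number == uid
#   struct utmp    { char ut_line[8]; char ut_name[16]; char ut_host[16];
#                    int32 ut_time; }   44 bytes per record (wtmp)
LASTLOG = struct.Struct("<i8s16s")
UTMP = struct.Struct("<8s16s16si")


def _text(raw):
    """NUL-terminated field to str; latin-1 never fails on junk bytes."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_lastlog(data):
    """Return {uid: (utc_time, line, host)} for slots that hold a login."""
    out = {}
    for uid in range(len(data) // LASTLOG.size):
        t, line, host = LASTLOG.unpack_from(data, uid * LASTLOG.size)
        if t:  # ll_time == 0 means this uid has never logged in
            when = datetime.fromtimestamp(t, timezone.utc)
            out[uid] = (when, _text(line), _text(host))
    return out


def parse_as_utmp(data):
    """Walk the same bytes with the 44-byte wtmp stride (wrong for lastlog)."""
    rows = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        line, name, host, t = UTMP.unpack_from(data, off)
        rows.append((_text(line), _text(name), _text(host), t))
    return rows


def build_sample():
    """Constructed lastlog image: uid 0 and uid 2 logged in, uid 1 never."""
    return b"".join([
        LASTLOG.pack(1075236980, b"ttyv0", b""),
        LASTLOG.pack(0, b"", b""),
        LASTLOG.pack(1075161600, b"ttyp2", b"192.0.2.10"),
    ])


if __name__ == "__main__":
    sample = build_sample()
    for uid, rec in sorted(parse_lastlog(sample).items()):
        print(uid, rec[0].isoformat(), rec[1], rec[2] or "-")
    print(parse_as_utmp(sample))  # timestamp bytes land in the tty field
```
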