From owner-freebsd-security@FreeBSD.ORG  Tue Jan 27 13:11:30 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EC08616A4CE
	for <freebsd-security@freebsd.org>;
	Tue, 27 Jan 2004 13:11:30 -0800 (PST)
Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3704B43D72
	for <freebsd-security@freebsd.org>;
	Tue, 27 Jan 2004 13:10:52 -0800 (PST)
	(envelope-from anderson@centtech.com)
Received: from centtech.com (neutrino.centtech.com [10.177.171.220])
	by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id i0RL9eE8029893;
	Tue, 27 Jan 2004 15:09:41 -0600 (CST)
	(envelope-from anderson@centtech.com)
Message-ID: <4016D377.6090208@centtech.com>
Date: Tue, 27 Jan 2004 15:09:11 -0600
From: Eric Anderson <anderson@centtech.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20040121
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Nicolas Rachinsky <list@rachinsky.de>
References: <003001c3e4f4$dbba7910$3501a8c0@peter>
	<20040127165741.GA1700@sheol.localdomain>
	<002801c3e513$774a4040$3501a8c0@peter> <4016CAE5.6080808@centtech.com>
	<00c401c3e516$4f1bf7a0$3501a8c0@peter> <20040127210015.GA12328@pc5.i.0x5.de>
In-Reply-To: <20040127210015.GA12328@pc5.i.0x5.de>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: Peter Rosa <prosa@pro.sk>
cc: security at FreeBSD <freebsd-security@freebsd.org>
Subject: Re: Possible compromise ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jan 2004 21:11:31 -0000

Nicolas Rachinsky wrote:
> * Peter Rosa <prosa@pro.sk> [2004-01-27 21:44 +0100]:
> 
>>As Mr. Anderson wrote, I tried last -f /var/log/lastlog and get, what is in
>>attachment.
>>Unreadable chaos, bad dates. May be, lastlog has not exact structure for
>>last, isn't it ?
> 
> 
> The program to show /var/log/lastlog is lastlogin.


Actually, last reads it also, the lastlogin tool is a "subtool" I think:

 From lastlogin(8):
      "The lastlogin utility differs from last(1) in that it only prints 
infor-mation regarding the very last login session.  The last login 
database is never turned over or deleted in standard usage."

Eric



-- 
------------------------------------------------------------------
Eric Anderson     Sr. Systems Administrator    Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------