From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 15:49:33 2004
Date: Wed, 28 Jan 2004 00:49:26 +0100
From: Paul Schenkeveld
To: security at FreeBSD
Message-ID: <20040127234926.GA27135@psconsult.nl>
References: <20040127210015.GA12328@pc5.i.0x5.de> <014f01c3e51a$a5a302e0$3501a8c0@peter>
In-Reply-To: <014f01c3e51a$a5a302e0$3501a8c0@peter>
Subject: Re: Possible compromise ?
List-Id: Security issues [members-only posting]

Hi Peter,

On Tue, Jan 27, 2004 at 10:15:10PM +0100, Peter Rosa wrote:
> Thanks for pointing me. But lastlogin returns only local and only a few last
> connects.
> If I understand well, the bottom of lastlogin is the oldest. So maybe those
> connections were done in the deep past.

Every login gets logged to wtmp, but wtmp gets rotated by newsyslog.
BTW, oldest logins are at the top of the file but the last(1) command reads
the file backwards for convenience.

/var/log/lastlog holds one record for every user that ever logged into the
system with the time and date, tty line and remote host of that last login.
It never gets truncated, so that's why it's normal to see entries for ttyp0
and ttyp1 there even if these ttys have been disabled afterwards.

I know of no standard program to list the entire lastlog file (/bin/login
only shows your own record when logging in) so I've thrown a few bytes in
the right order to visualize its contents. Just compile it with
"cc -o showlast showlast.c". There's a uuencoded copy of the source at the
end just in case your mailer scrambles the listing.

Regards,

Paul Schenkeveld, Consultant
PSconsult ICT Services BV

/* showlast.c - show contents of lastlog */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <pwd.h>
#include <time.h>
#include <utmp.h>       /* struct lastlog, UT_LINESIZE, UT_HOSTSIZE */

#define LASTLOG "/var/log/lastlog"

int
main(int argc, char *argv[])
{
    struct lastlog lbuf;
    struct passwd *pw;
    int fd, n;
    uid_t uid = 0;      /* the file is indexed by uid: record N belongs to uid N */

    if ((fd = open(LASTLOG, O_RDONLY)) < 0) {
        perror(LASTLOG);
        exit(1);
    }
    printf("Username           UID Line     Remote host      Date/time\n");
    printf("---------------- ----- -------- ---------------- "
        "------------------------\n");
    while ((n = read(fd, &lbuf, sizeof(lbuf))) == sizeof(lbuf)) {
        if (lbuf.ll_time > 0) {     /* ll_time == 0: this uid never logged in */
            pw = getpwuid(uid);
            /* ll_line and ll_host are not NUL-terminated when they fill
               the array, hence the explicit precision in the format. */
            printf("%-16.16s %5d %-*.*s %-*.*s %s",
                pw ? pw->pw_name : "(unknown)", uid,
                UT_LINESIZE, UT_LINESIZE, lbuf.ll_line,
                UT_HOSTSIZE, UT_HOSTSIZE, lbuf.ll_host,
                ctime(&lbuf.ll_time));  /* ctime() supplies the newline */
        }
        uid++;
    }
    close(fd);
    switch (n) {
    case -1:
        perror(LASTLOG);
        exit(1);
    case 0:             /* clean end of file */
        break;
    default:            /* short read: size is not a multiple of the record size */
        fprintf(stderr, "%s: corrupted\n", LASTLOG);
        exit(1);
    }
    exit(0);
}

begin 644 showlast.c
M+RH@7!EPH)<&5R
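Added example, not Paul's showlast.c and not FreeBSD code: a decoder for the same lastlog layout that works on an image held in memory rather than opening /var/log/lastlog, so it runs anywhere against a constructed sample. It assumes the i386 FreeBSD 4.x on-disk layout of struct lastlog (a 32-bit little-endian time_t, UT_LINESIZE = 8, UT_HOSTSIZE = 16, no padding, record i belonging to uid i); the sample image, its host names and every function name here are constructed for this example. Beyond decoding records it goes one step further than the listing above and answers the question raised upthread for the whole file: which uid logged in most recently, and how many last logins fall at or after a cutoff date, something the uid-indexed file does not tell you directly.

```c
/*
 * lastlog_scan.c - decode a FreeBSD 4.x-style lastlog image held in memory.
 * Added example, not the original showlast.c.  Assumed on-disk layout
 * (i386): 32-bit little-endian time_t, ll_line[8], ll_host[16], no
 * padding, record i belongs to uid i.  All sample data is constructed.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define LL_LINESIZE 8
#define LL_HOSTSIZE 16
#define LL_RECSIZE  (4 + LL_LINESIZE + LL_HOSTSIZE)     /* 28 bytes per uid */

struct ll_rec {
    uint32_t uid, time;             /* time 0 means "never logged in" */
    char line[LL_LINESIZE + 1];     /* +1: on-disk fields may lack a NUL */
    char host[LL_HOSTSIZE + 1];
};

/* Decode the record for `uid`; returns 0 when the image ends before it. */
int ll_decode(const unsigned char *img, size_t len, uint32_t uid, struct ll_rec *out)
{
    size_t off = (size_t)uid * LL_RECSIZE;
    const unsigned char *p;

    if (off + LL_RECSIZE > len)
        return 0;
    p = img + off;
    out->uid = uid;
    out->time = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    memcpy(out->line, p + 4, LL_LINESIZE);              /* fixed-length copy, */
    out->line[LL_LINESIZE] = '\0';                      /* then terminate     */
    memcpy(out->host, p + 4 + LL_LINESIZE, LL_HOSTSIZE);
    out->host[LL_HOSTSIZE] = '\0';
    return 1;
}

/* Uid with the newest login, or -1 if nobody ever logged in; *live receives
 * the number of uids that have. */
long ll_newest(const unsigned char *img, size_t len, int *live)
{
    struct ll_rec r;
    uint32_t uid, best_time = 0;
    long best_uid = -1;

    for (*live = 0, uid = 0; ll_decode(img, len, uid, &r); uid++) {
        if (r.time == 0)
            continue;                                   /* empty slot */
        (*live)++;
        if (r.time > best_time)
            best_time = r.time, best_uid = uid;
    }
    return best_uid;
}

/* Number of uids whose last login is at or after `cutoff`. */
int ll_count_since(const unsigned char *img, size_t len, uint32_t cutoff)
{
    struct ll_rec r;
    uint32_t uid;
    int n = 0;

    for (uid = 0; ll_decode(img, len, uid, &r); uid++)
        n += (r.time != 0 && r.time >= cutoff);
    return n;
}

/* Append one on-disk record (constructed test data, not a real file). */
static size_t ll_put(unsigned char *buf, size_t off, uint32_t t,
                     const char *line, const char *host)
{
    unsigned char *p = buf + off;
    size_t ln = strlen(line), hn = strlen(host);

    memset(p, 0, LL_RECSIZE);
    p[0] = t & 0xff; p[1] = (t >> 8) & 0xff;
    p[2] = (t >> 16) & 0xff; p[3] = (t >> 24) & 0xff;
    memcpy(p + 4, line, ln < LL_LINESIZE ? ln : LL_LINESIZE);
    memcpy(p + 4 + LL_LINESIZE, host, hn < LL_HOSTSIZE ? hn : LL_HOSTSIZE);
    return off + LL_RECSIZE;
}

/* Constructed sample: four uids; uid 1 never logged in; uid 2's host name
 * is exactly 16 bytes, so that field has no terminating NUL on disk. */
size_t ll_sample_image(unsigned char *buf)
{
    size_t off = 0;
    off = ll_put(buf, off, 1060000000u, "ttyv0", "");                 /* uid 0 */
    off = ll_put(buf, off, 0u, "", "");                               /* uid 1 */
    off = ll_put(buf, off, 1075200000u, "ttyp0", "host.example.net"); /* uid 2 */
    off = ll_put(buf, off, 1074000000u, "ttyp1", "10.0.0.5");         /* uid 3 */
    return off;
}
```

To use it against a real file from that era, read /var/log/lastlog into a buffer and hand it to ll_newest() or ll_count_since() in place of ll_sample_image(); the decode step stays byte-oriented on purpose, so it also works when the file was copied off an i386 box and examined on a different architecture. Note that FreeBSD 9 and later replaced the utmp files with utmpx (the last-login records live in /var/log/utx.lastlogin and lastlogin(8) lists every user's entry), so the record layout assumed here is specific to the 4.x/5.x systems of this thread.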