Re: Possible compromise ?

From: Eric Anderson (anderson_at_centtech.com)
Date: 01/27/04

  • Next message: Peter Rosa: "Re: Possible compromise ?"
    Date: Tue, 27 Jan 2004 14:32:37 -0600
    To: Peter Rosa <prosa@pro.sk>
    
    

    Peter Rosa wrote:
    [..snip..]
    >
    > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read
    > some connects from remote machines to ttyp0 and ttyp1. It's impossible for
    > me to retrieve connection dates from that file. Of course, I read man last,
    > man wtmp, etc., but there is nothing about /var/log/lastlog file.
    >
    > Maybe those lines were added in the deep past, when the machine was open.
    > But maybe it was done in the few previous days...
    >
    > I know, if my machine was compromised, it is impossible to believe in
    > anything on that machine (also kernel, sources). So, are there some other
    > ways to get information about connection dates?

    Possibly man lastlog will help, but the 'last' command is what you want.
    Is bsdsar running on that machine? You could look back and see what
    processes were running, and maybe some other things..

    Eric

    -- 
    ------------------------------------------------------------------
    Eric Anderson     Sr. Systems Administrator    Centaur Technology
    Today is the tomorrow you worried about yesterday.
    ------------------------------------------------------------------
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
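
For the question in the quoted message (getting dates out of /var/log/lastlog), here is an added example, not part of the original post or of FreeBSD's own code, that decodes a copy of the file on a separate, trusted machine. It assumes the historical FreeBSD `struct lastlog` layout (32-bit `ll_time`, 8-byte `ll_line`, 16-byte `ll_host`, one record per UID) written by a little-endian host; the sample bytes are constructed. The file keeps only the most recent login per UID, so it complements the history that `last` reads from wtmp rather than replacing it.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout (historical FreeBSD <utmp.h>, little-endian host):
#   int32 ll_time; char ll_line[8]; char ll_host[16]   -> 28 bytes
# Record N belongs to UID N; an all-zero record means "never logged in".
RECORD = struct.Struct("<i8s16s")


def _text(raw):
    """Cut a fixed-width field at the first NUL and decode it."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_lastlog(data):
    """Return (uid, utc_datetime, tty, host) for each used record."""
    entries = []
    usable = len(data) - len(data) % RECORD.size  # ignore a truncated tail
    for offset in range(0, usable, RECORD.size):
        ll_time, line, host = RECORD.unpack_from(data, offset)
        if ll_time == 0 and not line.strip(b"\0") and not host.strip(b"\0"):
            continue  # unused slot for this UID
        when = datetime.fromtimestamp(ll_time, tz=timezone.utc)
        entries.append((offset // RECORD.size, when, _text(line), _text(host)))
    return entries


def build_sample():
    """Constructed sample: UIDs 0..1000 unused, UID 1001 has one login."""
    blank = bytes(RECORD.size)
    rec = RECORD.pack(1075212757, b"ttyp0", b"192.0.2.10")
    return blank * 1001 + rec


if __name__ == "__main__":
    # Parse a copy taken off the suspect machine; fall back to the sample.
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    for uid, when, tty, host in parse_lastlog(data):
        print(f"uid={uid:<6} {when:%Y-%m-%d %H:%M:%S} UTC  {tty:<8} {host}")
```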
    
