Re: Last login missing

From: Ira (iashkenes_at_verizon.net)
Date: 07/04/04

    To: "Milos Prudek" <prudek@bvx.cz>, <focus-linux@securityfocus.com>
    Date: Sun, 4 Jul 2004 17:59:30 -0400
    
    

    Usually, at the beginning of a month, the wtmp file is backed up, and a new
    one is created. This being the 4th of the month, depending on system usage,
    etc., this could be ok. You need to see if /var/log/wtmp and /var/log/wtmp.1
    look like they might look legit.

    Ira
    ----- Original Message -----
    From: "Milos Prudek" <prudek@bvx.cz>
    To: <focus-linux@securityfocus.com>
    Sent: Thursday, July 01, 2004 4:59 AM
    Subject: Last login missing

    > If "Last login:" is not displayed, is that fishy? Is it a sure
    > indication that a cracker was there and cleaned up his tracks?
    >
    > Details:
    >
    > When I connect via ssh to my Linux server it always displays Last login:
    > <date> from <host>
    >
    > Today I received a suspicious-looking email from my server about an
    > unexpected restart of Apache, so I logged in and there was no "Last
    > login:" information.
    >
    > Of course when I logged in again, "Last login:" information was there
    > just fine.
    >
    >
    > --
    > Milos
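
One way to run the check suggested in the reply above on /var/log/wtmp and /var/log/wtmp.1, as an added example that is not part of the original thread: it reports the time window each file covers, the login records for one user, and oddities such as all-zero records, partial records, or timestamps that step backwards. Assumptions: the Linux glibc 384-byte `struct utmp` layout on a little-endian machine; the helper names are hypothetical and the sample records are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumption: Linux glibc "struct utmp" layout, 384 bytes, little-endian.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS = 2, 7  # ut_type values from <utmp.h>

def text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Return (records, trailing_bytes); trailing bytes mean a partial record."""
    whole = len(data) - len(data) % UTMP.size
    records = []
    for off in range(0, whole, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({"type": f[0], "line": text(f[2]), "user": text(f[4]),
                        "host": text(f[5]), "time": f[9],
                        "blank": not any(data[off:off + UTMP.size])})
    return records, len(data) - whole

def audit(data):
    """Summarise one wtmp file: coverage window plus oddities worth a closer look."""
    records, trailing = parse_wtmp(data)
    times = [r["time"] for r in records if not r["blank"]]
    return {"records": len(records), "trailing_bytes": trailing,
            "blank_records": sum(r["blank"] for r in records),
            # Clock changes can also cause these, so treat as a lead, not proof.
            "backward_steps": sum(b < a for a, b in zip(times, times[1:])),
            "first": times[0] if times else None, "last": times[-1] if times else None}

def logins(data, user):
    return [(r["time"], r["line"], r["host"]) for r in parse_wtmp(data)[0]
            if r["type"] == USER_PROCESS and r["user"] == user]

def make_record(ut_type, user, line, host, when):
    """Build one constructed record for the demo below."""
    return UTMP.pack(ut_type, 1000, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0, b"")

def ts(*ymdhm):
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())

# Constructed sample data (not from the thread): a June login, then a freshly rotated file.
WTMP_1 = make_record(USER_PROCESS, "milos", "pts/0", "host.example", ts(2004, 6, 28, 9, 0))
WTMP = make_record(BOOT_TIME, "reboot", "~", "", ts(2004, 7, 1, 0, 5))
if __name__ == "__main__":
    for name, data in (("wtmp.1", WTMP_1), ("wtmp", WTMP)):
        print(name, audit(data), logins(data, "milos"))
```

To audit real files, pass `open("/var/log/wtmp", "rb").read()` and the same for `/var/log/wtmp.1` to `audit()` and `logins()`.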
