Re: Last login missing
From: Ira (iashkenes_at_verizon.net)
To: "Milos Prudek" <firstname.lastname@example.org>, <email@example.com> Date: Sun, 4 Jul 2004 17:59:30 -0400
Usually, at the beginning of a month, the wtmp file is backed up, and a new
one is created. This being the 4th of the month, depending on system usage,
etc, this could be ok. You need to see if /var/log/wtmp and /var/log/wtmp.1
look like they might look legit.
----- Original Message -----
From: "Milos Prudek" <firstname.lastname@example.org>
Sent: Thursday, July 01, 2004 4:59 AM
Subject: Last login missing
> If "Last login:" is not displayed, is that fishy? Is it a sure
> indication that a cracker was there and cleaned up his tracks?
> When I connect via ssh to my linux server it always displays Last login:
> <date> from <host>
> Today I received a suspiciously looking email from my server about an
> unexpected restart of Apache, so I logged in and there was no "Last
> login:" information.
> Of course when I logged in again, "Last login:" information was there
> just fine.