Re: Last login missing
From: Stefan Guha (safti_at_safti.org)
Date: 07/04/04
- Previous message: Pat Parrinello: "Re: Error installing Clamav?"
- In reply to: Milos Prudek: "Last login missing"
- Next in thread: Michael LaSalvia: "RE: Last login missing"
- Reply: Michael LaSalvia: "RE: Last login missing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Milos Prudek" <prudek@bvx.cz>, <focus-linux@securityfocus.com> Date: Sun, 4 Jul 2004 23:30:09 +0200
If you had not mentioned the apache restart I would have assumed your wtmp
got "full" and rotated. But together with the apache email it's suspicious.
try the rootkit check-utils that are around.
Milos Prudek wrote:
> If "Last login:" is not displayed, is that fishy? Is it a sure
> indication that a cracker was there and cleaned up his tracks?
>
> Details:
>
> When I connect via ssh to my linux server it always displays Last
> login: <date> from <host>
>
> Today I received a suspiciously looking email from my server about an
> unexpected restart of Apache, so I logged in and there was no "Last
> login:" information.
>
> Of course when I logged in again, "Last login:" information was there
> just fine.
- Previous message: Pat Parrinello: "Re: Error installing Clamav?"
- In reply to: Milos Prudek: "Last login missing"
- Next in thread: Michael LaSalvia: "RE: Last login missing"
- Reply: Michael LaSalvia: "RE: Last login missing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
