Re: Last login missing

From: Stefan Guha (safti_at_safti.org)
Date: 07/04/04

  • Next message: Kostas K: "Weird!"
    To: "Milos Prudek" <prudek@bvx.cz>, <focus-linux@securityfocus.com>
    Date: Sun, 4 Jul 2004 23:30:09 +0200
    
    

    If you had not mentioned the apache restart I would have assumed your wtmp
    got "full" and rotated. But together with the apache email it's suspicious.
    Try the rootkit check-utils that are around.

    Milos Prudek wrote:
    > If "Last login:" is not displayed, is that fishy? Is it a sure
    > indication that a cracker was there and cleaned up his tracks?
    >
    > Details:
    >
    > When I connect via ssh to my linux server it always displays Last
    > login: <date> from <host>
    >
    > Today I received a suspicious-looking email from my server about an
    > unexpected restart of Apache, so I logged in and there was no "Last
    > login:" information.
    >
    > Of course when I logged in again, "Last login:" information was there
    > just fine.

