Re: Last login missing
From: Stefan Guha (safti_at_safti.org)
To: "Milos Prudek" <firstname.lastname@example.org>, <email@example.com> Date: Sun, 4 Jul 2004 23:30:09 +0200
If you had not mentioned the apache restart I would have assumed your wtmp
got "full" and rotated. But together with the apache email it's suspicious.
try the rootkit check-utils that are around.
Milos Prudek wrote:
> If "Last login:" is not displayed, is that fishy? Is it a sure
> indication that a cracker was there and cleaned up his tracks?
> When I connect via ssh to my linux server it always displays Last
> login: <date> from <host>
> Today I received a suspiciously looking email from my server about an
> unexpected restart of Apache, so I logged in and there was no "Last
> login:" information.
> Of course when I logged in again, "Last login:" information was there
> just fine.