RE: Last login missing
From: Michael LaSalvia (mike_at_genxweb.net)
Date: 07/06/04
- Previous message: Kostas K: "Weird!"
- In reply to: Stefan Guha: "Re: Last login missing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Stefan Guha'" <safti@safti.org>, "'Milos Prudek'" <prudek@bvx.cz>, <focus-linux@securityfocus.com>
Date: Mon, 5 Jul 2004 21:20:35 -0400
Have you checked your apache access and error logs to see what
happened at the time of the reboot, see if there were any weird
requests or whatnot?
Michael LaSalvia
LCA, TICSA, CCSA, CSI
-----Original Message-----
From: Stefan Guha [mailto:safti@safti.org]
Sent: Sunday, July 04, 2004 5:30 PM
To: Milos Prudek; focus-linux@securityfocus.com
Subject: Re: Last login missing
If you had not mentioned the apache restart I would have assumed your
wtmp got "full" and rotated. But together with the apache email it's
suspicious.
Try the rootkit check-utils that are around.
Milos Prudek wrote:
> If "Last login:" is not displayed, is that fishy? Is it a sure
> indication that a cracker was there and cleaned up his tracks?
>
> Details:
>
> When I connect via ssh to my linux server it always displays Last
> login: <date> from <host>
>
> Today I received a suspicious-looking email from my server about
> an unexpected restart of Apache, so I logged in and there was no
> "Last login:" information.
>
> Of course when I logged in again, "Last login:" information was
> there just fine.