[plug] Curious wtmp entry
Christian
christian at amnet.net.au
Sat Apr 7 20:26:02 WST 2001
Hi all,
Noticed something unusual today. My first thought was that the machine
had been compromised but that doesn't really seem all that likely. Any
other ideas or comments?
diffie:~$ w
8:24pm up 1 day, 8:55, 2 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
again pts/0 daisy.amnet.net. 08:18pm 0.00s 0.18s 0.04s w
diffie:~$ last -5
again pts/0 daisy.amnet.net. Sat Apr 7 20:18 still logged in
again pts/0 daisy.amnet.net. Sat Apr 7 09:50 - 09:52 (00:02)
date { Sat Apr 7 06:09 still logged in
date | Sat Apr 7 06:10 still logged in
again pts/2 :0 Fri Apr 6 15:51 - 16:26 (00:34)
wtmp begins Sun Apr 1 10:38:05 2001
I guess the two things I'm referring to are that 'w' reports "2 users"
while listing only one and the wtmp includes odd entries for user 'date'
which does not appear in /etc/passwd and appears to have logged in on
two very unusually named terminal lines!
What do you guys think?
--
DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066 7267 8BED E9D6 0EC1 D28C
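
An added example, not part of the original post: one way to check a wtmp file for the two things the message points at, records whose user is not a known account and records whose terminal line name looks unusual. It assumes the Linux glibc 384-byte utmp record layout; the function names, the list of expected line prefixes and the sample records are constructed for illustration.

```python
import struct

# Assumed layout: Linux glibc "struct utmp", 384 bytes per record, little-endian.
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i4i20s")
DEAD_PROCESS, USER_PROCESS = 8, 7          # ut_type values from <utmp.h>
LINE_PREFIXES = ("tty", "pts/", "console", ":")  # assumed "normal" ut_line names


def _text(raw):
    """Decode a NUL-padded utmp string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, line, user, host=""):
    """Build one constructed record; used only for the sample data below."""
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def unusual_entries(data, known_users):
    """Return (user, line, ut_type, reasons) for records worth a closer look."""
    findings = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        ut_type, line, user = rec[0], _text(rec[2]), _text(rec[4])
        if not user or ut_type == DEAD_PROCESS:
            continue  # logout records carry no user name to check
        reasons = []
        if user not in known_users:
            reasons.append("user not in passwd")
        if not line.startswith(LINE_PREFIXES):
            reasons.append("unexpected line name")
        if reasons:
            findings.append((user, line, ut_type, reasons))
    return findings


# Constructed sample mirroring the `last -5` output in the post; the ut_type
# values are assumed, since `last` does not print them.
SAMPLE = b"".join([
    pack_record(USER_PROCESS, "pts/2", "again", ":0"),
    pack_record(USER_PROCESS, "|", "date"),
    pack_record(USER_PROCESS, "{", "date"),
    pack_record(USER_PROCESS, "pts/0", "again", "daisy.amnet.net."),
])

if __name__ == "__main__":
    for user, line, ut_type, reasons in unusual_entries(SAMPLE, {"again", "root"}):
        print(f"user={user!r} line={line!r} type={ut_type}: {', '.join(reasons)}")
```

On a real system, read /var/log/wtmp in binary mode and build known_users from /etc/passwd; the reported ut_type separates login sessions from bookkeeping records such as reboots and clock changes.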