[plug] Curious wtmp entry
Steve Grasso
steveg at calm.wa.gov.au
Wed Apr 18 17:23:14 WST 2001
Random thought:
Do any of your admin/accounting scripts do something funky with the
system date in response to a login event perhaps? The brace and pipe in the
context of "date" seem more suggestive to me of a (badly) misbehaving script
etc. than a crack (attempt), but .... I suppose you've checked other logs for
events coinciding with the date and time in wtmp?
Steve
On Sat, 07 Apr 2001, Christian wrote:
> Hi all,
>
> Noticed something unusual today. My first thought was that the machine
> had been compromised but that doesn't really seem all that likely. Any
> other ideas or comments?
>
> diffie:~$ w
> 8:24pm up 1 day, 8:55, 2 users, load average: 0.00, 0.01, 0.00
> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
> again pts/0 daisy.amnet.net. 08:18pm 0.00s 0.18s 0.04s w
> diffie:~$ last -5
> again pts/0 daisy.amnet.net. Sat Apr 7 20:18 still logged in
> again pts/0 daisy.amnet.net. Sat Apr 7 09:50 - 09:52 (00:02)
> date { Sat Apr 7 06:09 still logged in
> date | Sat Apr 7 06:10 still logged in
> again pts/2 :0 Fri Apr 6 15:51 - 16:26 (00:34)
>
> wtmp begins Sun Apr 1 10:38:05 2001
>
> I guess the two things I'm referring to are that 'w' reports "2 users"
> while listing only one and the wtmp includes odd entries for user 'date'
> which does not appear in /etc/passwd and appears to have logged in on
> two very unusually named terminal lines!
>
> What do you guys think?
>
> --
> DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066 7267 8BED E9D6 0EC1 D28C
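A defender's check for the kind of entries Christian quotes, added here as an example and not part of the original thread: it parses raw wtmp records and flags logins whose user is not a known account or whose tty name contains characters no terminal line should have. It assumes the Linux glibc x86_64 record layout (384 bytes per record; the 2001 machine's format may differ), and the sample records are constructed to mirror the quoted `last` output.

```python
import struct

# Linux glibc utmp record layout (x86_64, 384 bytes); an assumption here, since
# other platforms and older libcs use different sizes, so check your own.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8
SAFE_LINE_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/:.-_")

def _fixed(s, n):
    """Encode a string as a NUL-padded fixed-width field."""
    return s.encode()[:n].ljust(n, b"\0")

def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record; used only to construct the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, _fixed(line, 32), _fixed(line[:4], 4),
                       _fixed(user, 32), _fixed(host, 256), 0, 0, 0, int(ts),
                       0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Yield (type, pid, line, user, host, tv_sec) for every record in data."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode("latin-1")
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], f[1], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]

def suspicious_entries(data, known_users):
    """Flag login records with an unknown user or an odd tty name like '{' or '|'."""
    hits = []
    for ut_type, pid, line, user, host, ts in parse_wtmp(data):
        if ut_type not in (USER_PROCESS, DEAD_PROCESS):
            continue
        reasons = []
        if user and user not in known_users:
            reasons.append("unknown user %r" % user)
        if not set(line) <= SAFE_LINE_CHARS:
            reasons.append("odd tty name %r" % line)
        if reasons:
            hits.append((ts, user, line, "; ".join(reasons)))
    return hits

# Constructed sample wtmp mirroring the entries quoted in the thread.
SAMPLE = b"".join([
    pack_record(USER_PROCESS, 101, "pts/2", "again", ":0", 986565060),
    pack_record(DEAD_PROCESS, 101, "pts/2", "", "", 986567160),
    pack_record(USER_PROCESS, 202, "{", "date", "", 986616540),
    pack_record(USER_PROCESS, 203, "|", "date", "", 986616600),
    pack_record(USER_PROCESS, 304, "pts/0", "again", "daisy.amnet.net.", 986667480),
])
```

Run it against a real file with `suspicious_entries(open("/var/log/wtmp", "rb").read(), set_of_passwd_users)`; the known-user set is best taken from /etc/passwd on the host being checked.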