[SunHELP] last command not working (topo's corrected)

Fabio fabio at crearium.com
Fri Oct 29 02:07:40 CDT 2004


Lund, Dennis wrote:

>We have an issue where the "last" command is NOT displaying accurate data.
>The command only displays login data from May 2004.
>
>The wtmpx file is updating when a user logs into the server, but logins from
>May 31st and earlier are the only logins displayed.
>
>Example:
>
>wallacc   pts/14       xxx.xxx.xxx.xxx    Mon May 31 15:20 - 15:29  (00:08)
>perryc    pts/14       xxx.xxx.xxx.xxx    Mon May 31 11:37 - 11:43  (00:06)
>perryc    pts/14       xxx.xxx.xxx.xxx    Mon May 31 08:58 - 10:57  (01:58) 
>
>I have run a few tests on another system:
>
>1. cat /dev/null wtmpx (last still works showing login data)
>2. cat /dev/null utmpx (last still works)
>3. cat /dev/null lastlog (last still works)
>
>  
>
Telnet or ssh to the machine, on the system, truss the login process to 
see if it attempts to log the session and gives an error.

It is also a typical scenario after an intruder rooted the machine.

Check inetd.conf to see what options are set when telnetd/sshd is executed.

ebar.
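
[Added example, not part of the original message or thread.] Both the symptom (new logins written but never shown by last) and the tampering scenario raised above can be narrowed down by checking the wtmpx file itself for structural damage. The sketch below assumes the 32-bit Solaris futmpx on-disk layout (372-byte big-endian records, ut_type values 0-10); the function names `make_rec` and `audit_wtmpx` are hypothetical and the sample records are constructed.

```python
import struct

# ASSUMPTION: 32-bit Solaris futmpx record, big-endian (SPARC), 372 bytes:
# user[32] id[4] line[32] pid type exit(2 x int16) pad tv_sec tv_usec
# session pad[5 x int32] syslen host[257] pad
REC = struct.Struct(">32s4s32sih2h2x2ii20xh257sx")
MAX_TYPE = 10  # ASSUMPTION: EMPTY(0) .. DOWN_TIME(10)

def make_rec(user, line, sec, typ=7, host=""):
    """Build one constructed record (typ 7 = USER_PROCESS) for testing."""
    return REC.pack(user.encode(), b"", line.encode(), 0, typ, 0, 0,
                    sec, 0, 0, len(host), host.encode())

def audit_wtmpx(data):
    """Return (offset, problem) findings for a raw wtmpx image."""
    findings = []
    tail = len(data) % REC.size
    if tail:
        # A partial record shifts every later read off the record boundary.
        findings.append((len(data) - tail,
                         "trailing %d bytes: partial record" % tail))
    prev = None
    for off in range(0, len(data) - tail, REC.size):
        raw = data[off:off + REC.size]
        if raw == b"\0" * REC.size:
            # Zeroed slots are what log-cleaning tools usually leave behind.
            findings.append((off, "all-zero record (blanked entry)"))
            continue
        typ, sec = REC.unpack(raw)[4], REC.unpack(raw)[7]
        if not 0 <= typ <= MAX_TYPE:
            findings.append((off, "ut_type %d out of range: corrupt or misaligned" % typ))
        if prev is not None and sec < prev:
            # Also caused by clock changes: a lead to investigate, not proof.
            findings.append((off, "timestamp goes backwards by %ds" % (prev - sec)))
        prev = sec
    return findings

if __name__ == "__main__":
    # Constructed image: two good records, a blanked one, an out-of-order
    # one, and four stray bytes at the end.
    image = (make_rec("perryc", "pts/14", 1086000000)
             + make_rec("wallacc", "pts/14", 1086010000)
             + b"\0" * REC.size
             + make_rec("perryc", "pts/14", 1085000000)
             + b"junk")
    for offset, problem in audit_wtmpx(image):
        print("offset %6d: %s" % (offset, problem))
```

On a live system, run it against a copy of the file, for example `audit_wtmpx(open("wtmpx.copy", "rb").read())`.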


