
Re: [cobalt-users] Last logins



On Fri, 19 Jan 2001, Hans van Kilsdonk wrote:

> Hi everyone!
> Here's a part of our last logins (last -50 -a):
> 
> rides1   pts/2        Thu Jan 18 20:14 - 20:16  (00:02)     <hostname>
> trechter pts/2        Thu Jan 18 20:04 - 20:04  (00:00)     <hostname>
...

> Can someone explain if this "intruder" has been in our system? And how can I
> check what he did?

Most likely, login doesn't associate a username with a process until
after login has been completed, same for ftp except anonymous...

I'd start with xferlog and see if anything interesting was
uploaded...assuming you still have any logs ...

Using find to find files that are recent for userid is often interesting..

I'd also look at the machine you ssh from, ssh is considerably weakened if
someone has access to the matching keys..or if you set it up to not need a
password...
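
The two checks suggested in this reply (uploads recorded in xferlog, and recently changed files owned by the account), as an added example that is not part of the original message. It assumes the standard wu-ftpd/ProFTPD xferlog field order; the function names, file paths and sample log lines are constructed here, and only the two usernames come from the quoted `last` output.

```sh
#!/bin/sh
# Assumed xferlog layout (whitespace-separated fields):
#   1-5 date, 6 transfer seconds, 7 remote host, 8 bytes, 9 filename,
#   10 type, 11 action flag, 12 direction (i = incoming, o = outgoing),
#   13 access mode, 14 username, 15 service, ...

# Print date, remote host, size and filename for every upload by USER.
# Usage: xferlog_uploads LOGFILE USER   (LOGFILE "-" reads stdin)
xferlog_uploads() {
    awk -v u="$2" '$12 == "i" && $14 == u {
        printf "%s %s %s %s %s  %s  %s  %s\n", $1, $2, $3, $4, $5, $7, $8, $9
    }' "$1"
}

# List regular files under DIR owned by USER (name or numeric uid)
# that were modified within the last DAYS days.
# Usage: recent_files_for_user DIR USER DAYS
recent_files_for_user() {
    find "$1" -xdev -type f -user "$2" -mtime "-$3" -print 2>/dev/null
}

# Constructed sample log lines (not taken from the thread).
sample_xferlog() {
    cat <<'EOF'
Thu Jan 18 20:04:31 2001 1 host.example.net 20480 /home/trechter/upload.tgz b _ i r trechter ftp 0 * c
Thu Jan 18 20:04:50 2001 1 host.example.net 512 /home/trechter/index.html a _ o r trechter ftp 0 * c
Thu Jan 18 20:15:02 2001 3 host.example.net 90112 /home/rides1/data.tar b _ i r rides1 ftp 0 * c
EOF
}

# Demo on the constructed sample: only the incoming transfer is listed.
sample_xferlog | xferlog_uploads - trechter
```

On a live system the first argument would be the real log path (commonly `/var/log/xferlog`) and the second call would be pointed at the account's home directory and any world-writable directories.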