[CLUE-Tech] who command, what it says
Dave Price
davep at kinaole.org
Fri Aug 2 08:15:49 MDT 2002
fyi - years ago we got hacked on a red hat system - the who command left
by the hackers was a trojan - did not show the hacked logins
aloha,
dave
On Thu, Aug 01, 2002 at 06:12:33PM -0600, David Anselmi wrote:
> Kevin Cullis wrote:
> > David,
> >
> > The below "listing" was just an example, not the actual stuff. The ???
> > DOES have his name show up and there are different login times for each.
>
> IIRC, who and w read out of the utmp file which records logins and
> logouts. I'm not sure of the details, but I think it is possible for
> utmp entries to be left around after a user is gone giving you
> inaccurate output. Just another possibility.
>
> Well, ok, utmp(5) says that init handles these entries so I guess you'd
> have to have a system crash and not clean up utmp on reboot to get it
> out of whack. Oh well.
>
> BTW, if something were left running to spy on you, it probably wouldn't
> have a utmp entry. Take a look at the utmp man page, kind of cool.
>
> Dave
>
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
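An added example (not part of the original posts): reading utmp records directly instead of trusting the `who` binary, and flagging login entries whose process no longer exists, the stale-entry case described in the quoted reply. It assumes the glibc record layout on Linux x86-64 (384-byte records) and the `/var/run/utmp` path; the helper names are hypothetical.

```python
import os
import struct

# Assumed layout: glibc struct utmp on Linux x86-64 (384 bytes per record).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type value for a normal login session


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per complete record in a raw utmp byte string."""
    records = []
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({"type": f[0], "pid": f[1], "line": _text(f[2]),
                        "user": _text(f[4]), "host": _text(f[5]),
                        "time": f[9]})
    return records


def pid_alive(pid):
    """True if a process with this PID exists (Linux /proc check)."""
    return pid > 0 and os.path.exists("/proc/%d" % pid)


def stale_logins(records, alive=pid_alive):
    """Login entries whose recorded process no longer exists."""
    return [r for r in records
            if r["type"] == USER_PROCESS and not alive(r["pid"])]


def make_record(ut_type, pid, line, user, host, when):
    """Build a constructed record for testing (not real data)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0, b"")


if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as fh:
        for r in stale_logins(parse_utmp(fh.read())):
            print("stale:", r["user"], r["line"], r["pid"])
```

This only cross-checks what utmp records: a process that never wrote a utmp entry will not appear, and the file itself can be altered by anyone with root on the host.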