Hi,
Reply on 03-01-2007 17:46:56 <<<
> Hi All,
> This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?

To be sure that 'who' is the program you expect, I would first try to rpm -q --verify coreutils (this will give some output in case some files out of coreutils, to which 'who' belongs, were modified).
In case I would STILL be in doubt (so the above command did not give any output), you can always post the md5sum of your who binary and have it compared by somebody else.
Don't forget to mention exactly what version of SuSE (version, arch) and update state (in case coreutils got updated once for your version of suse).

Regards,
Dominique
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday 03 January 2007 10:49, Dominique Leuenberger wrote:
> to be sure that 'who' is the program you expect, I would first try to rpm -q --verify coreutils

Thanks a lot, Dominique! I attempted this but rpm wouldn't return 'coreutils' when I tried searching for '--whatprovides who' even after several iterations. ;-)

> you can always post the md5sum of your who binary

I'll do this in a little bit... I'm busy trying to 'spruce up' a fresh 10.2 installation so I can move into it permanently. :-)

I do very much appreciate your reply and happy new year!

Carl
On Wed, 2007-01-03 at 16:49 +0100, Dominique Leuenberger wrote:
> Hi,
> Reply on 03-01-2007 17:46:56 <<<
> > Hi All,
> > This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
> to be sure that 'who' is the program you expect, I would first try to rpm -q --verify coreutils (this will give some output in case some files out of coreutils, to which 'who' belongs, were modified).
> In case I would STILL be in doubt (so the above command did not give any output), you can always post the md5sum of your who binary and have it compared by somebody else.

554dd55cc223db9293f056da85ca1891 /usr/bin/who
is from my 10.0 32bit system

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
On Wednesday 03 January 2007 13:17, Kenneth Schneider wrote:
> 554dd55cc223db9293f056da85ca1891 /usr/bin/who
> is from my 10.0 32bit system

Thanks, Ken. It matches mine. I'm still 'poking around' in 10.2 so I think the forensics on the 10.0 situation will be delayed until tonight. I'll post what I find then.

regards,
Carl
participants (3): Carl Hartung, Dominique Leuenberger, Kenneth Schneider
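
The check discussed in this thread, as an added example that is not code from any of the posters: it finds the package owning a binary by path with rpm -qf, filters rpm -V output down to non-config files that are missing or whose digest or permissions changed, and prints the md5sum for comparison. The function names and the sample rpm -V lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. rpm -V flag columns:
# S size, M mode, 5 digest, D device, L link, U user, G group, T mtime.

# Filter `rpm -V` output on stdin down to findings worth a closer look.
# Config files (marker "c") are skipped because local edits to them are normal.
# Limitation: paths containing spaces are not handled.
flag_modified() {
    awk '
        { path = $NF; marker = (NF == 3) ? $2 : "" }
        marker == "c"           { next }
        $1 == "missing"         { print "MISSING " path; next }
        substr($1, 3, 1) == "5" { print "CHANGED " path }
        substr($1, 2, 1) == "M" || substr($1, 6, 1) == "U" ||
        substr($1, 7, 1) == "G" { print "PERMS " path }
    '
}

# Verify the package owning a command, e.g. `verify_owner who`.
# The owner is looked up by file path (rpm -qf), not by capability name.
verify_owner() {
    bin=$(command -v "$1") || { echo "no such command: $1" >&2; return 2; }
    pkg=$(rpm -qf "$bin") || { echo "$bin: no owning package" >&2; return 2; }
    echo "$bin belongs to $pkg"
    rpm -V "$pkg" | flag_modified
    md5sum "$bin"   # compare with a known-good system of the same version/arch
}

# Constructed sample of rpm -V output, so the filter can be run offline.
sample_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/who
.M.......    /usr/bin/passwd
missing      /usr/bin/last
.......T.  d /usr/share/doc/packages/coreutils/README
EOF
}

sample_verify_output | flag_modified
```

A clean result produced by tools on the suspect system itself is weak evidence, since rpm, md5sum and the RPM database could have been altered as well; the comparison against a second machine that the thread ends with is the stronger check.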