Mailinglist Archive: opensuse (3531 mails)

Re: [opensuse] errant 'who' behavior
  • From: Carl Hartung <suselinux@xxxxxxxxxxxxx>
  • Date: Wed, 3 Jan 2007 20:26:21 -0500
  • Message-id: <200701032026.21718.suselinux@xxxxxxxxxxxxx>
On Wednesday 03 January 2007 10:27, Carl Hartung wrote:
<snipped; I'm replying to all who responded to my original post>

Hi All,

I'd forgotten I'd turned off sshd and apache2 immediately after the incident
and only begun firing them up when needed. There must be an unknown mechanism
affording access to the system. :-(

With respect to today's tests:

First, after booting back into 10.0, 'who' was working correctly. (!?)
After seeing this, I didn't bother checking the status of /var/run/utmp.

Remote administration was still disabled in the router, its firewall settings
were still where I'd set them and my very long & complex 'Admin' names and
password were still intact. I'm beginning to suspect some kind of "inside
attack" is being routed through the M$ box that is sharing this connection.

I saw nothing unusual with "last", "w" or "alias".

The md5sum of my /usr/bin/who matched the one posted by Ken Schneider so it
appears to be the 'stock' binary (thanks, Ken!)

Have I missed anything? I do appreciate all the great feedback today, so
thanks again!

Carl