Mailinglist Archive: opensuse (3531 mails)

< Previous Next >
Re: [opensuse] errant 'who' behavior
  • From: Kenneth Schneider <suse-list3@xxxxxxxxxxxxx>
  • Date: Wed, 03 Jan 2007 10:43:12 -0500
  • Message-id: <1167838992.29079.27.camel@xxxxxxxxxxxxxxxxx>
On Wed, 2007-01-03 at 10:27 -0500, Carl Hartung wrote:
> Hi All,
>
> This is actually a two part question. a) Is there a 100% proof-positive way to
> determine if someone has previously broken into a system via ssh... before
> remote root logins were disabled and a weak password replaced... and b) how
> do I correct the apparent inability of 'who', given any parameters, to return
> something more informative than just a prompt?
>
> Copied & pasted examples:
> (note: root has logged into console tty1 after the user has logged into his
> desktop on tty7, then root has logged in again via shell on the user's
> desktop.)
>

> Additional info:
>
> > linux:~ # which who
> > /usr/bin/who
>
> > linux:~ # l /usr/bin/who
> > -rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
>
> > linux:~ # file /usr/bin/who
> > /usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
> > GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
>
> All ideas/hints gratefully appreciated and a happy new year to all of you!
>

Try the "w" command (without the quotes) and see what it returns. Also
type alias to make sure the an alias has not been introduced into the
system.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References