Mailinglist Archive: opensuse (3531 mails)

Re: [opensuse] errant 'who' behavior
  • From: Kenneth Schneider <suse-list3@xxxxxxxxxxxxx>
  • Date: Thu, 04 Jan 2007 07:54:13 -0500
  • Message-id: <1167915253.29079.39.camel@xxxxxxxxxxxxxxxxx>
On Wed, 2007-01-03 at 20:26 -0500, Carl Hartung wrote:
> On Wednesday 03 January 2007 10:27, Carl Hartung wrote:
> <snipped; I'm replying to all who responded to my original post>
>
> Hi All,
>
> I'd forgotten I'd turned off sshd and apache2 immediately after the incident
> and only begun firing them up when needed. There must be an unknown mechanism
> affording access to the system. :-(

If you even slightly suspect some problem I highly recommend saving any
data you can and doing a fresh install on this machine. Better to be
safe than sorry.

>
> With respect to today's tests:
>
> First, after booting back into 10.0, 'who' was working correctly. (!?)
> After seeing this, I didn't bother checking the status of /var/run/utmp
>
> Remote administration was still disabled in the router, its firewall settings
> were still where I'd set them and my very long & complex 'Admin' names and
> password were still intact. I'm beginning to suspect some kind of "inside
> attack" is being routed through the M$ box that is sharing this connection.
>
> I saw nothing unusual with "last", "w" or "alias".

If the [u,w]tmp file is corrupt in any way you will get faulty results
when using these commands. Perhaps you fixed the problem by either
zeroing out the file with "> /var/log/[u,w]tmp" or by deleting it which
caused it to be recreated.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
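
The corruption described in the reply above can be checked for directly instead of being inferred from odd 'who' output. The following is an added example, not part of the original message: it walks a utmp/wtmp image record by record and reports structural damage. It assumes glibc's 384-byte Linux record layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Assumption: glibc's 384-byte struct utmp as used on Linux x86/x86_64.
# Fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host,
#         exit status (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6, unused.
REC = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
VALID_TYPES = range(0, 10)      # EMPTY (0) through ACCOUNTING (9)
USER_PROCESS = 7

def make_record(ut_type, pid, line, user, host, sec):
    """Build one constructed record for the demo data below."""
    return REC.pack(ut_type, pid, line, b"", user, host,
                    0, 0, 0, sec, 0, 0, 0, 0, 0)

def check_utmp(data):
    """Return (record_index, problem) findings for a utmp/wtmp byte image."""
    findings = []
    whole, tail = divmod(len(data), REC.size)
    if tail:
        findings.append((whole, f"{tail} trailing bytes: truncated or misaligned record"))
    for i in range(whole):
        raw = data[i * REC.size:(i + 1) * REC.size]
        ut_type, _pid, _line, _id, user, *_rest = REC.unpack(raw)
        if raw == bytes(REC.size):
            # A fully blanked slot is unusual in wtmp and worth a closer look.
            findings.append((i, "all-zero record"))
        elif ut_type not in VALID_TYPES:
            findings.append((i, f"invalid ut_type {ut_type}"))
        elif ut_type == USER_PROCESS and not user.rstrip(b"\0"):
            findings.append((i, "USER_PROCESS entry with empty user name"))
    return findings

# Constructed sample: two sane records, then four kinds of damage.
SAMPLE = (
    make_record(2, 0, b"~", b"reboot", b"", 1167800000)
    + make_record(7, 4242, b"pts/0", b"alice", b"192.0.2.10", 1167800100)
    + bytes(REC.size)                                   # blanked record
    + make_record(42, 1, b"pts/1", b"bob", b"", 1167800200)   # bad type
    + make_record(7, 4300, b"pts/2", b"", b"", 1167800300)    # no user
    + b"\x07\x00\x00"                                   # truncated tail
)

if __name__ == "__main__":
    for index, problem in check_utmp(SAMPLE):
        print(f"record {index}: {problem}")
```

To use it on a real system, read a copy of /var/run/utmp or /var/log/wtmp in binary mode and pass the bytes to check_utmp(); work on a copy so the original stays untouched as evidence.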
