On Wed, 2007-01-03 at 10:27 -0500, Carl Hartung wrote:
Hi All,
This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
Copied & pasted examples: (note: root has logged into console tty1 after the user has logged into his desktop on tty7, then root has logged in again via shell on the user's desktop.)
Additional info:
linux:~ # which who /usr/bin/who
linux:~ # l /usr/bin/who -rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
linux:~ # file /usr/bin/who /usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
All ideas/hints gratefully appreciated and a happy new year to all of you!
Try the "w" command (without the quotes) and see what it returns. Also type alias to make sure the an alias has not been introduced into the system. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org