On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
Hi All,
This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
...
All ideas/hints gratefully appreciated and a happy new year to all of you!
My previous answer was for part (a). For part (b) I'd check on /var/run/utmp. That file records current logins. Perhaps the file is missing or damaged. If it's missing, it should get recreated by a reboot. If it's corrupted, perhaps it should be removed and then you should reboot. Actually, a bit of quick Googling suggests that the proper way to correct a corrupted utmp is to copy /dev/null onto it (or otherwise effect its truncation) and not to reboot but merely to log out and in again.
regards,
Carl
Randall Schulz -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org