LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  12-05-2005, 01:08 PM  ivanatora
Can wtmp be modified?


One of my boxes has been hacked and now I'm trying to catch the intruder's address. I see logins when I use 'last', but I'm not sure if these records could be faked. I know 'last' takes its data from /var/log/wtmp and it's not normally readable data, but a kind of encrypted data. Can it be modified so 'last' lies?
 
#2  12-05-2005, 01:16 PM  int0x80
Yes. Several tools exist, such as dwipe, that can modify WTMP, UTMP, LASTLOG, and log directories to clean out the presence of an intruder.
 
#3  12-05-2005, 11:23 PM  Capt_Caveman
Chkrootkit (and I believe rkhunter) perform checks for wtmp deletion. They might be good places to start if you think your machine might have been compromised. If it has been compromised, then you might want to use a second (known clean) machine to sniff traffic to the potentially compromised machine. Trying to do it locally can be an uphill battle if it's been rooted and a rootkit was installed.

Could you explain in more detail why you are sure it's been hacked?
 
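To make the answers above concrete: wtmp is not encrypted, it is a flat array of fixed-size binary `struct utmp` records, which is exactly why it can be edited in place and why chkrootkit's wtmp check can look for the debris that leaves behind. The script below is an added example written for this thread; it is not code from the posts, from chkrootkit or from rkhunter. It assumes the glibc x86_64 record layout (384 bytes per record, 32-bit time fields), the function names `parse_wtmp`, `find_anomalies` and `make_record` are the example's own, and the wtmp bytes it runs on are constructed in the script (a boot, one normal session, then a record nulled out in place, a logout whose login entry was removed, a record with a timestamp earlier than the one before it, and a truncated trailing write).

```python
"""Parse a Linux wtmp file and flag the traces a log wiper tends to leave.

Added example for this thread, not code from chkrootkit or rkhunter.
Assumes the glibc x86_64 struct utmp layout (384-byte records with 32-bit
time fields); other architectures and libcs differ, so confirm the record
size before trusting the output on another platform.
"""
import struct
import sys

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{2 shorts}, ut_session, ut_tv{sec,usec},
# ut_addr_v6[4], 20 unused bytes.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8
OPENS_LINE = {5, 6, 7}  # INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> list:
    """Decode every whole record; a partial tail is left for find_anomalies."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({
            "offset": off, "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
            "zeroed": data[off:off + UTMP.size] == bytes(UTMP.size),
        })
    return records


def find_anomalies(data: bytes) -> list:
    """Return (offset, message) pairs for records that look tampered with.

    Null records and ordering problems are the kind of sign chkrootkit's
    wtmp check looks for; a wiper that rewrites and re-packs the whole
    file leaves none of them, so an empty result is not proof of integrity.
    """
    findings = []
    tail = len(data) % UTMP.size
    if tail:
        findings.append((len(data) - tail, "%d trailing bytes, not a whole record" % tail))
    open_lines = set()
    prev_time = None
    for r in parse_wtmp(data):
        if r["zeroed"]:
            findings.append((r["offset"], "all-null record (entry wiped in place)"))
            continue
        if r["type"] == EMPTY:
            findings.append((r["offset"], "ut_type cleared but fields remain; 'last' skips it"))
            continue
        if prev_time is not None and r["time"] < prev_time:
            findings.append((r["offset"], "timestamp earlier than previous record (%d < %d)"
                             % (r["time"], prev_time)))
        prev_time = r["time"]
        if r["type"] == BOOT_TIME:
            open_lines.clear()          # a reboot implicitly ends every session
        elif r["type"] in OPENS_LINE:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append((r["offset"], "logout on %s with no preceding login" % r["line"]))
            open_lines.discard(r["line"])
    return findings


def make_record(utype, pid, line, uid, user, host, tsec):
    """Pack one record the way login(1)/init would write it (for test data)."""
    return UTMP.pack(utype, pid, line.encode(), uid.encode(), user.encode(),
                     host.encode(), 0, 0, 0, tsec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, a normal session, then three tampered spots.
T0 = 1133800000
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.6.14", T0),
    make_record(USER_PROCESS, 1001, "pts/0", "ts/0", "ivan", "192.0.2.10", T0 + 100),
    make_record(DEAD_PROCESS, 1001, "pts/0", "ts/0", "", "", T0 + 500),
    bytes(UTMP.size),                                                    # wiped in place
    make_record(DEAD_PROCESS, 1002, "pts/1", "ts/1", "", "", T0 + 900),  # login entry removed
    make_record(USER_PROCESS, 1003, "pts/2", "ts/2", "bob", "203.0.113.5", T0 + 700),  # out of order
]) + b"\0" * 10                                                          # truncated write


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for off, msg in find_anomalies(blob):
        print("offset %6d: %s" % (off, msg))
```

Run it with no arguments to see the four findings on the constructed data, or point it at a copy of /var/log/wtmp taken from the suspect box and examined on the known-clean machine the third post recommends (a rootkit on the compromised host can hide or rewrite the file under you). Two caveats: the "logout with no preceding login" check fires legitimately at the start of a freshly rotated wtmp, where sessions from before rotation end, and a tool that removes records and rewrites the file cleanly produces none of these signs, so the file should be compared against other sources (syslog/auth logs, a remote syslog copy, a packet capture) rather than trusted on its own.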