Hi,

Last time when I tried to login into my server through ssh. I keyed my password four times, login failed every time. Eventually I logged into my system, I think the password I previously entered was correct. After I logged in, I found the lastlog file was newly created, and previous records got lost. But for other file like secure, there are some file with name like secure-20080101,... stile exist, only this lastlog file left one.

Just want to know does it indicate somebody got into my system? and how could I verify that?

Regards

As a standalone event it does not, IMHO. If you read 'man lastlog' you see it is a sparse file that must not be rotated, after all it only holds a set of volatile data, much like utmp, and not the kind of accounting wtmp holds.


Verify and correlate your other logs: wtmp (see 'man last'), btmp (if any, see 'man lastb'), faillog ('man faillog'), /var/log/secure for logins. For generic error messages see per daemon logs in /var/log/ and /var/log/messages. If SElinux is enabled see /var/log/messages (and /var/log/audit/audit.log if you run Auditd). If you have any doubts you best run your auditing from a booted Live CD and verify your installation first with 'rpm -qVa' ('man rpm' for explanation of output). Checking timestamps, shell history and more steps are in the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html which should be good to know anyway.