LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-10-2004, 11:13 PM   #1
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Rep: Reputation: 15
lastlog root entry


Hi. The other day I did a 'lastlog' and found an entry like the following:

Code:
root             pts/6    :0.0             Mon Nov 1  23:53:48 +0100 2004
Today the light went out and after I rebooted I did another 'lastlog', and the same entry appeared again. I also saw it with 'last':

Code:
# last -adix
[...]
root     pts/6        Mon Nov 1  23:53 - 23:53  (00:00)     0.0.0.0
[...]
The thing is I've never logged in as root. I have only used 'su' in terminals once logged as a normal user. Besides, on Nov. 1 at 23:53 the system was already running; it had been running for more than two hours since the last reboot that same day.

I also found a related entry with 'utmpdump':

Code:
utmpdump /var/log/wtmp
[...]
[7] [07422] [/6  ] [root    ] [pts/6       ] [:0.0                ] [0.0.0.0        ] 
[Mon Nov 01 23:53:48 2004 CET]
[...]
I haven't found any strange sign or abnormal behaviour lately. I'm using 'iptables' with a script that I think has the system more or less covered. Services are kept to a minimum, and the machine is not a server. 'chkrootkit' and file integrity checks have not triggered any alarm. 'lastb' didn't show anything either.

Where does this entry come from, then?

Any help will be greatly appreciated.
 
Old 11-11-2004, 11:51 AM   #2
ph34r3d
Member
 
Registered: Apr 2002
Location: Tamaqua, Pa
Distribution: Slackware. Gentoo 1.4rc3, RH9, Mandrake 9.1, Debian, FreeBSD, OpenBSD, Fedra Core 3 x86_64
Posts: 71

Rep: Reputation: 15
If you logged into root you would see that... from what I can see it looks like all 3 times you show are the same login attempt... did you happen to log into root at that specific time???
 
Old 11-11-2004, 03:07 PM   #3
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Original Poster
Rep: Reputation: 15
I've never logged in a session as root. Of course, I've run root shells from my normal user account by means of 'su', but if I'm not mistaken these don't go into 'wtmp'.

Yes, the three logs correspond to the same login attempt. Going into the logs from that day I see that I opened a 'su' shell at 23:48:57, but the time of the logs is 23:53:48.

Also, I've noticed that in the output of 'last' I have another login from Nov. 9, not from root but from my normal user account:

Code:
foobar   :0           Tue Nov  9 15:16 - crash (1+10:53)
But the system was already working that day. I rebooted on Nov. 1 and the machine continued working until there was a light cutoff today (Nov. 11) and I was forced to restart the machine. However, I am almost certain that on Nov. 9 around that time I logged out of KDE and logged in again immediately so that the system could run a bit fresher. Could this be the reason for this last entry? In that line it also says 'crash', even though the system didn't crash at that time...

Any hint regarding these two entries appreciated.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
lastlog - What is it, and how do I rotate it? ifm Linux - Newbie 9 04-22-2011 09:45 AM
no root entry on login screen of kde-3.3.2 tony yu Mandriva 1 12-18-2004 10:40 PM
Menu entry as root cento70 Mandriva 2 07-01-2004 04:05 AM
hosts entry for a lan unit with no dns entry linxtc Linux - Networking 1 10-03-2003 08:05 AM
How to fix fstab, when the problem is with the root entry oudent Linux - General 8 07-20-2002 01:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration