On Wed, 2007-01-03 at 10:27 -0500, Carl Hartung wrote:
> Hi All,
>
> This is actually a two part question. a) Is there a 100% proof-positive way to
> determine if someone has previously broken into a system via ssh... before
> remote root logins were disabled and a weak password replaced... and b) how
> do I correct the apparent inability of 'who', given any parameters, to return
> something more informative than just a prompt?
>
> Copied & pasted examples:
> (note: root has logged into console tty1 after the user has logged into his
> desktop on tty7, then root has logged in again via shell on the user's
> desktop.)
>
> Additional info:
>
> > linux:~ # which who
> > /usr/bin/who
>
> > linux:~ # l /usr/bin/who
> > -rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
>
> > linux:~ # file /usr/bin/who
> > /usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
> > GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
>
> All ideas/hints gratefully appreciated and a happy new year to all of you!
>

Try the "w" command (without the quotes) and see what it returns. Also type
alias to make sure an alias has not been introduced into the system.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
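Added example, not part of the original message: one way to carry out the alias check suggested above, and to extend it to shell functions, which can shadow `who` in the same way. The function names `how_resolved` and `check_cmd` are hypothetical; the expected path `/usr/bin/who` is the one shown by `which who` in the quoted message.

```shell
# Added example, not from the thread. Source this file into the interactive
# shell under examination: aliases and functions exist only in that shell.

# Print how NAME would be resolved: alias, function, builtin,
# path:<absolute file>, or missing.
how_resolved() {
    hr_name=$1
    # "alias NAME" succeeds only when an alias of that name is defined.
    if alias "$hr_name" >/dev/null 2>&1; then
        echo "alias"
        return 0
    fi
    hr_where=$(command -v "$hr_name" 2>/dev/null) || { echo "missing"; return 0; }
    case $hr_where in
        /*) echo "path:$hr_where" ;;
        *)  # Not a file on disk: a shell function, builtin or keyword.
            case $(type "$hr_name" 2>/dev/null) in
                *function*) echo "function" ;;
                *)          echo "builtin" ;;
            esac ;;
    esac
}

# Return 0 only if NAME resolves to the file EXPECTED; otherwise report
# what the shell would run instead and return 1.
check_cmd() {
    cc_how=$(how_resolved "$1")
    if [ "$cc_how" = "path:$2" ]; then
        echo "ok: $1 -> $2"
        return 0
    fi
    echo "CHECK: $1 resolves as '$cc_how', expected $2"
    return 1
}

# Usage in the interactive shell (path taken from the quoted message):
#   check_cmd who /usr/bin/who
```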
