On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
> Hi All,
>
> This is actually a two part question. a) Is there a 100%
> proof-positive way to determine if someone has previously broken into
> a system via ssh... before remote root logins were disabled and a
> weak password replaced... and b) how do I correct the apparent
> inability of 'who', given any parameters, to return something more
> informative than just a prompt?
>
> ...
>
> All ideas/hints gratefully appreciated and a happy new year to all of
> you!

My previous answer was for part (a).

For part (b) I'd check on /var/run/utmp. That file records current logins. Perhaps the file is missing or damaged. If it's missing, it should get recreated by a reboot. If it's corrupted, perhaps it should be removed and then you should reboot.

Actually, a bit of quick Googling suggests that the proper way to correct a corrupted utmp is to copy /dev/null onto it (or otherwise effect its truncation) and not to reboot but merely to log out and in again.

> regards,
>
> Carl

Randall Schulz
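A read-only check that could be run before truncating the file, added here as an example and not part of the original message: it classifies a utmp image as empty, truncated, malformed or intact and lists the login records `who` would print. It assumes the glibc/Linux record layout (384 bytes per record); the function names and the sample records are this example's own.

```python
import struct

# Assumption: glibc/Linux utmp layout, one 384-byte record per entry (utmp(5)).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7   # ut_type of the interactive logins that `who` lists
MAX_TYPE = 9       # highest defined ut_type (ACCOUNTING)


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only for the constructed sample below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def check_utmp(data):
    """Return (verdict, logins) for the raw bytes of a utmp file."""
    if not data:
        return "empty", []
    if len(data) % UTMP.size:
        return "truncated", []           # partial record at the end
    logins = []
    for off in range(0, len(data), UTMP.size):
        f = UTMP.unpack_from(data, off)
        if not 0 <= f[0] <= MAX_TYPE:
            return "malformed", []       # ut_type outside the defined range
        if f[0] == USER_PROCESS:
            logins.append((_text(f[4]), _text(f[2]), _text(f[5]), f[9]))
    return "ok", logins


# Constructed sample: a boot record followed by one login session.
SAMPLE = (make_record(2, 0, b"~", b"reboot", b"", 1167800000)
          + make_record(7, 4242, b"pts/0", b"carl", b"192.0.2.10", 1167823620))

if __name__ == "__main__":
    try:
        with open("/var/run/utmp", "rb") as fh:
            print(check_utmp(fh.read()))
    except FileNotFoundError:
        print(("missing", []))
```

A verdict of `empty` is what a freshly truncated file looks like until the next login; `truncated` or `malformed` corresponds to the corruption case described in the reply.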
