Date:      Thu, 12 Nov 1998 11:38:58 +1100
From:      "John Saunders" <john.saunders@scitec.com.au>
To:        "Steve Friedrich" <SteveFriedrich@Hot-Shot.com>
Cc:        "FreeBSD questions" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: wtmp
Message-ID:  <006701be0dd4$d5b83680$6cb611cb@saruman.scitec.com.au>
In-Reply-To: <199811111743.MAA02125@laker.net>

> >> > No. I have the file. I just want to remove a record that user XXX
> >> > logged in at the time A and logged out at the time B. To pretend that
> >> > he never did.
>
> This sounds like something a *cracker* would want to do. Why is anyone
> helping a *cracker* cover his tracks??

It's also something that a service provider may want to do.
Occasionally I create test accounts and log in with them
for debugging purposes. However I don't want to pollute
wtmp (which is used for accounting and billing) so I zap
the test entries when I'm done. I have also zapped user
wtmp entries from time to time so they don't get billed
for a session.

> I realize he may not be a *cracker*, just wanted to point out the
> possibility and warn that even if he's not, your solution could be
> valuable to a *cracker*.

If they were a real cracker they would know how to do this
themselves, it's not exactly rocket science. If they are the
type that downloads cracks from rootshell.org then they probably
have no idea what a wtmp file is. Also, if they get root access
they will no doubt act in a destructive way which will be easy
to detect (human nature).

Also most cracks that gain root don't leave wtmp entries around.
It's only access via login (guessed passwords) that does it. I
hope nobody uses easy to guess root passwords, if they do they
deserve being cracked (harsh I know).

Cheers.
--   .   +-------------------------------------------------------+
 ,--_|\  | John Saunders    mailto:John.Saunders@scitec.com.au   |
/  Oz  \ | SCITEC LIMITED   Phone +61294289563  Fax +61294289933 |
\_,--\_/ | "By the time you make ends meet, they move the ends." |
      v  +-------------------------------------------------------+

