https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648394#M742296 What is the file used to store the last login information about the user in HP-UX? (An alternate to /var/adm/lastlog in UNIX ) Thu, 13 Oct 2005 03:09:41 GMT Priya_5 2005-10-13T03:09:41Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648394#M742296 What is the file used to store the last login information about the user in HP-UX? (An alternate to /var/adm/lastlog in UNIX ) Thu, 13 Oct 2005 03:09:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648394#M742296 Priya_5 2005-10-13T03:09:41Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648395#M742297 /var/adm/wtmp which contains a record of all logins and logouts..<BR /><BR />-Arun Thu, 13 Oct 2005 03:12:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648395#M742297 Arunvijai_4 2005-10-13T03:12:19Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648396#M742298 Successful login informations are stored with /var/adm/utmp and bad login informations are stored in /var/adm/btmp.<BR /><BR />hth. Thu, 13 Oct 2005 03:14:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648396#M742298 Muthukumar_5 2005-10-13T03:14:11Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648397#M742299 It is /var/adm/wtmp not /var/adm/utmp :(<BR /><BR />hth. Thu, 13 Oct 2005 03:14:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648397#M742299 Muthukumar_5 2005-10-13T03:14:56Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648398#M742300 login service is storing into,<BR /><BR /> /var/adm/btmp History of bad login attempts<BR /> /var/adm/wtmp History of logins, logouts, and date changes<BR /><BR /><BR />To audit this you can use last / lastb. However, if you are having any different file then, use last or lastb with -f option as,<BR /><BR />Example:<BR /><BR /> # last -f /tmp/successlogin<BR /> # lastb -f /tmp/badlogin<BR /><BR />hth. Thu, 13 Oct 2005 03:18:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648398#M742300 Muthukumar_5 2005-10-13T03:18:19Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648399#M742301 For more information, <BR /># man last or man lastb <BR /><BR />-Arun Thu, 13 Oct 2005 03:22:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648399#M742301 Arunvijai_4 2005-10-13T03:22:09Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648400#M742302 Did you get answer for this? Is it /var/adm/wtmp file?<BR /><BR />I hope you are a newbie here. If the answer is correct then assign appropriate points.<BR /><BR />See this:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/helptips.do?#33" target="_blank">http://forums1.itrc.hp.com/service/forums/helptips.do?#33</A><BR /><BR />Every one in ITRC is great one and spending their time to share their GREAT technical skills to solve problem. ( I did not mean that it is me :)) ) <BR /><BR />Keep posting questions and assign points :)<BR /><BR />thx. Thu, 13 Oct 2005 04:16:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648400#M742302 Muthukumar_5 2005-10-13T04:16:29Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648401#M742303 Thanx for ur valuable info (also for the point assignment link) MuthuKumar... <BR /><BR />The answer you people gave helped me a little bit. Thank u very much. Thu, 13 Oct 2005 05:27:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648401#M742303 Priya_5 2005-10-13T05:27:17Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648402#M742304 I would like to thank Muthukumar for his spl efforts in teaching the formalities...<BR /><BR />In between I am sorry. As MuthuKumar said, I donot know anything about assigning points. Please donot reject my questions in the future for this issue.<BR /><BR /> Thu, 13 Oct 2005 05:33:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648402#M742304 Priya_5 2005-10-13T05:33:31Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648403#M742305 Priya, <BR />&gt;The answer you people gave helped me a little bit. Thank u very much.<BR /><BR />Please try to post full problem, so that we can discuss further in ITRC. <BR /><BR />-Arun <BR /><BR /> Thu, 13 Oct 2005 06:20:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648403#M742305 Arunvijai_4 2005-10-13T06:20:30Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648404#M742306 I am trying to use chkrootkit. There is a file named chklastlog.c where there is a hard code which refers the variable /usr/adm/lastlog. <BR />------------------------------------------<BR />#ifdef __FreeBSD__<BR />#define WTMP_FILENAME "/var/log/wtmp"<BR />#define LASTLOG_FILENAME "/var/log/lastlog"<BR />#endif<BR />#ifdef __OpenBSD__<BR />#define WTMP_FILENAME "/var/log/wtmp"<BR />#define LASTLOG_FILENAME "/var/log/lastlog"<BR />#endif<BR />#ifndef WTMP_FILENAME<BR />#define WTMP_FILENAME "/var/adm/wtmp"<BR />#endif<BR />#ifndef LASTLOG_FILENAME<BR />#define LASTLOG_FILENAME "/var/adm/lastlog"<BR />#endif<BR /> .<BR /> .<BR /> .<BR /><BR />Sinece there is no such file in hp-ux I need to replace a suitable file for that. Which one can I use? Is there any possibility to replace that? If I use /var/adm/wtmp as you people mentioned, I get irrelevant output.<BR /><BR />Thanx in Advance Thu, 13 Oct 2005 07:04:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648404#M742306 Priya_5 2005-10-13T07:04:44Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648405#M742307 Is it something like, <BR />#ifdef __HPUX__<BR />#ifndef WTMP_FILENAME "/var/adm/wtmp"<BR />#define WTMP_FILENAME "/var/adm/wtmp"<BR />#endif<BR /><BR />What output you get ? <BR /><BR />-Arun Thu, 13 Oct 2005 07:12:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648405#M742307 Arunvijai_4 2005-10-13T07:12:38Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648406#M742308 # ./chklastlog<BR />user root deleted or never logged from lastlog!<BR />user shyam deleted or never logged from lastlog!<BR />user rita deleted or never logged from lastlog!<BR />user reghu deleted or never logged from lastlog!<BR />user pranesh deleted or never logged from lastlog!<BR />user f deleted or never logged from lastlog!<BR />user rama deleted or never logged from lastlog!<BR />user kavitha deleted or never logged from lastlog!<BR />user deepa deleted or never logged from lastlog!<BR /><BR /><BR />I'am very much cruious to know what is the exact content of the files /var/adm/lastlog and /var/adm/wtmp. <BR /><BR />If these contents differs, can the entries in wtmp file really replace lastlog entries.<BR /><BR />Is this trial correct?<BR /> Fri, 14 Oct 2005 01:48:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648406#M742308 Priya_5 2005-10-14T01:48:54Z https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648407#M742309 You can try this, <BR /># cat /var/adm/wtmp | /usr/sbin/acct/fwtmp |more<BR /><BR />Also <BR />man wtmp<BR />man btmp<BR />man utmp<BR /><BR />should help. /var/adm/lastlog is not applicable to HP-UX.. <BR /><BR />-Arun Fri, 14 Oct 2005 01:55:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/chkrootkit-lastlog/m-p/3648407#M742309 Arunvijai_4 2005-10-14T01:55:20Z