
Re: chkrootkit lastlog

Priya_5
Occasional Advisor

chkrootkit lastlog

What is the file used to store the last login information about the user in HP-UX? (An alternate to /var/adm/lastlog in UNIX )
Arunvijai_4
Honored Contributor

Re: chkrootkit lastlog

/var/adm/wtmp, which contains a record of all logins and logouts.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Muthukumar_5
Honored Contributor

Re: chkrootkit lastlog

Successful login information is stored in /var/adm/utmp and bad login information is stored in /var/adm/btmp.

hth.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: chkrootkit lastlog

It is /var/adm/wtmp, not /var/adm/utmp :(

hth.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: chkrootkit lastlog

The login service stores into:

/var/adm/btmp History of bad login attempts
/var/adm/wtmp History of logins, logouts, and date changes

To audit this you can use last / lastb. However, if you have a different file, use last or lastb with the -f option, as in this

Example:

# last -f /tmp/successlogin
# lastb -f /tmp/badlogin

hth.
Easy to suggest when don't know about the problem!
Arunvijai_4
Honored Contributor

Re: chkrootkit lastlog

For more information,
# man last or man lastb

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Muthukumar_5
Honored Contributor

Re: chkrootkit lastlog

Did you get an answer for this? Is it the /var/adm/wtmp file?

I hope you are a newbie here. If the answer is correct then assign appropriate points.

See this:

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Everyone in ITRC is great and spends their time sharing their GREAT technical skills to solve problems. (I did not mean that it is me :))

Keep posting questions and assign points :)

thx.
Easy to suggest when don't know about the problem!
Priya_5
Occasional Advisor

Re: chkrootkit lastlog

Thanks for your valuable info (also for the point assignment link) MuthuKumar...

The answer you people gave helped me a little bit. Thank you very much.
Priya_5
Occasional Advisor

Re: chkrootkit lastlog

I would like to thank Muthukumar for his special efforts in teaching the formalities...

In between, I am sorry. As MuthuKumar said, I do not know anything about assigning points. Please do not reject my questions in the future for this issue.

Arunvijai_4
Honored Contributor

Re: chkrootkit lastlog

Priya,
>The answer you people gave helped me a little bit. Thank u very much.

Please try to post full problem, so that we can discuss further in ITRC.

-Arun

"A ship in the harbor is safe, but that is not what ships are built for"
Priya_5
Occasional Advisor

Re: chkrootkit lastlog

I am trying to use chkrootkit. There is a file named chklastlog.c where there is a hard-coded path which refers to the variable /usr/adm/lastlog.
------------------------------------------
#ifdef __FreeBSD__
#define WTMP_FILENAME "/var/log/wtmp"
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __OpenBSD__
#define WTMP_FILENAME "/var/log/wtmp"
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifndef WTMP_FILENAME
#define WTMP_FILENAME "/var/adm/wtmp"
#endif
#ifndef LASTLOG_FILENAME
#define LASTLOG_FILENAME "/var/adm/lastlog"
#endif
.
.
.

Since there is no such file in hp-ux I need to replace it with a suitable file. Which one can I use? Is there any possibility to replace that? If I use /var/adm/wtmp as you people mentioned, I get irrelevant output.

Thanks in advance
Arunvijai_4
Honored Contributor

Re: chkrootkit lastlog

Is it something like,
#ifdef __hpux            /* predefined by the HP-UX compilers */
#ifndef WTMP_FILENAME   /* #ifndef takes only the macro name, no value */
#define WTMP_FILENAME "/var/adm/wtmp"
#endif
#endif                   /* closes the #ifdef __hpux */

What output do you get?

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Priya_5
Occasional Advisor

Re: chkrootkit lastlog

# ./chklastlog
user root deleted or never logged from lastlog!
user shyam deleted or never logged from lastlog!
user rita deleted or never logged from lastlog!
user reghu deleted or never logged from lastlog!
user pranesh deleted or never logged from lastlog!
user f deleted or never logged from lastlog!
user rama deleted or never logged from lastlog!
user kavitha deleted or never logged from lastlog!
user deepa deleted or never logged from lastlog!


I am very curious to know what the exact contents of the files /var/adm/lastlog and /var/adm/wtmp are.

If these contents differ, can the entries in the wtmp file really replace lastlog entries?

Is this trial correct?
Arunvijai_4
Honored Contributor

Re: chkrootkit lastlog

You can try this,
# cat /var/adm/wtmp | /usr/sbin/acct/fwtmp |more

Also
man wtmp
man btmp
man utmp

should help. /var/adm/lastlog is not applicable to HP-UX.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
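To make the difference between the two files concrete, and to show what the "deleted or never logged from lastlog!" output above is actually checking, here is an added example (not chkrootkit's code and not from anyone in this thread): it reduces a constructed wtmp event stream to a per-user last-login table, then runs a chklastlog-style comparison against a constructed lastlog table. The record structs, sample data and function names are assumptions; real wtmp/lastlog layouts are platform specific and chklastlog matches by UID rather than by name.

```c
#include <string.h>
/* Constructed, simplified record layouts; real wtmp/lastlog structs are platform specific. */
enum { USER_PROC = 7, DEAD_PROC = 8 };             /* login / logout event types */
struct wtmp_rec    { int ut_type; char ut_user[9]; long ut_time; };
struct lastlog_rec { char ll_user[9]; long ll_time; };
#define MAXU 16

/* wtmp is an append-only event log, lastlog holds one record per user:
 * reduce the event stream to the newest login per user. Returns count or -1. */
int wtmp_to_lastlog(const struct wtmp_rec *w, int n, struct lastlog_rec *out) {
    int count = 0;
    for (int i = 0; i < n; i++) {
        if (w[i].ut_type != USER_PROC) continue;   /* logouts do not count */
        int j = 0;                                  /* find this user's slot */
        while (j < count && strcmp(out[j].ll_user, w[i].ut_user) != 0) j++;
        if (j == count) {                           /* first login seen for this user */
            if (count == MAXU) return -1;
            strcpy(out[j].ll_user, w[i].ut_user); out[j].ll_time = w[i].ut_time; count++;
        } else if (w[i].ut_time > out[j].ll_time) { /* newer login replaces older */
            out[j].ll_time = w[i].ut_time;
        }
    }
    return count;
}

/* chklastlog-style check: a user with a login in wtmp but no lastlog record is
 * reported, since wiping a user's lastlog entry leaves exactly that gap. */
int check_lastlog(const struct wtmp_rec *w, int n, const struct lastlog_rec *ll,
                  int nll, char missing[][9], int max) {
    struct lastlog_rec seen[MAXU];
    int nseen = wtmp_to_lastlog(w, n, seen), nmiss = 0;
    for (int i = 0; i < nseen; i++) {
        int found = 0;
        for (int j = 0; j < nll && !found; j++)
            found = strcmp(ll[j].ll_user, seen[i].ll_user) == 0;
        if (!found && nmiss < max) strcpy(missing[nmiss++], seen[i].ll_user);
    }
    return nmiss;
}

/* Constructed sample: shyam logged in, but lastlog has no record of it. */
static const struct wtmp_rec sample_wtmp[] = {
    { USER_PROC, "root", 1000 }, { DEAD_PROC, "root", 1100 }, { USER_PROC, "shyam", 1200 },
    { USER_PROC, "root", 1300 }, { DEAD_PROC, "shyam", 1350 } };
static const struct lastlog_rec sample_lastlog[] = { { "root", 1300 } };

int run_sample(char missing[][9], int max) {       /* returns number of users flagged */
    return check_lastlog(sample_wtmp, 5, sample_lastlog, 1, missing, max);
}
```

Running the sample flags only shyam; on a real system the same gap appears when lastlog was never written (as on HP-UX, which has no such file) or when an entry was removed, which is why feeding wtmp in place of lastlog reports every user.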