
telnet log?

 
SOLVED
lawrenzo_1
Super Advisor

telnet log?

Hello,

I am working a request for a user who wishes to know if anyone has killed any process on a server (hp100).

I logged onto hp100 and checked the lastb -R command to see who was logged on at the time stated. There was an oracle user on the system at that time.

The sh_history file has no kill command for the oracle user.

The lastb command shows that the oracle user logged on from hp101.

How can I find out who telnetted to hp100 from hp101 at a known time?

Many Thanks.

Lawzo
hello
8 REPLIES
Tony Scully_2
Valued Contributor

Re: telnet log?

You can log telnet sessions by running inetd with the -l option on, but this will only help you in the future. No way of tracing back I think.

Tony
You CAN do that on HP
Ian Kidd_1
Trusted Contributor
Solution

Re: telnet log?

lastb is for failed or "bad" login attempts. `last -R` would show successful logins. If nothing shows up in their shell history, perhaps they then used `su` to switch to another user? You can check /var/adm/syslog/syslog.log and see if that happened. Otherwise, the only way at this point that I can see is to start "backtracking": doing research on hp101 (checking last and syslog.log) and seeing where this will lead you. It'll be pretty tedious.
If at first you don't succeed, go to the ITRC
lawrenzo_1
Super Advisor

Re: telnet log?

OK, so I run last -R and I don't get the information for the date required:

The message is:

wtmp begins Tue May 17 04:00

How do I view previous logins?

Thanks
hello
Joseph Loo
Honored Contributor

Re: telnet log?

Hi,

As the others have mentioned, unless you have turned on logging for telnet connections in /var/adm/syslog/syslog.log (by using the "-l" option in INETD_ARGS in /etc/rc.config.d/netdaemon) or from /var/adm/btmp (bad login) and /var/adm/utmp (logins), you will not be able to view who has logged on before.

I would just like to know what permissions are granted for the 2 login attempt files:

# ll /var/adm/*tmp

Regards.
what you do not see does not mean you should not believe
lawrenzo_1
Super Advisor

Re: telnet log?

root:/var/adm # ll /var/adm/*tmp
-rw------- 1 root other 183120 May 17 21:05 /var/adm/btmp
-rw-r--r-- 1 adm adm 391 May 12 02:04 /var/adm/dtmp
-rw-rw-r-- 1 adm adm 3600 May 18 02:22 /var/adm/wtmp

How do I view previous login attempts prior to the info in the latest wtmp?

Thanks man
hello
Joseph Loo
Honored Contributor

Re: telnet log?

Hi,

The permissions granted for the login attempt files look alright, except what is /var/adm/dtmp?

The thing is that wtmp (logins) was probably "nulled", and thus your chances of finding who logged in on which day/time are quite slim, judging from the size of that file.

BTW, a user may execute a script with the kill command, thus .sh_history may not necessarily show that command.

Regards.
what you do not see does not mean you should not believe
Patrick Wallek
Honored Contributor

Re: telnet log?

The only way to view older logins is to restore wtmp from a backup.

Restore it to a different directory and then use fwtmp (I think) to convert the wtmp binary file into a regular readable text file.

Check the man page of fwtmp for details.
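
An added example, not part of any post in this thread: once restored wtmp copies from hp100 and hp101 have been converted to text with fwtmp, this Python script pairs login and logout records into sessions and performs the "backtracking" step by listing who was logged in on hp101 when the session into hp100 began. The column layout, the function names, and every sample record (users, source hosts, pids, times) are assumptions constructed for illustration, and it assumes the two hosts' clocks agree.

```python
import re

# ASSUMED fwtmp text layout (check against output on your own system):
#   user  id  line  pid  type  exit_term  exit_status  epoch  host  date...
REC = re.compile(r"^(?P<head>.*?)\s+(?P<pid>\d+)\s+(?P<type>\d+)\s+\d{4}\s+\d{4}"
                 r"\s+(?P<epoch>\d{9,10})\s*(?P<host>\S*)")
USER_PROCESS, DEAD_PROCESS = 7, 8   # utmp record types: login / logout

def sessions(fwtmp_text):
    """Pair login and logout records by pid into session dicts."""
    live, done = {}, []
    for line in fwtmp_text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        pid, typ, ts = m["pid"], int(m["type"]), int(m["epoch"])
        if typ == USER_PROCESS:
            live[pid] = {"user": m["head"].split()[0], "host": m["host"],
                         "start": ts, "end": None}
        elif typ == DEAD_PROCESS and pid in live:
            done.append({**live.pop(pid), "end": ts})
    return done + list(live.values())   # still-open sessions keep end=None

def active_at(sess, ts, host=None):
    """Sessions covering time ts, optionally only those from a given host."""
    return [s for s in sess if s["start"] <= ts
            and (s["end"] is None or ts <= s["end"])
            and host in (None, s["host"])]

def backtrack(target_wtmp, source_wtmp, event_ts, source_host):
    """Target sessions from source_host open at event_ts, each with the
    users who were logged in on the source host when that session began."""
    src = sessions(source_wtmp)
    return [(s["user"], s["start"],
             sorted({c["user"] for c in active_at(src, s["start"])}))
            for s in active_at(sessions(target_wtmp), event_ts, source_host)]

# Constructed sample records (not from the thread); epochs are UTC.
HP100 = """\
appuser  tb   pts/tb   2300  7 0000 0000 1116302700 hp205 Tue May 17 04:05:00 2005
oracle   ta   pts/ta   2201  7 0000 0000 1116303000 hp101 Tue May 17 04:10:00 2005
         ta   pts/ta   2201  8 0000 0000 1116304800 Tue May 17 04:40:00 2005
"""
HP101 = """\
akhan    t1   pts/t1    905  7 0000 0000 1116298800 pc09 Tue May 17 03:00:00 2005
         t1   pts/t1    905  8 0000 0000 1116302400 Tue May 17 04:00:00 2005
jsmith   t2   pts/t2    900  7 0000 0000 1116301800 pc17 Tue May 17 03:50:00 2005
mbrown   t3   pts/t3    910  7 0000 0000 1116303300 pc22 Tue May 17 04:15:00 2005
"""
```

Calling `backtrack(HP100, HP101, 1116303900, "hp101")` on the sample data (an event at 04:25) returns the oracle session together with the one hp101 user whose session covers its start time.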
lawrenzo_1
Super Advisor

Re: telnet log?

Thanks all, I have located the required file as we have a housekeeping script that makes a copy.
hello