[14840] in Hotline Meeting
Foul play???
daemon@ATHENA.MIT.EDU (zchi@Athena.MIT.EDU)
Sun Apr 4 18:33:39 1993
From: zchi@Athena.MIT.EDU
Date: Sun, 4 Apr 93 18:33:31 -0400
To: hotline@Athena.MIT.EDU
Hi, I left a message on your answering machine. It's about a
workstation in Cluster e51-007. The workstation name is e51-007-2.
I first noticed that finger shows *no one logged on*.
I got concerned. Then I did "ls -l /etc/utmp" and here's what I got.
lrwxrwxr-x 1 root 9 Mar 30 23:30 /etc/utmp@ -> /dev/null
This is foul play for sure, isn't it?
Then I did "last -20" and here's what I got:
zchi ttyqf :0.0 Sun Apr 4 17:35 still logged in
padmanab ttyqf :0.0 Sun Apr 4 16:42 - 17:35 (00:53)
lfm ttyp0 :0.0 Sun Apr 4 15:10 still logged in
apk ttyqf :0.0 Sun Apr 4 12:29 - 16:42 (04:12)
kimk ttyqf :0.0 Sun Apr 4 04:09 - 12:29 (08:20)
apk ttyqf :0.0 Sat Apr 3 20:14 - 04:09 (06:54)
apk ttyqf :0.0 Sat Apr 3 12:16 - 20:14 (07:57)
marx ttyqf :0.0 Sat Apr 3 03:44 - 12:16 (08:32)
wools ttyqf :0.0 Sat Apr 3 01:50 - 03:44 (01:53)
fikhatri ttyqf :0.0 Fri Apr 2 23:14 - 01:50 (02:36)
stuball ttyqf :0.0 Fri Apr 2 14:05 - 23:14 (09:09)
adamek ttyqf :0.0 Fri Apr 2 12:56 - 14:05 (01:08)
ndibongo ttyqf :0.0 Fri Apr 2 12:27 - 12:56 (00:29)
coe ttyqf :0.0 Fri Apr 2 12:04 - 12:27 (00:22)
wdempsey ttyqf :0.0 Fri Apr 2 11:04 - 12:04 (01:00)
xiaoming ttyqf :0.0 Fri Apr 2 10:16 - 11:04 (00:48)
raman ttyqf :0.0 Thu Apr 1 23:06 - 10:16 (11:09)
wools ttyqf :0.0 Thu Apr 1 22:41 - 23:06 (00:25)
chappy ttyqf :0.0 Thu Apr 1 20:21 - 22:41 (02:19)
dstoljar ttyqf :0.0 Thu Apr 1 15:37 - 20:21 (04:44)
This lfm guy caught my eye. He's apparently doing a remote login. I
am not sure if it is he who linked the /etc/utmp file to /dev/null.
But I strongly suspect he's playing around.
-- Zhihang Chi
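
The check described in the message above, written as a repeatable audit (an added example, not part of the original post): it classifies the session file without following symlinks and lists the sessions that `last` history still reports as open. The function names and the sample lines are constructed for illustration.

```python
import os
import stat

# Constructed sample in the format of the `last` output quoted in the message.
SAMPLE_LAST = """\
zchi ttyqf :0.0 Sun Apr 4 17:35 still logged in
padmanab ttyqf :0.0 Sun Apr 4 16:42 - 17:35 (00:53)
lfm ttyp0 :0.0 Sun Apr 4 15:10 still logged in
"""


def utmp_state(path):
    """Classify the session file without following symlinks."""
    try:
        mode = os.lstat(path).st_mode
    except FileNotFoundError:
        return ("missing", None)
    if stat.S_ISLNK(mode):
        return ("symlink", os.readlink(path))
    return ("regular" if stat.S_ISREG(mode) else "other", None)


def open_sessions(last_output):
    """Return (user, tty) for each `last` line marked 'still logged in'."""
    return [
        tuple(line.split()[:2])
        for line in last_output.splitlines()
        if line.rstrip().endswith("still logged in") and len(line.split()) >= 2
    ]


def audit(path, last_output):
    """List findings when the session file cannot hold records."""
    kind, target = utmp_state(path)
    if kind == "regular":
        return []
    detail = f" -> {target}" if target else ""
    findings = [f"{path} is {kind}{detail}, not a regular file"]
    for user, tty in open_sessions(last_output):
        findings.append(f"history shows {user} on {tty} still logged in")
    return findings


if __name__ == "__main__":
    # /etc/utmp is the path from the message; adjust for the system under audit.
    for finding in audit("/etc/utmp", SAMPLE_LAST):
        print(finding)
```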