[14971] in Hotline Meeting
m2-032-18
daemon@ATHENA.MIT.EDU (ylsul@Athena.MIT.EDU)
Fri Apr 9 11:35:56 1993
From: ylsul@Athena.MIT.EDU
To: op@Athena.MIT.EDU
Cc: hotline@Athena.MIT.EDU, carla@Athena.MIT.EDU, starflt@Athena.MIT.EDU
Date: Fri, 09 Apr 93 11:35:45 EDT
Hi!
I've checked this VAXstation, and it looks like user myev probably compromised
him(her?)self sometime in the past. S/he should have herm passwd changed
as soon as possible. Apart from wtmp logging that myev did indeed log in to
this machine, there don't seem to be any unseemly changes to m2-032-18.
As an aside, user dpolicar has been ftp'ing to this machine. See the end
of the output.
Doesn't look like this machine needs to be reinstalled either.
-y
Output follows:
m2-032-18# last | grep myev
myev ttyv0 :0.0 Thu Apr 8 12:28 - 12:32 (00:03)
m2-032-18# last | wc
425 4227 29610
m2-032-18# last -20
ylsul ttyv0 :0.0 Fri Apr 9 11:15 still logged in
root console Fri Apr 9 11:14 - 11:14 (00:00)
jayant ttyv0 :0.0 Thu Apr 8 18:55 - 08:19 (13:24)
gjnorga ttyv0 :0.0 Thu Apr 8 17:50 - 18:37 (00:46)
ngk ttyv0 :0.0 Thu Apr 8 17:22 - 17:40 (00:17)
tuan ttyv0 :0.0 Thu Apr 8 16:48 - 16:56 (00:08)
boiani ttyv0 :0.0 Thu Apr 8 16:24 - 16:45 (00:21)
delphini ttyv0 :0.0 Thu Apr 8 14:48 - 14:51 (00:02)
jmkohl ttyv0 :0.0 Thu Apr 8 14:29 - 14:39 (00:10)
tuan ttyv0 :0.0 Thu Apr 8 14:05 - 14:10 (00:04)
myev ttyv0 :0.0 Thu Apr 8 12:28 - 12:32 (00:03)
wwong ttyv0 :0.0 Thu Apr 8 10:33 - 10:46 (00:13)
yifen ttyv0 :0.0 Thu Apr 8 10:08 - 10:12 (00:03)
eli ttyv0 :0.0 Thu Apr 8 09:22 - 09:26 (00:03)
service ttyv0 :0.0 Thu Apr 8 08:04 - 08:20 (00:15)
reidmp ttyv0 :0.0 Wed Apr 7 13:02 - 16:32 (03:29)
katiel ttyv0 :0.0 Wed Apr 7 12:16 - 12:23 (00:07)
service ttyv0 :0.0 Wed Apr 7 08:38 - 08:44 (00:05)
sarazion ttyv0 :0.0 Wed Apr 7 07:13 - 07:17 (00:04)
sarazion ttyv0 :0.0 Wed Apr 7 06:24 - 06:30 (00:06)
m2-032-18# track -n -c
-n: what we WOULD do:
using /srvd/usr/athena/lib/slists/sys_rvd as subscription-list
using /srvd/usr/athena/lib/stats/sys_rvd as statfile
cleared lock /tmp/sys_rvd.started
Nothing interesting is in messages.
m2-032-18# cat sulog
Sep 18 18:17:16 m2-032-18 login: ROOT LOGIN console
Sep 18 18:17:23 m2-032-18 shutdown: halt by root:
Nov 18 20:16:27 m2-032-18 login: ROOT LOGIN on tty ttyv0
Jan 5 00:13:55 m2-032-18 login: ROOT LOGIN on tty ttyv0
Jan 5 00:18:20 m2-032-18 login: ROOT LOGIN on tty ttyv0
Jan 15 17:44:30 m2-032-18 su: mike on /dev/ttyp0
Jan 15 17:44:30 m2-032-18 su: successful: mike to root on /dev/ttyp0
Jan 15 17:44:55 m2-032-18 su: mike on /dev/ttyp0
Jan 15 17:44:55 m2-032-18 su: successful: mike to root on /dev/ttyp0
Jan 15 17:45:03 m2-032-18 su: successful: mike to mike on /dev/ttyp0
Jan 15 17:51:15 m2-032-18 su: mike on /dev/ttyp0
Jan 15 17:51:15 m2-032-18 su: successful: mike to root on /dev/ttyp0
Jan 15 17:52:29 m2-032-18 su: successful: mike to mike on /dev/ttyp0
Jan 29 09:56:14 m2-032-18 login: ROOT LOGIN on tty ttyv0
Jan 31 11:17:35 m2-032-18 login: ROOT LOGIN on tty ttyv0
Feb 16 15:04:58 m2-032-18 su: jfbanks on /dev/ttyp0
Feb 16 15:04:58 m2-032-18 su: successful: jfbanks to root on /dev/ttyp0
Apr 9 11:14:31 m2-032-18 login: ROOT LOGIN console
Apr 9 11:17:19 m2-032-18 su: ylsul on /dev/ttyp0
Apr 9 11:17:19 m2-032-18 su: successful: ylsul to root on /dev/ttyp0
m2-032-18# last | grep -v 0.0
reboot ~ Fri Mar 26 12:20
dpolicar ftp M2-032-1.MIT.EDU Mon Mar 15 10:33 - 10:43 (00:10)
dpolicar ftp M2-032-10.MIT.ED Fri Mar 12 21:25 - 21:54 (00:28)
dpolicar ftp M2-032-1.MIT.EDU Tue Mar 9 10:18 - 10:30 (00:12)
reboot ~ Fri Mar 5 09:18
wtmp begins Fri Mar 5 04:14
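A small triage helper, added here as an illustration and not part of the original hotline mail: it parses lines in the two formats quoted above (`last` session records from wtmp, and the sulog "ROOT LOGIN" / "su:" entries) and summarizes what the report checks by hand: sessions per user, sessions that came from a remote host rather than the local X display, console root logins, and which accounts successfully became root. The sample lines are constructed from the report's own output formats, and the function names are mine, not Athena tooling.

```python
import re
from collections import Counter

# Constructed sample input, in the formats of the `last` and sulog output above.
LAST_OUTPUT = """\
ylsul ttyv0 :0.0 Fri Apr 9 11:15 still logged in
root console Fri Apr 9 11:14 - 11:14 (00:00)
myev ttyv0 :0.0 Thu Apr 8 12:28 - 12:32 (00:03)
reboot ~ Fri Mar 26 12:20
dpolicar ftp M2-032-1.MIT.EDU Mon Mar 15 10:33 - 10:43 (00:10)
dpolicar ftp M2-032-10.MIT.ED Fri Mar 12 21:25 - 21:54 (00:28)
wtmp begins Fri Mar 5 04:14
"""

SULOG = """\
Jan 15 17:44:30 m2-032-18 su: mike on /dev/ttyp0
Jan 15 17:44:30 m2-032-18 su: successful: mike to root on /dev/ttyp0
Jan 15 17:45:03 m2-032-18 su: successful: mike to mike on /dev/ttyp0
Jan 29 09:56:14 m2-032-18 login: ROOT LOGIN on tty ttyv0
Apr 9 11:14:31 m2-032-18 login: ROOT LOGIN console
Apr 9 11:17:19 m2-032-18 su: successful: ylsul to root on /dev/ttyp0
"""

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

SU_SUCCESS = re.compile(r"su: successful: (\S+) to (\S+) on (\S+)")
SU_ATTEMPT = re.compile(r"su: (\S+) on (\S+)$")
ROOT_LOGIN = re.compile(r"login: ROOT LOGIN (.+)$")


def parse_last(text):
    """Parse BSD-style `last` output into session records.

    Reboot/shutdown pseudo-users and the trailing "wtmp begins" line are
    skipped.  The host column is optional: when the third token is a
    weekday name, the session had no host (e.g. the physical console).
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or line.startswith("wtmp begins"):
            continue
        if tokens[0] in ("reboot", "shutdown"):
            continue
        user, tty = tokens[0], tokens[1]
        host = "" if tokens[2] in WEEKDAYS else tokens[2]
        records.append({
            "user": user,
            "tty": tty,
            "host": host,
            # ":0.0" is the local X display, not a remote host.
            "remote": bool(host) and not host.startswith(":"),
            "still_logged_in": line.rstrip().endswith("still logged in"),
        })
    return records


def parse_sulog(text):
    """Parse sulog lines into root-login, su-attempt and su-success events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = " ".join(line.split()[:3])  # e.g. "Jan 15 17:44:30"
        m = SU_SUCCESS.search(line)
        if m:
            events.append({"time": stamp, "kind": "su_success",
                           "user": m.group(1), "target": m.group(2), "tty": m.group(3)})
            continue
        m = SU_ATTEMPT.search(line)
        if m:
            events.append({"time": stamp, "kind": "su_attempt",
                           "user": m.group(1), "target": None, "tty": m.group(2)})
            continue
        m = ROOT_LOGIN.search(line)
        if m:
            events.append({"time": stamp, "kind": "root_login",
                           "user": "root", "target": "root", "tty": m.group(1)})
    return events


def summarize(last_text, sulog_text):
    """Condense both sources into the facts a hotline triage would look at."""
    sessions = parse_last(last_text)
    events = parse_sulog(sulog_text)
    return {
        "sessions_by_user": dict(Counter(s["user"] for s in sessions)),
        "remote_sessions": [(s["user"], s["tty"], s["host"]) for s in sessions if s["remote"]],
        "root_logins": sum(1 for e in events if e["kind"] == "root_login"),
        "su_to_root": sorted({e["user"] for e in events
                              if e["kind"] == "su_success" and e["target"] == "root"}),
        "su_attempts_by_user": dict(Counter(e["user"] for e in events
                                            if e["kind"] == "su_attempt")),
    }


if __name__ == "__main__":
    for key, value in summarize(LAST_OUTPUT, SULOG).items():
        print(f"{key}: {value}")
```

On the report's machine this reproduces the two findings by hand: the single myev session on the local display, and dpolicar's ftp sessions as the only entries with a real remote host. The su-to-root list is what to compare against the set of people expected to hold root on a given workstation.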