
Re: User logins not appearing in wtmp?



On Wed, Jun 6, 2012 at 1:14 PM, Camaleón <noelamac@gmail.com> wrote:
> On Wed, 06 Jun 2012 11:36:09 -0300, francis picabia wrote:
>
>> Today I see from logwatch report 28 sshd logins from one user at an IP
>> address in a different continent than usually seen here.
>>
>> When I look up this user with last command to see if this is part of a
>> travel pattern or perhaps their account is compromised, I don't get any
>> matches. I've used last and last -f /var/log/wtmp.1 with the user name
>> and there are no matches.
>
> OpenSSH logins fall under "/var/log/auth*" logs.
>
>> Yet finger shows a login from Apr 24, which jives with their last
>> .bash_history update
>>
>> One way this could happen is by use of sftp/scp.  Is there a way to get
>> last to record these sessions as well?
>
> Mmm... any specific reason for wanting these logs available within
> wtmp? :-?

The natural thing to do when checking for last access is to use
the last command.  However, last shows no access for the
compromised account mentioned in the other thread.
The hackers use scp/sftp to remain under the radar.
It would be preferable if last did show scp/sftp sessions,
as this stage is when the hackers spend some days
investigating what they can do as the regular user.
I'd imagine the shell login would be used only when they
have some major action to undertake.
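As an added example (not code from this thread), the following script pulls out of the /var/log/auth* logs that Camaleón points to the information `last` cannot show: it lists every accepted sshd login for a user by source address and tags the ones followed by an sftp subsystem request, since those sessions never reach wtmp. It assumes OpenSSH's default-LogLevel messages (`Accepted ... for USER from IP`, `subsystem request for sftp by user USER`); scp sessions are not distinguished from shell logins at that level, the pairing of the two lines is an order-based heuristic because sshd logs them under different pids, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not from the thread); IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jun  6 09:02:11 host sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Jun  6 09:02:11 host sshd[4101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun  6 09:02:12 host sshd[4103]: subsystem request for sftp by user alice
Jun  6 09:02:40 host sshd[4101]: pam_unix(sshd:session): session closed for user alice
Jun  6 10:15:03 host sshd[4220]: Accepted password for alice from 203.0.113.9 port 41000 ssh2
Jun  6 10:15:03 host sshd[4220]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun  6 10:15:09 host sshd[4222]: subsystem request for sftp by user alice
Jun  6 11:00:00 host sshd[4300]: Accepted publickey for bob from 192.0.2.4 port 33000 ssh2
"""

ACCEPTED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                      r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SFTP = re.compile(r"subsystem request for sftp by user (?P<user>\S+)")


def parse_ssh_logins(text):
    """One record per accepted login, kind='sftp' when an sftp subsystem
    request by that user follows it. Heuristic: the request is attributed
    to the user's most recent login that has not been tagged yet."""
    logins = []
    pending = defaultdict(list)  # user -> indexes of logins not yet tagged
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            logins.append(dict(m.groupdict(), kind="shell/exec"))
            pending[m["user"]].append(len(logins) - 1)
            continue
        m = SFTP.search(line)
        if m and pending[m["user"]]:
            logins[pending[m["user"]].pop()]["kind"] = "sftp"
    return logins


def summarize(logins, user):
    """Per source IP: accepted logins, how many were sftp (invisible to
    `last`), and the authentication methods seen."""
    out = {}
    for r in logins:
        if r["user"] != user:
            continue
        entry = out.setdefault(r["ip"], {"logins": 0, "sftp": 0, "methods": set()})
        entry["logins"] += 1
        if r["kind"] == "sftp":
            entry["sftp"] += 1
        entry["methods"].add(r["method"])
    return out


if __name__ == "__main__":
    for ip, info in summarize(parse_ssh_logins(SAMPLE_AUTH_LOG), "alice").items():
        print(ip, info)
```

A source address whose logins are all sftp is exactly the case in the thread: activity in the auth logs with nothing in wtmp.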

