
Re: User logins not appearing in wtmp?



On Wed, 06 Jun 2012 14:07:38 -0300, francis picabia wrote:

> On Wed, Jun 6, 2012 at 1:14 PM, Camaleón <noelamac@gmail.com> wrote:

(...)

>>> One way this could happen is by use of sftp/scp.  Is there a way to
>>> get last to record these sessions as well?
>>
>> Mmm... any specific reason for wanting these logs available within
>> wtmp? :-?
> 
> The natural thing to do when checking for last access is to use the last
> command.  However, last shows no access for the compromised account
> mentioned in the other thread. The hackers use scp/sftp to remain under
> the radar. It would be preferable if last did show scp/sftp sessions, as
> this stage is when the hackers spend some days investigating what they
> can do as the regular user. I'd imagine the shell login would be used
> only when they have some major action to undertake.

Well, when using virtual users (i.e., users with no shell access) the 
usual thing is to look at the log file of the application that records 
the logins. For openssh these are the "/var/log/auth.log.*" files, and I 
don't know if there's a way of sending them to the wtmp facility.

Greetings,

-- 
Camaleón
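
An added example, not part of the original message: sshd writes a wtmp record only when a pty is allocated, so scp/sftp logins have to be recovered from auth.log, and this sketch builds a `last`-style listing from the "Accepted" lines. The sample log lines, host name, addresses and the `year` argument are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the usual sshd syslog layout (not from a real host).
SAMPLE_AUTH_LOG = """\
Jun  6 09:58:11 web1 sshd[4120]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Jun  6 09:58:11 web1 sshd[4120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun  6 09:58:12 web1 sshd[4122]: subsystem request for sftp
Jun  6 10:03:40 web1 sshd[4120]: pam_unix(sshd:session): session closed for user alice
Jun  6 10:20:05 web1 sshd[4301]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jun  6 10:20:09 web1 sshd[4301]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Jun  6 10:21:00 web1 cron[4400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
CLOSED = re.compile(r"session closed for user (\S+)")

def ssh_sessions(text, year=2012):
    """Return one record per accepted sshd authentication, in log order.

    Syslog timestamps carry no year, so the caller supplies it.
    Assumption: the 'Accepted' and 'session closed' lines share a PID.
    """
    sessions, open_by_pid = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line
        stamp, _host, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        acc = ACCEPTED.match(msg)
        if acc:
            method, user, src, _port = acc.groups()
            rec = {"user": user, "src": src, "method": method,
                   "login": when, "logout": None}
            sessions.append(rec)
            open_by_pid[pid] = rec
        elif CLOSED.search(msg) and pid in open_by_pid:
            open_by_pid.pop(pid)["logout"] = when
    return sessions

def report(sessions):
    """Format the records roughly the way last(1) prints wtmp entries."""
    return [f"{s['user']:<8} ssh  {s['src']:<15} {s['login']:%b %d %H:%M} - "
            + (f"{s['logout']:%H:%M}" if s["logout"] else "no close logged")
            + f"  ({s['method']})" for s in sessions]

if __name__ == "__main__":
    print("\n".join(report(ssh_sessions(SAMPLE_AUTH_LOG))))
```

On a real host, read the rotated "/var/log/auth.log.*" files in order and pass the year they cover.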

