7 Mar
2008
7 Mar
'08
11:21 a.m.
I found that the first character of login in the logout record of each login/logout pair missing, as illustrated by the attached file (logins and host ips changed with an hex editor to anonymize the data). This in contrast to the local wtmp file. I discovered this anomaly when I ran a perl script on radwtmp (which was designed to be ran on wtmp and used to find hackers - strange logins not found in the local password database). The native 'last' command operated on radwtmp with normal results, so I suspect 'last' uses as index the host field instead of the name field. I am running freeradius-1.1.7 and then freeradius-2.0.1 on FreeBSD 6.3-RELEASE, with the same results. Best Regards David