radwtmp
David WU
dyw at bsdos.iohk.com
Fri Mar 7 17:21:26 CET 2008
I found that the first character of the login is missing in the logout
record of each login/logout pair, as illustrated by the attached file
(logins and host IPs changed with a hex editor to anonymize the data).
This is in contrast to the local wtmp file.
I discovered this anomaly when I ran a Perl script on radwtmp (which was
designed to be run on wtmp and used to find hackers - strange logins not
found in the local password database).
The native 'last' command operated on radwtmp with normal results, so I
suspect 'last' uses the host field as its index instead of the name field.
I am running freeradius-1.1.7 and then freeradius-2.0.1 on FreeBSD
6.3-RELEASE, with the same results.
Best Regards
David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radwtmp
Type: application/octet-stream
Size: 352 bytes
Desc:
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080308/c804be9b/attachment.obj>
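
An added example, not part of the original post or of FreeRADIUS: a Python version of the kind of check described above (flagging logins absent from the local password database) that tolerates logout records whose name has lost its first character. It assumes the 44-byte BSD struct utmp layout (ut_line[8], ut_name[16], ut_host[16], 32-bit little-endian ut_time) and pairs records by the line field; the function names, sample records and user names are constructed.

```python
import struct

# Assumed record layout (classic BSD struct utmp, 44 bytes, little-endian):
# ut_line[8], ut_name[16], ut_host[16], 32-bit ut_time.
REC = struct.Struct("<8s16s16si")

def _s(raw):  # decode a NUL-padded fixed-width field
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse(data):
    """Yield (line, name, host, time) for every complete record."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        line, name, host, t = REC.unpack_from(data, off)
        yield _s(line), _s(name), _s(host), t

def naive_unknown(data, known):
    """Check every non-empty name field, logout records included."""
    return [n for _, n, _, _ in parse(data) if n and n not in known]

def audit(data, known):
    """Return (unknown logins, logout records carrying a truncated name)."""
    open_sessions = {}            # line -> name from the login record
    unknown, damaged = [], []
    for line, name, host, t in parse(data):
        prev = open_sessions.get(line)
        if prev is not None and name in ("", prev[1:]):
            if name:              # logout name = login name minus first char
                damaged.append((line, name))
            del open_sessions[line]
            continue
        if not name:              # logout or boot marker with no open login
            continue
        open_sessions[line] = name
        if name not in known:
            unknown.append((name, host, t))
    return unknown, damaged

def rec(line, name, host, t):     # helper to build constructed records
    return REC.pack(line.encode(), name.encode(), host.encode(), t)

# Constructed sample data: two sessions whose logout records have lost
# the first character of the name, as the post describes.
KNOWN = {"alice", "bob"}
SAMPLE = b"".join([
    rec("001:nas1", "alice", "192.0.2.10", 1204900000),
    rec("002:nas1", "mallory", "192.0.2.66", 1204900100),
    rec("001:nas1", "lice", "192.0.2.10", 1204903600),
    rec("002:nas1", "allory", "192.0.2.66", 1204903700),
])
```

On the sample, `naive_unknown` reports the two truncated logout names alongside the one genuinely unknown login, while `audit` reports only the unknown login and lists the truncated logout records separately.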