There are 3 important log files:
WTMP - every log on/off, with login/logout time plus tty and host
UTMP - who is online at the moment
LASTLOG - where did the logins come from
Every login via telnet, ftp, rlogin and on some systems rsh is written to these logs. It is VERY important that you delete yourself from those logfiles if you are hacking, because otherwise they
a) can see exactly when you did the hacking
b) from which site you came
c) how long you were online, and can calculate the impact
NEVER DELETE THE LOG FILES THEMSELVES!
That's the easiest way to show the admin that
a hacker was on the machine. Get a good program to modify the logs.
ZAP (or ZAP2) is often mentioned as the best - but in fact it isn't.
All it does is overwrite the last login data of the user with zeros.
CERT already released simple programs which check for those zeroed
entries, so that's an easy way to reveal the hacker to the admin too.
He'll know someone hacked root access and then all your work was worthless.
Another important thing about zap is that it doesn't report if it can't
find the log files - so check the paths first before compiling!
Get either a program which CHANGES the data (like CLOAK2) or a really
good one which DELETES the entries (like CLEAR).
Normally you must be root to modify the logs (except for old distributions
which have utmp and wtmp world-writable). But what if you didn't
manage to get root - what can you do? Not very much:
Do an rlogin to the computer you are on, to add a new unsuspicious LASTLOG
entry which will be displayed to the owner when he logs on next time.
So he won't get suspicious if he sees "localhost".
Many unix distributions have a bug in the login command: when you
execute it again after you have already logged on, it overwrites the
login-from field in the UTMP (which shows the host you are coming
from!) with your current tty.
Where are these log files by default located?
That depends on the unix distribution.
UTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log
on some old unix dists the lastlog data is written into $HOME/.lastlog
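The CERT-style checkers for zeroed entries mentioned above are easy to write yourself. The following Python script is an added example from the editor, not part of the original text: it parses a wtmp/utmp file and flags the records an admin would want to look at - zero-filled entries (the ZAP footprint), login entries with a blanked user or timestamp, interactive logins whose recorded host is "localhost" (the rlogin-to-yourself trick), and entries whose host field holds a tty name (the login re-exec bug). It assumes the 384-byte Linux glibc struct utmp layout; other Unix flavours and the older paths listed above use different record formats. The sample wtmp image is constructed inline so the script runs offline.

```python
import struct
from collections import namedtuple

# Assumption: Linux glibc 'struct utmp' (384 bytes per record) as used for
# utmp, wtmp and btmp under /var/run and /var/log on a modern Linux host.
# Other Unix flavours (and the older paths listed above) use different layouts.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384

EMPTY, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 0, 6, 7, 8

Record = namedtuple("Record", "index ut_type pid line id user host tv_sec zeroed")


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width char[] field."""
    return field.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data: bytes):
    """Split a raw utmp/wtmp image into Record tuples."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for i in range(len(data) // UTMP_SIZE):
        chunk = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append(Record(i, f[0], f[1], _cstr(f[2]), _cstr(f[3]),
                              _cstr(f[4]), _cstr(f[5]), f[9], not any(chunk)))
    return records


def find_suspicious(records):
    """Return (index, reason) pairs for entries an admin should look at."""
    findings = []
    for r in records:
        if r.zeroed:
            # A record overwritten with zeros: the classic 'zap' footprint.
            findings.append((r.index, "zero-filled record"))
        elif r.ut_type in (LOGIN_PROCESS, USER_PROCESS) and (not r.user or r.tv_sec == 0):
            # login(1) never writes a login entry without a user name or timestamp.
            findings.append((r.index, "login record with blanked user or timestamp"))
        elif r.ut_type == USER_PROCESS and r.host in ("localhost", "127.0.0.1", "::1"):
            # Interactive session that came 'from the machine itself' (rlogin-to-self).
            findings.append((r.index, "interactive login from localhost"))
        elif r.ut_type == USER_PROCESS and (r.host.startswith("tty") or r.host.startswith("pts/")):
            # Host field holding a tty name: the login re-exec bug described above.
            findings.append((r.index, "host field contains a tty name instead of a host"))
    return findings


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Build one raw record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: one clean login/logout pair, then four records
# showing the anomalies above.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "ts/0", "alice", "10.0.0.5", 1_000_000_000),
    make_record(DEAD_PROCESS, 1201, "pts/0", "ts/0", "", "", 1_000_003_600),
    b"\0" * UTMP_SIZE,                                                    # zapped entry
    make_record(USER_PROCESS, 1340, "pts/1", "ts/1", "bob", "localhost", 1_000_010_000),
    make_record(USER_PROCESS, 1400, "pts/2", "ts/2", "", "10.0.0.9", 0),  # blanked
    make_record(USER_PROCESS, 1500, "pts/3", "ts/3", "carol", "pts/3", 1_000_020_000),
])


def scan_file(path: str):
    """Parse a real wtmp/utmp file from disk and report suspicious entries."""
    with open(path, "rb") as fh:
        return find_suspicious(parse_utmp(fh.read()))


if __name__ == "__main__":
    for index, reason in find_suspicious(parse_utmp(SAMPLE_WTMP)):
        print("record %d: %s" % (index, reason))
```

Run it as-is to see the four findings on the constructed sample, or call scan_file("/var/log/wtmp") on a Linux host. Note that a record zeroed in the middle of wtmp is the only one of these that is unambiguous; the other three are worth a second look rather than proof of tampering, and on a live utmp (as opposed to wtmp) reused slots can legitimately be empty.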