Hello friends,
I'm getting scared when I read the following lines on my "last":
pep@montblanc:~> last
pep pts/1 Sun Feb 2 20:02 still logged in
pep pts/0 Sun Feb 2 20:00 still logged in
P***(*** ****P***h*** ********P******* Thu Jan 1 01:00 gone - no logout
pep pts/2 Sat Feb 1 23:43 - 23:44 (00:00)
pep pts/2 Sat Feb 1 23:35 - 23:37 (00:01)
pep pts/1 Sat Feb 1 23:34 - 23:44 (00:10)
simon pts/0 pooladsl-a-25-7. Sat Feb 1 22:55 - 01:14 (02:19)
camio pts/0 Sat Feb 1 20:59 - 21:55 (00:55)
P***h*** ****P***(*** ***** Thu Jan 1 01:00 gone - no logout
...
Does anyone have any idea where it comes from? I'm going to research in detail in every log file. Any suggestions about what to look for?
Thanks, Pep.
The last command uses the wtmp file (/var/log/wtmp). Unlike utmp, the
wtmp file is written to directly.
The wtmp file seems to have some corrupted entries. This could be the
result of an upgrade where a previous version of wtmp was used. Or, some
process was writing into wtmp.
My suggestion:
Zero the wtmp file. (remove it and touch it). If you see those entries
again try to track down the app that is corrupting it, such as a telnet
or ssh client.
On Sun, 2 Feb 2003 20:10:13 +0100, Pep Serrano wrote:
> Hello friends,
> I'm getting scared when I read the following lines on my "last":
> pep@montblanc:~> last
> pep pts/1 Sun Feb 2 20:02 still logged in
> pep pts/0 Sun Feb 2 20:00 still logged in
> P***(*** ****P***h*** ********P******* Thu Jan 1 01:00 gone - no logout
> pep pts/2 Sat Feb 1 23:43 - 23:44 (00:00)
> pep pts/2 Sat Feb 1 23:35 - 23:37 (00:01)
> pep pts/1 Sat Feb 1 23:34 - 23:44 (00:10)
> simon pts/0 pooladsl-a-25-7. Sat Feb 1 22:55 - 01:14 (02:19)
> camio pts/0 Sat Feb 1 20:59 - 21:55 (00:55)
> P***h*** ****P***(*** ***** Thu Jan 1 01:00 gone - no logout
> ...
> Does anyone have any idea where it comes from? I'm going to research in detail in every log file. Any suggestions about what to look for?
> Thanks, Pep.
Jerry Feldman
> Zero the wtmp file. (remove it and touch it).
Why two commands when one suffices? Just do an empty redirect:
    > /var/log/wtmp
Philipp
--
Philipp Thomas work: pthomas@suse.de
Development SuSE Linux AG private: pth@t-link.de
On Sun, 02 Feb 2003 23:50:39 +0100, Philipp Thomas wrote:
> Jerry Feldman [Sun, 2 Feb 2003 15:14:12 -0500]:
>> Zero the wtmp file. (remove it and touch it).
> Why two commands when one suffices? Just do an empty redirect:
>     > /var/log/wtmp
That works also.
I hope it's just a corrupted file. The first feeling you get from a bizarre
entry in your "last" is "they're in!" Anyway I keep a big eye open at the
moment.
So, in addition to checking every single log line, do you suggest a way to
track who is corrupting the wtmp?
Cheers,
Pep.
----- Original Message -----
From: "Jerry Feldman"
Zero the wtmp file. (remove it and touch it). If you see those entries again try to track down the app that is corrupting it, such as a telnet or ssh client.
On Mon, 3 Feb 2003 15:30:08 +0100, "Pep Serrano" wrote:
> I hope it's just a corrupted file. The first feeling you get from a bizarre entry in your "last" is "they're in!" Anyway I keep a big eye open at the moment.
> So, in addition to checking every single log line, do you suggest a way to track who is corrupting the wtmp?
That's not easy. I've actually done that. Compaq's Tru64 Unix changed
At 17:19 on Monday, 3 February 2003, Jerry Feldman wrote:
> On Mon, 3 Feb 2003 15:30:08 +0100, "Pep Serrano" wrote:
>> I hope it's just a corrupted file. The first feeling you get from a bizarre entry in your "last" is "they're in!" Anyway I keep a big eye open at the moment.
>> So, in addition to checking every single log line, do you suggest a way to track who is corrupting the wtmp?
> That's not easy. I've actually done that. Compaq's Tru64 Unix changed the layout between versions 4 and 5. (I was the guy who actually did that). One of our system admins was complaining that the last command was incorrect on our main server. We tracked the problem to an old version of the ssh daemon. There are only a limited number of utilities that write to wtmp. These are utilities that perform logins and logouts.
There is another one... netdate.
Praise
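An added example, not part of any message in this thread: a Python check that walks a wtmp file record by record and flags the kind of entries seen in the "last" output above (unprintable names, and a timestamp of 0, which "last" prints as Thu Jan 1 01:00 in a UTC+1 zone). The record layout (glibc struct utmp on x86-64 Linux, 384 bytes), the function names and the sample bytes are assumptions constructed for illustration.

```python
import string
import struct

# Assumption: glibc "struct utmp" as laid out on x86-64 Linux (384 bytes).
# Other platforms and older releases differ, so adjust REC before use.
REC = struct.Struct("<h2xi32s4s32s256s2h3i4i20s")
EMPTY = 0                                  # ut_type values run 0..9 in <utmp.h>
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def bad_text(field):
    """True if the text before the first NUL holds unprintable bytes."""
    return any(b not in PRINTABLE for b in field.partition(b"\0")[0])


def audit_wtmp(data):
    """Return [(record_index, [reasons])] for records that look corrupted."""
    findings = []
    for idx in range(len(data) // REC.size):
        f = REC.unpack_from(data, idx * REC.size)
        ut_type, line, user, host, tv_sec = f[0], f[2], f[4], f[5], f[9]
        reasons = []
        if not 0 <= ut_type <= 9:
            reasons.append("ut_type %d out of range" % ut_type)
        if ut_type != EMPTY and tv_sec == 0:
            reasons.append("timestamp is 0 (the epoch, 1 Jan 1970 UTC)")
        for name, field in (("line", line), ("user", user), ("host", host)):
            if bad_text(field):
                reasons.append("unprintable bytes in ut_%s" % name)
        if reasons:
            findings.append((idx, reasons))
    if len(data) % REC.size:
        findings.append((len(data) // REC.size, ["trailing partial record"]))
    return findings


def make_record(ut_type, user, line, host, tv_sec):
    """Build one constructed record for the demonstration (not real log data)."""
    return REC.pack(ut_type, 1234, line, b"", user, host,
                    0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed sample: one clean login, one garbled record, ten stray bytes.
SAMPLE = (make_record(7, b"pep", b"pts/1", b"", 1044212520)
          + make_record(7, b"P\x01\x02(\x7f", b"\x90\x90P", b"", 0)
          + b"\0" * 10)

if __name__ == "__main__":
    for idx, reasons in audit_wtmp(SAMPLE):
        print("record %d: %s" % (idx, "; ".join(reasons)))
```

To audit a real file, pass the bytes of a copy of /var/log/wtmp to audit_wtmp() before the file is zeroed, since truncating it discards the records being examined.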