Strange wtmp file
I checked my log to see who logged in lately and got something like this:

```
root@cthulhu:/var/log# last -n 15
lieven   pts/0        blueice3n1.uk.ib Fri Jul 29 14:36   still logged in
lieven   pts/1        blueice3n1.uk.ib Fri Jul 29 12:45 - 13:00  (00:15)
words    ify          ml               Thu Jul 19 20:16   gone - no logout
vers.men rmation.menu /kde-essential.m Wed Oct 22 18:03   gone - no logout
ppy.desk e.desktop    heet.ksp         Tue Jul 27 23:24   gone - no logout
itors.di tory         ents.directory   Wed Feb  2 07:49   gone - no logout
director directory    ettings-looknfee Mon Sep  5 21:33   gone - no logout
ilterwra p            esktop           Mon Feb 15 03:59   gone - no logout
dule.des desktop      pareviewpart.des Thu Jul 27 11:31   gone - no logout
sktop    prfilter.des rces_plugin.desk Fri Nov  4 21:11   gone - no logout
sktop    hprovider.de p                Tue Sep 12 21:58   gone - no logout
e.deskto a.desktop                     Thu Mar  9 12:20   gone - no logout
*sr      g.png        g                Tue May 28 19:20   gone - no logout
sd       .png         */entry.desktop  Thu Dec 29 01:18   gone - no logout
g        flag.png     qa               Wed Dec 28 07:06   gone - no logout

wtmp begins Tue Aug 15 07:27:12 1995
```

=> I don't see where all these strange entries come from. Anybody knows? Thanks. Lieven
Perhaps you should enlighten us with more details.. not knowing who's a valid user on your system and displaying wtmp output here, we'd assume all is ok...
And what type of system is this, public server or private (behind firewall), etc?
sorry, this is a private test server that is behind a rtr/fw
For clarity, I don't think there is someone messing around on my system (although I do not exclude that). To me, it looks like some program/process/whatever has been writing to my /var/log/wtmp file by error. Here I listed the last 15 lines with `last -n 15`, and the first two lines are regular logins:

```
root@cthulhu:/var/log# last -n 15
lieven   pts/0        blueice3n1.uk.ib Fri Jul 29 14:36   still logged in
lieven   pts/1        blueice3n1.uk.ib Fri Jul 29 12:45 - 13:00  (00:15)
...
```

but all the other lines look like rubbish:

```
...
words    ify          ml               Thu Jul 19 20:16   gone - no logout
vers.men rmation.menu /kde-essential.m Wed Oct 22 18:03   gone - no logout
ppy.desk e.desktop    heet.ksp         Tue Jul 27 23:24   gone - no logout
itors.di tory         ents.directory   Wed Feb  2 07:49   gone - no logout
director directory    ettings-looknfee Mon Sep  5 21:33   gone - no logout
ilterwra p            esktop           Mon Feb 15 03:59   gone - no logout
dule.des desktop      pareviewpart.des Thu Jul 27 11:31   gone - no logout
sktop    prfilter.des rces_plugin.desk Fri Nov  4 21:11   gone - no logout
sktop    hprovider.de p                Tue Sep 12 21:58   gone - no logout
e.deskto a.desktop                     Thu Mar  9 12:20   gone - no logout
*sr      g.png        g                Tue May 28 19:20   gone - no logout
sd       .png         */entry.desktop  Thu Dec 29 01:18   gone - no logout
g        flag.png     qa               Wed Dec 28 07:06   gone - no logout

wtmp begins Tue Aug 15 07:27:12 1995
```

=> Even the dates are not chronological like they should be. Just strange...
What programs are running? Is this some kind of development server? How many have physical and remote login access?
This is just my personal self-education server.
I always log in remotely to the ssh daemon. There are only a few other user accounts on this pc. About the programs, I have a ddclient running as daemon, apache2 server with php support, mysqld and that's it. (since I'm mostly occupied with my personal webpage) I don't have xwindows running, not even installed. But I have two backup scripts running, one that makes a full backup every friday and another one that makes a daily backup of every file that changed in the last 24 hours. The daily bu script has been corrupted or something I guess because when I checked it, I found following text in the file: (extract) etc/mtab^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@0000644^@0000000^@0000000^@000000 00331^@10270136416^@01243 2^@ 0^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ustar ^@root^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@root^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@0000000^@0000000 ^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@/dev/hda2 / ext3 rw 0 0 proc /proc proc rw 0 0 /dev/hda3 /home ext3 rw 0 0 /dev/hda4 /usr/local ext3 rw 0 0 devpts /dev/pts devpts rw,gid=5,mode=620 0 0 /dev/hdb1 /mnt/hdb ext3 rw 0 0 usbfs /proc/bus/usb usbfs rw 0 0 ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^ ... and so on for another page. 
For some reason it became like that. Originally it looked like this (at first I also made a backup of the whole /var directory, but I removed that because I don't think it makes any sense; it contained a lot of files that don't need to be backed up):

```bash
#!/bin/bash
echo "start incremental backup"
if [ ! -d /mnt/hdb/bu ]; then
    echo -n "creating bu directory... "
    mkdir /mnt/hdb/bu
    if [ "$?" -eq 0 ]; then
        echo "success"
    else
        echo "failed" >&2
        echo "cannot create /mnt/hdb/bu... stop script" >&2
        exit 1
    fi
fi
day=`date +%u%a%d%m%Y`
touch /mnt/hdb/bu/bulogerr_$day.txt
FILES="/etc,/mnt/hdb/bu/etc_incr_$day.tar
/home,/mnt/hdb/bu/home_incr_$day.tar
/root,/mnt/hdb/bu/root_incr_$day.tar
/usr/local/mysql/var,/mnt/hdb/bu/mysqldb_incr_$day.tar
/usr/local/apache2,/mnt/hdb/bu/apache2_incr_$day.tar"
for fl in $FILES; do
    set -- `echo $fl | tr , \ `
    echo -n "incremental backup $day : $1 ... "
    tar cvf $2 `find $1 -mtime -1 -type f` 1>/mnt/hdb/bu/bulog_$day.txt 2>>/mnt/hdb/bu/bulogerr_$day.txt
    if [ "$?" -eq 0 ]; then
        echo "success"
    else
        echo "failed"
    fi
done
echo "incremental backup $day done"
exit 0
```

=> I restored the original file now, works ok (tested). The bu script runs at the same time as the logrotate. Maybe it has to do with that? But the wtmp file is only rotated every month, as I could see in the config:

```
...
# Rotate /var/log/wtmp:
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
...
```

All other log files look intact; none of them has any strange entries like in the wtmp file.
edit: I am the only one with physical access; there still is a keyboard and screen attached to the pc but they're hardly ever used since it's an old bad screen. However, my cat tries to login on a regular basis but she never even gets the userid right. :-)
There are 7 accounts that can login but only 1 is regularly used; the others are rarely used and 1 of them is locked in a chroot cell, they only see their own home directory and only have the bash shell builtin cmds and some other small programs. All of the accounts belong to friends/family that I personally know and trust. They sometimes upload some small files, mostly text.
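A hardened form of the incremental backup loop posted above, added here as an example (it is not the poster's script) and assuming GNU tar and find. The posted `tar cvf $2 \`find $1 ...\`` line takes its archive name from an unquoted positional parameter: if `$2` is ever empty, tar treats the first file name that find prints as the archive to create and overwrites that file with tar data, a failure mode worth ruling out when a script and a log file both fill up with tar-looking content. The version below validates both arguments before tar runs, refuses an archive inside the source tree, skips an unchanged tree, and feeds file names to tar NUL-separated so names with spaces survive.

```shell
#!/bin/sh
# Hardened incremental backup helper (added example, not the poster's script).
# Assumes GNU tar and find; the demo paths are constructed in a temp dir.
set -u

# incr_backup SRC ARCHIVE: archive regular files under SRC changed in the
# last 24 h into ARCHIVE. Returns 0 on success or when nothing changed.
incr_backup() {
    src=${1-}
    archive=${2-}
    # With "tar cvf $2 `find ...`" and an empty $2, tar would take the first
    # file name find prints as the archive to CREATE and overwrite it.
    # Validate both arguments before tar ever sees them.
    [ -n "$src" ] && [ -d "$src" ] || { echo "bad source '$src'" >&2; return 2; }
    [ -n "$archive" ] || { echo "empty archive path for $src" >&2; return 2; }
    case "$archive" in
        "$src"/*) echo "refusing to write archive inside $src" >&2; return 2 ;;
    esac
    # Skip cleanly when nothing changed instead of handing tar an empty list.
    if [ "$(find "$src" -mtime -1 -type f | wc -l)" -eq 0 ]; then
        echo "nothing changed under $src, skipping"
        return 0
    fi
    # NUL-separated names survive spaces and newlines; -T - reads them from stdin.
    find "$src" -mtime -1 -type f -print0 | tar --null -cf "$archive" -T -
}

# archive_members ARCHIVE: list what actually landed in the archive.
archive_members() {
    tar -tf "$1"
}

# Stand-alone demo on a constructed temporary tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/bu"
    printf 'demo\n' > "$tmp/etc/file with space"
    incr_backup "$tmp/etc" "$tmp/bu/etc_incr_$(date +%u%a%d%m%Y).tar" \
        && archive_members "$tmp/bu"/*.tar
    incr_backup "$tmp/etc" "" || echo "empty archive path rejected (status $?)"
    rm -rf "$tmp"
}
demo
```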
Try running fsck and make sure your filesystem hasn't got corrupted.
hmmm, looks strange but not completely strange.
Looks like a security software writing logging in the wrong area, but it would be impossible to tell which one. Try clearing the log, or saving it and then clearing, and reboot with init 1, then check what logs are created.