LinuxQuestions.org
Linux - General > Strange wtmp file (https://www.linuxquestions.org/questions/linux-general-1/strange-wtmp-file-347992/)

ldp 07-29-2005 08:11 AM

Strange wtmp file
 
I checked my log to see who logged in lately and got something like this:

root@cthulhu:/var/log# last -n 15
lieven pts/0 blueice3n1.uk.ib Fri Jul 29 14:36 still logged in
lieven pts/1 blueice3n1.uk.ib Fri Jul 29 12:45 - 13:00 (00:15)
words ify ml Thu Jul 19 20:16 gone - no logout
vers.men rmation.menu /kde-essential.m Wed Oct 22 18:03 gone - no logout
ppy.desk e.desktop heet.ksp Tue Jul 27 23:24 gone - no logout
itors.di tory ents.directory Wed Feb 2 07:49 gone - no logout
director directory ettings-looknfee Mon Sep 5 21:33 gone - no logout
ilterwra p esktop Mon Feb 15 03:59 gone - no logout
dule.des desktop pareviewpart.des Thu Jul 27 11:31 gone - no logout
sktop prfilter.des rces_plugin.desk Fri Nov 4 21:11 gone - no logout
sktop hprovider.de p Tue Sep 12 21:58 gone - no logout
e.deskto a.desktop Thu Mar 9 12:20 gone - no logout
*sr g.png g Tue May 28 19:20 gone - no logout
sd .png */entry.desktop Thu Dec 29 01:18 gone - no logout
g flag.png qa Wed Dec 28 07:06 gone - no logout

wtmp begins Tue Aug 15 07:27:12 1995

=> ? I don't see where all these strange entries come from.
Anybody know?

thanks.
Lieven

trickykid 07-29-2005 10:07 AM

Perhaps you should enlighten us with more details... not knowing who's a valid user on your system and displaying wtmp output here, we'd assume all is ok...

And what type of system is this, public server or private (behind firewall), etc?

ldp 07-29-2005 11:21 AM

Sorry, this is a private test server that is behind a rtr/fw.
For clarity, I don't think there is someone messing around on my system (although I do not exclude that).
To me, it looks like some program/process/whatever has been writing to my /var/log/wtmp file by mistake.
Here I listed the last 15 lines with `last -n 15`
And the first two lines are regular logins:

root@cthulhu:/var/log# last -n 15
lieven pts/0 blueice3n1.uk.ib Fri Jul 29 14:36 still logged in
lieven pts/1 blueice3n1.uk.ib Fri Jul 29 12:45 - 13:00 (00:15)
...

but all the other lines look like rubbish:

...
words ify ml Thu Jul 19 20:16 gone - no logout
vers.men rmation.menu /kde-essential.m Wed Oct 22 18:03 gone - no logout
ppy.desk e.desktop heet.ksp Tue Jul 27 23:24 gone - no logout
itors.di tory ents.directory Wed Feb 2 07:49 gone - no logout
director directory ettings-looknfee Mon Sep 5 21:33 gone - no logout
ilterwra p esktop Mon Feb 15 03:59 gone - no logout
dule.des desktop pareviewpart.des Thu Jul 27 11:31 gone - no logout
sktop prfilter.des rces_plugin.desk Fri Nov 4 21:11 gone - no logout
sktop hprovider.de p Tue Sep 12 21:58 gone - no logout
e.deskto a.desktop Thu Mar 9 12:20 gone - no logout
*sr g.png g Tue May 28 19:20 gone - no logout
sd .png */entry.desktop Thu Dec 29 01:18 gone - no logout
g flag.png qa Wed Dec 28 07:06 gone - no logout

wtmp begins Tue Aug 15 07:27:12 1995

=> even the dates are not chronological like they should be

just strange...
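
An added check for the two symptoms ldp describes, record text that is not a login and dates that run backwards (example code written for this page, not from the thread). It parses raw wtmp records using the 384-byte glibc `struct utmp` layout of x86-64 Linux (an assumption; verify `sizeof(struct utmp)` on other architectures) and runs on constructed sample records, one of which is a slab of tar file-listing text where a record should be:

```python
import struct
from datetime import datetime, timezone

# glibc struct utmp as laid out on x86-64 Linux: 384 bytes per record.
# Assumed layout; check sizeof(struct utmp) before relying on it elsewhere.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
VALID_TYPES = range(0, 10)             # EMPTY (0) .. ACCOUNTING (9)

def field_ok(field: bytes):
    """Return (text, ok): ok is False for control bytes or text spilling past the NUL."""
    text, _, rest = field.partition(b"\x00")
    ok = rest.strip(b"\x00") == b"" and text.isascii() and text.decode().isprintable()
    return text, ok

def check_wtmp(data: bytes) -> list:
    """One finding per suspicious record; an empty list means the file looks sane."""
    findings, last_ts = [], 0
    for n, off in enumerate(range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE)):
        (typ, _pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        problems = []
        if typ not in VALID_TYPES:           # genuine records use 0..9 only
            problems.append(f"ut_type={typ}")
        for name, field in (("line", line), ("user", user), ("host", host)):
            text, ok = field_ok(field)
            if not ok:
                problems.append(f"{name}={text[:16]!r}")
        if tv_sec < last_ts:                 # wtmp is append-only; time must not go back
            problems.append(f"time goes backwards ({tv_sec} < {last_ts})")
        last_ts = max(last_ts, tv_sec)
        if problems:
            findings.append(f"record {n} @{off}: " + ", ".join(problems))
    return findings

def record(line: str, user: str, host: str, when: datetime) -> bytes:
    """Well-formed USER_PROCESS (type 7) record; constructed test data."""
    return struct.pack(UTMP_FMT, 7, 4242, line.encode(), line.encode()[-4:],
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), 0, 0, 0, 0, 0)

# Constructed sample: two genuine logins, with a slab of tar -v listing text (the
# kind of names the thread's `last` output shows) written where a record should be.
UTC = timezone.utc
JUNK = (b"share/applnk/kde-essential.menu\n"
        b"share/apps/kdesktop/Desktop/entry.desktop\n" * 8)[:UTMP_SIZE]
SAMPLE = (record("pts/1", "lieven", "blueice3n1.uk.ib", datetime(2005, 7, 29, 12, 45, tzinfo=UTC))
          + JUNK
          + record("pts/0", "lieven", "blueice3n1.uk.ib", datetime(2005, 7, 29, 14, 36, tzinfo=UTC)))
```

Feed `check_wtmp` the bytes of /var/log/wtmp to run it on a real file; each finding is a record that `last` would print as rubbish or out of order, with its byte offset so the damaged region can be located.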

trickykid 07-29-2005 11:26 AM

What programs are running? Is this some kind of development server? How many have physical and remote login access?

ldp 07-31-2005 10:19 AM

This is just my personal self-education server.
I always log in remotely via the ssh daemon. There are only a few other user accounts on this PC. As for the programs, I have ddclient running as a daemon, an apache2 server with PHP support, mysqld, and that's it (since I'm mostly occupied with my personal webpage). I don't have X Windows running; it isn't even installed.
But I have two backup scripts running, one that makes a full backup every Friday and another that makes a daily backup of every file that changed in the last 24 hours. The daily bu script has been corrupted or something, I guess, because when I checked it, I found the following text in the file:

(extract)
etc/mtab^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^
@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@0000644^@0000000^@0000000^@000000 00331^@10270136416^@01243
2^@ 0^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ustar ^@root^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@root^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@0000000^@0000000 ^@^@^@^@^@^@^@^@^@^@^@^@^
@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^ @^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^
@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@/dev/hda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/hda3 /home ext3 rw 0 0
/dev/hda4 /usr/local ext3 rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/hdb1 /mnt/hdb ext3 rw 0 0
usbfs /proc/bus/usb usbfs rw 0 0
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^
@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
... and so on for another page.

For some reason it became like that. (At first, I also made a backup of the whole /var directory, but I removed that because I don't think it made any sense, since it contained a lot of files that don't need to be backed up.) Originally, it was like this:

#!/bin/bash

echo "start incremental backup"

if [ ! -d /mnt/hdb/bu ]; then
    echo -n "creating bu directory... "
    if mkdir /mnt/hdb/bu; then
        echo "success"
    else
        echo "failed" >&2
        echo "cannot create /mnt/hdb/bu... stop script" >&2
        exit 1
    fi
fi

day=$(date +%u%a%d%m%Y)
touch "/mnt/hdb/bu/bulogerr_$day.txt"

# one "source directory,archive" pair per line
FILES="/etc,/mnt/hdb/bu/etc_incr_$day.tar
/home,/mnt/hdb/bu/home_incr_$day.tar
/root,/mnt/hdb/bu/root_incr_$day.tar
/usr/local/mysql/var,/mnt/hdb/bu/mysqldb_incr_$day.tar
/usr/local/apache2,/mnt/hdb/bu/apache2_incr_$day.tar"

for fl in $FILES; do
    src=${fl%%,*}
    dst=${fl#*,}
    echo -n "incremental backup $day : $src ... "
    # Files changed in the last 24 hours, NUL-separated so names with spaces
    # survive. The verbose listing goes to the day's log and errors to the
    # error log; both are appended so one directory's output does not
    # overwrite the previous directory's.
    if find "$src" -mtime -1 -type f -print0 \
        | tar --null -T - -cvf "$dst" >>"/mnt/hdb/bu/bulog_$day.txt" 2>>"/mnt/hdb/bu/bulogerr_$day.txt"
    then
        echo "success"
    else
        echo "failed"
    fi
done

echo "incremental backup $day done"

exit 0

=> I restored the original file now, works ok (tested). The bu script runs at the same time as logrotate. Maybe it has to do with that? But the wtmp file is only rotated every month, as I could see in the config:
...
# Rotate /var/log/wtmp:
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
...

All other log files look intact; none of them has any strange entries like the ones in the wtmp file.

ldp 07-31-2005 10:29 AM

edit: I am the only one with physical access; there is still a keyboard and screen attached to the PC, but they're hardly ever used since it's an old, bad screen. However, my cat tries to log in on a regular basis, but she never even gets the userid right. :-)
There are 7 accounts that can log in, but only 1 is regularly used; the others are rarely used, and 1 of them is locked in a chroot cell: they only see their own home directory and only have the bash shell builtin commands and some other small programs.
All of the accounts belong to friends/family that I personally know and trust. They sometimes upload some small files, mostly text.

eddiebaby1023 07-31-2005 04:06 PM

Try running fsck and make sure your filesystem hasn't got corrupted.

exvor 07-31-2005 04:24 PM

Hmmm, looks strange but not completely strange.

Looks like some security software writing its logging to the wrong area, but it would be impossible to tell which one.

Try clearing the log (or saving it and then clearing it) and reboot with init 1,
then check what logs are created.
