LinuxQuestions.org
Old 07-29-2005, 08:11 AM   #1
ldp
Distribution: slackware - knoppix
Strange wtmp file


I checked my log to see who logged in lately and got something like this:

root@cthulhu:/var/log# last -n 15
lieven   pts/0        blueice3n1.uk.ib Fri Jul 29 14:36   still logged in
lieven   pts/1        blueice3n1.uk.ib Fri Jul 29 12:45 - 13:00  (00:15)
words    ify          ml               Thu Jul 19 20:16   gone - no logout
vers.men rmation.menu /kde-essential.m Wed Oct 22 18:03   gone - no logout
ppy.desk e.desktop    heet.ksp         Tue Jul 27 23:24   gone - no logout
itors.di tory         ents.directory   Wed Feb  2 07:49   gone - no logout
director directory    ettings-looknfee Mon Sep  5 21:33   gone - no logout
ilterwra p            esktop           Mon Feb 15 03:59   gone - no logout
dule.des desktop      pareviewpart.des Thu Jul 27 11:31   gone - no logout
sktop    prfilter.des rces_plugin.desk Fri Nov  4 21:11   gone - no logout
sktop    hprovider.de p                Tue Sep 12 21:58   gone - no logout
e.deskto a.desktop                     Thu Mar  9 12:20   gone - no logout
*sr      g.png        g                Tue May 28 19:20   gone - no logout
sd       .png         */entry.desktop  Thu Dec 29 01:18   gone - no logout
g        flag.png     qa               Wed Dec 28 07:06   gone - no logout

wtmp begins Tue Aug 15 07:27:12 1995

=> ? I don't see where all these strange entries come from.
Does anybody know?

thanks.
Lieven
 
Old 07-29-2005, 10:07 AM   #2
trickykid
Perhaps you should enlighten us with more details... Not knowing who's a valid user on your system, and just seeing wtmp output displayed here, we'd assume all is ok...

And what type of system is this, public server or private (behind firewall), etc?
 
Old 07-29-2005, 11:21 AM   #3
ldp
Sorry, this is a private test server that is behind a rtr/fw.
For clarity, I don't think there is someone messing around on my system (although I do not exclude that).
To me, it looks like some program/process/whatever has been writing to my /var/log/wtmp file by mistake.
Here I listed the last 15 lines with `last -n 15`.
The first two lines are regular logins:

root@cthulhu:/var/log# last -n 15
lieven   pts/0        blueice3n1.uk.ib Fri Jul 29 14:36   still logged in
lieven   pts/1        blueice3n1.uk.ib Fri Jul 29 12:45 - 13:00  (00:15)
...

but all the other lines look like rubbish:

...
words    ify          ml               Thu Jul 19 20:16   gone - no logout
vers.men rmation.menu /kde-essential.m Wed Oct 22 18:03   gone - no logout
ppy.desk e.desktop    heet.ksp         Tue Jul 27 23:24   gone - no logout
itors.di tory         ents.directory   Wed Feb  2 07:49   gone - no logout
director directory    ettings-looknfee Mon Sep  5 21:33   gone - no logout
ilterwra p            esktop           Mon Feb 15 03:59   gone - no logout
dule.des desktop      pareviewpart.des Thu Jul 27 11:31   gone - no logout
sktop    prfilter.des rces_plugin.desk Fri Nov  4 21:11   gone - no logout
sktop    hprovider.de p                Tue Sep 12 21:58   gone - no logout
e.deskto a.desktop                     Thu Mar  9 12:20   gone - no logout
*sr      g.png        g                Tue May 28 19:20   gone - no logout
sd       .png         */entry.desktop  Thu Dec 29 01:18   gone - no logout
g        flag.png     qa               Wed Dec 28 07:06   gone - no logout

wtmp begins Tue Aug 15 07:27:12 1995

=> Even the dates are not chronological, as they should be.

Just strange...
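
An added example, not part of the thread: `last` prints whatever it finds in each 384-byte slot of wtmp, so a checker that parses the records itself can tell a damaged slot from a real session. The Python below assumes the glibc `struct utmp` layout on x86/x86-64 (384 bytes, little-endian; other libcs and architectures differ) and flags what login, sshd or init would never write: a record type outside 0..9, string fields with junk after the NUL terminator, impossible microsecond values, timestamps outside a chosen window, and timestamps that go backwards, since wtmp is append-only. The sample records are constructed here to resemble the poster's listing; they are not his file.

```python
"""Structural check of a wtmp file (glibc `struct utmp`, 384 bytes per record).

`last` prints whatever it finds in each 384-byte slot, so bytes that some
other program wrote into /var/log/wtmp show up as odd "users" with
out-of-order dates. This checks each record against what login, sshd and
init actually write.
"""
import struct

# Assumed layout: glibc bits/utmp.h on x86/x86-64, little-endian. Other
# libcs and architectures use a different size and field order.
UTMP = struct.Struct("<hxxi32s4s32s256shhi2i4i20x")
assert UTMP.size == 384

EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 5, 6, 7, 8, 9


def cstring_ok(raw):
    """A real record holds a NUL-terminated printable string followed only
    by NUL padding; data copied in from another file has junk after the NUL."""
    text, _, pad = raw.partition(b"\0")
    return pad == b"\0" * len(pad) and all(32 <= b < 127 for b in text)


def parse(data):
    """Split wtmp bytes into records; return (records, number of trailing bytes)."""
    n, trailing = divmod(len(data), UTMP.size)
    recs = []
    for i in range(n):
        f = UTMP.unpack_from(data, i * UTMP.size)
        recs.append({"offset": i * UTMP.size, "type": f[0], "pid": f[1],
                     "line": f[2], "id": f[3], "user": f[4], "host": f[5],
                     "sec": f[9], "usec": f[10]})
    return recs, trailing


def audit(data, not_before, not_after, skew=300):
    """Return [(offset, [reasons])] for every record that cannot have been
    written by login/sshd/init. An intact file yields an empty list."""
    recs, trailing = parse(data)
    findings, prev_sec = [], None
    for r in recs:
        why = []
        if not EMPTY <= r["type"] <= ACCOUNTING:
            why.append("ut_type %d out of range" % r["type"])
        if r["type"] == USER_PROCESS and r["pid"] <= 0:
            why.append("USER_PROCESS with pid %d" % r["pid"])
        for name in ("line", "id", "user", "host"):
            if not cstring_ok(r[name]):
                why.append("ut_%s is not a clean C string" % name)
        if r["type"] != EMPTY:
            if not 0 <= r["usec"] < 1_000_000:
                why.append("tv_usec %d invalid" % r["usec"])
            if not not_before <= r["sec"] <= not_after:
                why.append("timestamp %d outside expected window" % r["sec"])
            elif prev_sec is not None and r["sec"] < prev_sec - skew:
                # wtmp is append-only, so time should only move forward
                why.append("timestamp goes backwards (%d after %d)" % (r["sec"], prev_sec))
        if why:
            findings.append((r["offset"], why))
        elif r["type"] != EMPTY:
            prev_sec = r["sec"]  # only clean records advance the clock reference
    if trailing:
        findings.append((len(data) - trailing,
                         ["%d trailing bytes, partial record" % trailing]))
    return findings


def record(ut_type, pid, line, ident, user, host, sec):
    """Build one well-formed record (used here only to construct sample input)."""
    return UTMP.pack(ut_type, pid, line.encode(), ident.encode(), user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed sample in the shape of the poster's listing (CEST = UTC+2);
# it is not his file. Four clean records, then three kinds of damage.
JUL29_2005 = 1122595200  # 2005-07-29 00:00:00 UTC
SAMPLE = b"".join([
    record(BOOT_TIME, 0, "~", "~~", "reboot", "2.4.31", JUL29_2005 + 5 * 3600 + 27 * 60),
    record(USER_PROCESS, 4011, "pts/1", "ts/1", "lieven", "blueice3n1.uk.ib",
           JUL29_2005 + 10 * 3600 + 45 * 60),
    record(DEAD_PROCESS, 4011, "pts/1", "ts/1", "", "", JUL29_2005 + 11 * 3600),
    record(USER_PROCESS, 4120, "pts/0", "ts/0", "lieven", "blueice3n1.uk.ib",
           JUL29_2005 + 12 * 3600 + 36 * 60),
    # 384 bytes that are really a list of KDE menu files, not a utmp record
    (b"kde-essential.menu\0entry.desktop\0flag.png\0" * 12)[:384],
    # a well-formed record whose clock is six years behind the one before it
    record(USER_PROCESS, 900, "pts/2", "ts/2", "words", "ml", JUL29_2005 - 6 * 365 * 86400),
    b"\0" * 100,  # a truncated final record
])

if __name__ == "__main__":
    # On a live box: audit(open("/var/log/wtmp", "rb").read(), not_before, not_after)
    for off, why in audit(SAMPLE, not_before=800_000_000, not_after=JUL29_2005 + 7 * 86400):
        print("record at offset %d: %s" % (off, "; ".join(why)))
```

Run it against the real file with `audit(open("/var/log/wtmp", "rb").read(), not_before, not_after)`, and against the rotated copy (wtmp.1) the same way. A `gone - no logout` line in `last` output is not suspicious by itself, since it only means no matching logout record was found; the structural checks are what separate a damaged slot from an odd but genuine session.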
 
Old 07-29-2005, 11:26 AM   #4
trickykid
What programs are running? Is this some kind of development server? How many have physical and remote login access?
 
Old 07-31-2005, 10:19 AM   #5
ldp
This is just my personal self-education server.
I always log in remotely via the ssh daemon. There are only a few other user accounts on this pc. As for programs, I have ddclient running as a daemon, an apache2 server with php support, mysqld and that's it (since I'm mostly occupied with my personal webpage). I don't have X Windows running; it's not even installed.
But I have two backup scripts running, one that makes a full backup every Friday and another one that makes a daily backup of every file that changed in the last 24 hours. The daily bu script has been corrupted or something, I guess, because when I checked it, I found the following text in the file:

(extract; long runs of ^@, i.e. NUL bytes, shortened)
etc/mtab^@^@^@[...]^@0000644^@0000000^@0000000^@00000000331^@10270136416^@012432^@ 0^@^@^@[...]^@ustar ^@root^@^@^@[...]^@root^@^@^@[...]^@0000000^@0000000^@^@^@[...]^@/dev/hda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/hda3 /home ext3 rw 0 0
/dev/hda4 /usr/local ext3 rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/hdb1 /mnt/hdb ext3 rw 0 0
usbfs /proc/bus/usb usbfs rw 0 0
^@^@^@[...]
... and so on for another page.

For some reason it became like that. (At first I also made a backup of the whole /var directory, but I removed that because I think it didn't make any sense, since it contained a lot of files that don't need to be backed up.) Originally, it looked like this:

#!/bin/bash
# Incremental backup: every regular file modified in the last 24 hours.

echo "start incremental backup"

if [ ! -d /mnt/hdb/bu ]; then
    echo -n "creating bu directory... "
    if mkdir /mnt/hdb/bu; then
        echo "success"
    else
        echo "failed" >&2
        echo "cannot create /mnt/hdb/bu... stop script" >&2
        exit 1
    fi
fi

day=$(date +%u%a%d%m%Y)
touch "/mnt/hdb/bu/bulogerr_$day.txt"

# one "source directory,archive file" pair per line
FILES="/etc,/mnt/hdb/bu/etc_incr_$day.tar
/home,/mnt/hdb/bu/home_incr_$day.tar
/root,/mnt/hdb/bu/root_incr_$day.tar
/usr/local/mysql/var,/mnt/hdb/bu/mysqldb_incr_$day.tar
/usr/local/apache2,/mnt/hdb/bu/apache2_incr_$day.tar"

for fl in $FILES; do
    # split "src,dst" on the comma with parameter expansion instead of
    # `tr , \ `, whose trailing backslash-space becomes a line continuation
    # if the trailing space is ever lost
    src=${fl%%,*}
    dst=${fl#*,}
    echo -n "incremental backup $day : $src ... "
    # Feed the file list to tar on stdin, NUL-separated, instead of as
    # command-line words: names with spaces survive, there is no argument
    # length limit, and the archive name is always the quoted "$dst", so an
    # empty name is a tar error rather than tar silently using the first
    # found file as the archive. Logs are appended so each directory's
    # listing is kept instead of being overwritten by the next iteration.
    if find "$src" -mtime -1 -type f -print0 \
        | tar --null -T - -cvf "$dst" \
            >>"/mnt/hdb/bu/bulog_$day.txt" 2>>"/mnt/hdb/bu/bulogerr_$day.txt"; then
        echo "success"
    else
        echo "failed"
    fi
done

echo "incremental backup $day done"

exit 0

=> I restored the original file now; it works ok (tested). The bu script runs at the same time as logrotate. Maybe it has to do with that? But the wtmp file is only rotated every month, as I could see in the config:
...
# Rotate /var/log/wtmp:
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
...

All other log files look intact; none of them has any strange entries like the ones in the wtmp file.
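
The text that replaced the script above is a POSIX tar archive: a member name (`etc/mtab`) in the first 100 bytes, then octal fields at fixed offsets (`0000644` mode, `0000000` uid and gid, `00000000331` size, `10270136416` mtime, `012432` header checksum), the `ustar` magic at byte 257, owner and group names, and finally the member's data. An added example in Python, not from the thread: it classifies a file that should be a shell script, walks the tar headers by offset rather than through `tarfile`, and verifies each header checksum so a partially overwritten archive is caught instead of decoded as if it were sound. The archive is built in memory as a constructed stand-in for the poster's script, using the mtab text and the octal mtime that appear in the post; nothing else about his file is assumed.

```python
"""Work out what a clobbered file really is and decode it, without trusting it.

A "script" that starts with a filename, NUL padding, octal numbers and the
string `ustar` at byte 257 is a POSIX tar archive; the header says which file
was stored, by whom and when. The archive here is constructed in memory as a
stand-in for the poster's script (it is not his file): one member, etc/mtab,
with the mtab text and the octal mtime that appear in the post.
"""
import io
import tarfile
import time

BLOCK = 512

# /etc/mtab content as shown in the post
MTAB = b"""/dev/hda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/hda3 /home ext3 rw 0 0
/dev/hda4 /usr/local ext3 rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/hdb1 /mnt/hdb ext3 rw 0 0
usbfs /proc/bus/usb usbfs rw 0 0
"""


def classify(data):
    """What is this file, really? A cron script should be the first kind."""
    if data.startswith(b"#!"):
        return "script"
    if len(data) >= BLOCK and data[257:262] == b"ustar":  # POSIX and GNU magic
        return "tar-archive"
    return "unknown"


def parse_header(block):
    """Decode one 512-byte ustar header by field offset and verify its checksum."""
    def octal(raw):
        digits = raw.split(b"\0", 1)[0].strip()
        return int(digits, 8) if digits else 0

    def text(raw):
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")

    hdr = {
        "name": text(block[0:100]), "mode": octal(block[100:108]),
        "uid": octal(block[108:116]), "gid": octal(block[116:124]),
        "size": octal(block[124:136]), "mtime": octal(block[136:148]),
        "typeflag": text(block[156:157]), "magic": text(block[257:263]),
        "uname": text(block[265:297]), "gname": text(block[297:329]),
    }
    # The stored checksum is the byte sum of the header with the checksum
    # field itself counted as eight ASCII spaces.
    computed = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    hdr["chksum_ok"] = octal(block[148:156]) == computed
    return hdr


def list_members(data):
    """Walk header blocks by hand (not tarfile) so a damaged archive still yields
    whatever headers are intact; stop at the end-of-archive zero block."""
    members, off = [], 0
    while off + BLOCK <= len(data):
        block = data[off:off + BLOCK]
        if block == b"\0" * BLOCK:
            break
        hdr = parse_header(block)
        members.append(hdr)
        # member data follows the header, padded to a whole number of blocks
        off += BLOCK + (hdr["size"] + BLOCK - 1) // BLOCK * BLOCK
    return members


def mtime_utc(sec):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(sec))


def build_sample_archive():
    """Constructed stand-in for the clobbered script: a one-member ustar
    archive with the fields visible in the post (mode 0644, root:root,
    mtime 10270136416 octal)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("etc/mtab")
        info.size = len(MTAB)
        info.mode = 0o644
        info.uid = info.gid = 0
        info.uname = info.gname = "root"
        info.mtime = 0o10270136416
        tf.addfile(info, io.BytesIO(MTAB))
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_archive()  # on a live box: open(path, "rb").read()
    print("file type:", classify(data))
    for m in list_members(data):
        print("%s  mode %04o  %s:%s  %d bytes  mtime %s UTC  checksum %s" % (
            m["name"], m["mode"], m["uname"], m["gname"], m["size"],
            mtime_utc(m["mtime"]), "ok" if m["chksum_ok"] else "BAD"))
```

The mtime is the useful field for triage: it dates the archive, not the moment the script was clobbered, so it points at which run of the backup produced the bytes. Checking `classify()` over the cron directories before each run is a cheap way to notice the next time a script stops beginning with `#!`.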
 
Old 07-31-2005, 10:29 AM   #6
ldp
edit: I am the only one with physical access; there is still a keyboard and screen attached to the pc, but they're hardly ever used since it's an old, bad screen. However, my cat tries to log in on a regular basis, but she never even gets the userid right. :-)
There are 7 accounts that can log in, but only 1 is regularly used; the others are rarely used, and 1 of them is locked in a chroot cell: they only see their own home directory and only have the bash shell builtin commands and some other small programs.
All of the accounts belong to friends/family that I personally know and trust. They sometimes upload some small files, mostly text.
 
Old 07-31-2005, 04:06 PM   #7
eddiebaby1023
Try running fsck and make sure your filesystem hasn't got corrupted.
 
Old 07-31-2005, 04:24 PM   #8
exvor
Hmmm, looks strange, but not completely strange.

Looks like some security software writing its logging in the wrong area, but it would be impossible to tell which one.

Try clearing the log (or saving it and then clearing it) and rebooting with init 1,
then check what logs are created.
 
  

