Deleting a line in wtmp file

yashfire007 · 01-26-2013, 12:41 AM

Dear all,
Please tell me how to delete a line from wtmp file in /var/log/wtmp..
If i tried to view the file wtmp, it is in encrypted mode..

shivaa · 01-26-2013, 12:53 AM

It's not a text file but data type file, so prehaps removing one line isn't possible, but you can wipe it out:-

Code:

~$ file /var/log/wtmp
~$ last -f wtmp
~$ cat /dev/null > /var/log/wtmp

yashfire007 · 01-26-2013, 12:57 AM

Sorry dear, Actually i know to empty the file.
But what i need is, to delete a single line in that file...

jschiwal · 01-26-2013, 03:42 AM

Why do you want to edit wtmp?

http://linux.about.com/library/cmd/blcmdl5_wtmp.htm

Quote:

Warning: utmp must not be writable, because many system programs (foolishly) depend on its integrity. You risk faked system logfiles and modifications of system files if you leave utmp writable to any user.

utmp is a binary file whose structure is given in the utmp.h include file for your version of utmp.h.

unSpawn · 01-26-2013, 07:09 AM

Quote:

Originally Posted by jschiwal

Why do you want to edit wtmp?

Now that is the right question!

jpollard · 01-26-2013, 01:28 PM

utmp/wtmp is not supposed to be edited as it is a log of activity. Entries are created by privileged applications (by writing a partial record) then the record is completed with the application terminates.

Partial records imply that something significant happened that wasn't supposed to happen.

utmp/wtmp is also not exactly a reliable file - it only records terminal use (including X server and logins). But the records for gdm are almost always wrong (it puts entries in, but doesn't necessarily close them properly).

yashfire007 · 01-26-2013, 10:24 PM

Why i need the answer is because one of my friend knew the answer for this question.
He knew how to delete a single line from wtmp though it is a binary file.
He just challenged me to get the answer? But am trying a lot, even i cannot able to read the file..
Yes i know it is a critical file, but please tell me the solution for this. How to see and delete a single line which we wish to delete in wtmp.

rknichols · 01-26-2013, 11:10 PM

There is a manpage for wtmp that shows the structure of the records in that file. The rest is up to you.

jpollard · 01-27-2013, 06:35 AM

After looking up the structure, all you really need to do is use dd, and appropriate bye offsets.

postcd · 03-05-2016, 01:25 PM

There seems to be tools made to modify wtmp: https://packetstormsecurity.com/UNIX...on/log-wipers/

jpollard · 03-05-2016, 03:09 PM

Quote:

Originally Posted by yashfire007

Why i need the answer is because one of my friend knew the answer for this question.
He knew how to delete a single line from wtmp though it is a binary file.
He just challenged me to get the answer? But am trying a lot, even i cannot able to read the file..
Yes i know it is a critical file, but please tell me the solution for this. How to see and delete a single line which we wish to delete in wtmp.

It is not a critical file. If it is deleted, a new one would get created.

It is used sometimes for accounting purposes, but even there, it isn't absolutely critical. It is only used
to collect a sequence of process accounting records into single "job".

Look at the manpage for wtmp. it is a random access file, and rather easily tampered with for the system admin.