LinuxQuestions.org
Old 11-10-2004, 11:13 PM   #1
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Rep: Reputation: 15
lastlog root entry


Hi. The other day I did a 'lastlog' and found an entry like the following:

Code:
root             pts/6    :0.0             Mon Nov 1  23:53:48 +0100 2004

Today the light went out and after I rebooted I did another 'lastlog', and the same entry appeared again. I also saw it with 'last':

Code:
# last -adix
[...]
root     pts/6        Mon Nov 1  23:53 - 23:53  (00:00)     0.0.0.0
[...]

The thing is I've never logged in as root. I have only used 'su' in terminals once logged in as a normal user. Besides, on Nov. 1 at 23:53 the system was already running; it had been running for more than two hours since the last reboot that same day.

I also found a related entry with 'utmpdump':

Code:
utmpdump /var/log/wtmp
[...]
[7] [07422] [/6  ] [root    ] [pts/6       ] [:0.0                ] [0.0.0.0        ] 
[Mon Nov 01 23:53:48 2004 CET]
[...]

I haven't found any strange sign or abnormal behaviour lately. I'm using 'iptables' with a script that I think has the system more or less covered. Services are kept to a minimum, and the machine is not a server. 'chkrootkit' and file integrity checks have not triggered any alarm. 'lastb' didn't show anything either.

Where does this entry come from, then?

Any help will be greatly appreciated.
 
Old 11-11-2004, 11:51 AM   #2
ph34r3d
Member
 
Registered: Apr 2002
Location: Tamaqua, Pa
Distribution: Slackware. Gentoo 1.4rc3, RH9, Mandrake 9.1, Debian, FreeBSD, OpenBSD, Fedra Core 3 x86_64
Posts: 71

Rep: Reputation: 15
If you logged into root you would see that... from what I can see it looks like all 3 times you show are the same login attempt... did you happen to log into root at that specific time???
 
Old 11-11-2004, 03:07 PM   #3
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Original Poster
Rep: Reputation: 15
I've never logged in a session as root. Of course, I've run root shells from my normal user account by means of 'su', but if I'm not mistaken these don't go into 'wtmp'.

Yes, the three logs correspond to the same login attempt. Going into the logs from that day I see that I opened a 'su' shell at 23:48:57, but the time of the logs is 23:53:48.

Also, I've noticed that in the output of 'last' I have another login from Nov. 9, not from root but from my normal user account:

Code:
foobar   :0           Tue Nov  9 15:16 - crash (1+10:53)

But the system was already working that day. I rebooted on Nov. 1 and the machine continued working until there was a light cutoff today (Nov. 11) and I was forced to restart the machine. However, I am almost certain that on Nov. 9 around that time I logged out of KDE and logged in again immediately so that the system could run a bit fresher. Could this be the reason for this last entry? In that line it also says 'crash', even though the system didn't crash at that time...

Any hint regarding these two entries appreciated.
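
Added example, not part of the thread or any poster's code: a Python parser for `utmpdump` text in the format quoted in post #1 (it also handles a record that wraps onto a second line, as that one does) which lists root session records and where each claims to originate. The function names, the origin labels and the second and third sample records are assumptions made for illustration; a host field beginning with ':' names an X display rather than a network peer.

```python
import re
from collections import namedtuple

USER_PROCESS = 7  # ut_type value for a login session record (see utmp(5))

# Field order as printed by utmpdump: type, pid, id, user, line, host, addr, time
Record = namedtuple("Record", "ut_type pid ut_id user line host addr when")
FIELD = re.compile(r"\[([^\]]*)\]")

def parse_utmpdump(text):
    """Yield Records from utmpdump text; a record may wrap over several lines."""
    pending = []
    for raw in text.splitlines():
        pending += [f.strip() for f in FIELD.findall(raw)]
        while len(pending) >= 8:          # a full record has eight fields
            f, pending = pending[:8], pending[8:]
            yield Record(int(f[0]), int(f[1]), *f[2:])

def origin(rec):
    """Classify where a session record claims to come from."""
    if rec.host.startswith(":"):
        return "local-x-display"          # e.g. ":0.0", a terminal opened inside X
    if rec.addr not in ("0.0.0.0", "") or rec.host:
        return "remote"
    return "local-console"

def root_sessions(text):
    """Return (line, when, origin) for every root USER_PROCESS record."""
    return [(r.line, r.when, origin(r)) for r in parse_utmpdump(text)
            if r.ut_type == USER_PROCESS and r.user == "root"]

# Constructed sample: the first record is the one quoted in the thread (wrapped
# as posted); the other two are made up for contrast.
SAMPLE = """\
[7] [07422] [/6  ] [root    ] [pts/6       ] [:0.0                ] [0.0.0.0        ]
[Mon Nov 01 23:53:48 2004 CET]
[7] [08100] [ts/0] [root    ] [pts/0       ] [host.example        ] [192.0.2.10     ] [Tue Nov 02 03:10:02 2004 CET]
[7] [00912] [1   ] [foobar  ] [tty1        ] [                    ] [0.0.0.0        ] [Tue Nov 02 08:00:00 2004 CET]
"""

if __name__ == "__main__":
    for line, when, src in root_sessions(SAMPLE):
        print(f"{when}  root on {line:<6} origin={src}")
```

On a live system the input would be the saved output of `utmpdump /var/log/wtmp`; a truncated record with fewer than eight fields would shift the fields of the records after it, so check the dump for damage before trusting the result.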
 
  


All times are GMT -5. The time now is 11:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration