Sheldon E. Newhouse
1998-Aug-13 01:58 UTC
summary of replies to [strange stuff in 'last' command]
Sheldon E. Newhouse writes:
> Anyone have ideas on what this output from the 'last' command means?
>
> TIA,
> -sen
>
> xF*@**** otify ***@ Sat Aug 1 20:52 still logged in
> xF*@**** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
> xF*@**** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
> xF*@**** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
> xF*@**** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)

Thanks to all who replied. The culprit seems to have been incompatibilities in utmp/wtmp between glibc and libc-5, and not the result of a hacker invading my system. Many sent similar responses, so I am forwarding just a few of those which were different from each other.

-sen

*******************
From: "Charles R. Anderson" <cra@WPI.EDU>

This is the result of a bug in xterm from XFree86-3.3.2. I submitted a patch to XFree86 and redhat about a month ago, so this should hopefully be fixed soon. The problem is that xterm is not clearing utmp properly on exit.

sen1> others notice this strange output of 'last?' Is this a security issue or
sen1> more likely just growing pains for utmp and glibc?

There is no major security problem that I am aware of; however, you could consider incorrect wtmp logging a security problem.

******************
From: Dave Cinege <dcinege@psychosis.com>

libc6 and libc5 use different utmp formats. If you run a libc6 (libc5) system and use libc5 (libc6) apps that touch utmp or wtmp, it will cause corruption. OTOH Debian 2.0's libc5 is patched with a wrapper function for the new utmp format. You could get a hold of that if you are unable to upgrade the offending app to glibc. I'd recommend just installing Debian instead.

******************
From: Paul Carpenter <paul@dodgenet.com>

I saw this same problem going from a Slackware system to RH5.0. I replaced my SSH with an updated one and the problem went away. The old version didn't use PAM and the new one does, but I never looked into it any further.

******************
From: Jaakko.Hyvatti@iki.fi

A glibc-based system has a different format in utmp and wtmp than a libc-5-based system. You have some applications in your system that update utmp and/or wtmp but which are compiled with libc-5, or which do not even use library functions to update those files. Find them and recompile or fix them.

******************
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>

who dumps utmp, last dumps wtmp.

> Reboots stop the problem for a while but then it reappears.

reboot resets utmp...

> I also read that glibc has sometimes produced corruption in utmp. Do
> others notice this strange output of 'last?' Is this a security issue
> or more likely just growing pains for utmp and glibc?

The format of utmp and wtmp in glibc2 aka libc6 is different from the format used in libc5 (which forked off glibc1 a long time ago).

This is not a real security issue (but it could have security ramifications like any other problem).

Your wtmp seems to be corrupted (mixed formats). The easiest "fix" is to erase the contents of /var/log/wtmp (the proper remedy would be to separate the part in the old format from the part in the new format, and convert the old part into the new format), but before changing any files, make sure all programs using utmp and wtmp (last, who, w, login, xterm...) are based on glibc2 (ldd program).
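As an added example (not code from this thread or from any of the replies), the checker below looks for the "mixed formats" symptom Pavel describes: it walks a wtmp file in glibc2 (libc6) struct utmp steps and reports records whose fields cannot have been written in that layout, plus any leftover bytes at the end of the file. The 384-byte glibc2 layout is the Linux <utmp.h> one; the short 56-byte "foreign" record in build_sample() is constructed to imitate the older libc5 layout and is an assumption of this example, not something the thread states. The sample data is constructed, so the script runs offline.

```python
"""Flag wtmp records that do not parse as glibc2 (libc6) struct utmp entries.

Added example for the libc5/libc6 utmp mix-up discussed in the thread; it is
not code from the posting. The glibc2 record layout below is the one from
<utmp.h> on Linux (384 bytes on i386 and x86-64); the short "foreign" record
in build_sample() is constructed to imitate the older libc5 layout and is an
assumption, not taken from the thread.
"""
import struct
import string
import sys
import time
from typing import Dict, List

# glibc2 struct utmp, little-endian: ut_type, pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], e_termination, e_exit, ut_session,
# tv_sec, tv_usec, ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

VALID_TYPES = set(range(10))  # EMPTY(0) .. ACCOUNTING(9) from <utmp.h>
USER_PROCESS = 7
DEAD_PROCESS = 8

# Bytes accepted inside ut_user / ut_line / ut_host; anything else is a
# strong hint that the record was written with a different layout.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _cstr(raw: bytes) -> bytes:
    """Bytes up to the first NUL, as last(1) would read a C string."""
    return raw.split(b"\0", 1)[0]


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str,
                tv_sec: int) -> bytes:
    """Build one glibc2-format record (used here only to construct sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def unpack_record(chunk: bytes) -> Dict:
    """Decode one 384-byte chunk into the fields the checks below look at."""
    f = struct.unpack(UTMP_FMT, chunk)
    return {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "tv_sec": f[9]}


def record_problems(rec: Dict, now: int) -> List[str]:
    """Heuristics for a record that was not written in the glibc2 layout."""
    problems = []
    if rec["type"] not in VALID_TYPES:
        problems.append("ut_type %d out of range" % rec["type"])
    for name in ("user", "line", "host"):
        if any(b not in PRINTABLE for b in rec[name]):
            problems.append("non-printable bytes in ut_%s" % name)
    if rec["tv_sec"] < 0 or rec["tv_sec"] > now + 86400:
        problems.append("timestamp %d implausible" % rec["tv_sec"])
    return problems


def audit_wtmp(data: bytes, now: int) -> Dict:
    """Walk the file in 384-byte steps and classify every record."""
    result = {"sane": 0, "suspect": [], "trailing_bytes": len(data) % UTMP_SIZE}
    for idx in range(len(data) // UTMP_SIZE):
        rec = unpack_record(data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE])
        probs = record_problems(rec, now)
        if probs:
            result["suspect"].append((idx, probs))
        else:
            result["sane"] += 1
    return result


def build_sample(now: int) -> bytes:
    """Constructed sample: two good libc6 records, then a 56-byte record in an
    assumed libc5-style layout, then another good record. Once the reader
    slides over the short record, every later entry is read at a wrong offset,
    which is how 'last' ends up printing garbage user names."""
    good1 = pack_record(USER_PROCESS, 1234, "tty1", "sen", "localhost", now - 3600)
    good2 = pack_record(DEAD_PROCESS, 1234, "tty1", "", "", now - 1800)
    foreign = struct.pack("<hxxi12s2sxxi8s16si", USER_PROCESS, 1234, b"tty2",
                          b"c2", now - 600, b"sen", b"workstation.example",
                          0x7F000001)
    good3 = pack_record(USER_PROCESS, 1300, "tty3", "sen", "", now - 300)
    return good1 + good2 + foreign + good3


if __name__ == "__main__":
    # With a path argument, audit a real file; otherwise run on the sample.
    now = int(time.time())
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(now)
    report = audit_wtmp(data, now)
    print("sane records: %d, trailing bytes: %d" % (report["sane"], report["trailing_bytes"]))
    for idx, probs in report["suspect"]:
        print("record %d: %s" % (idx, "; ".join(probs)))
```

Run it as `python wtmp_check.py /var/log/wtmp` to audit a real file, or with no argument to see the constructed sample flagged (two sane records, one suspect record with non-printable bytes in ut_user, 56 trailing bytes). A non-zero trailing byte count or a run of suspect records starting at one point in the file is the signature of a second writer using a different record size, which is the same check Pavel's advice boils down to: find that writer with `ldd` on each program that touches utmp/wtmp before clearing or converting the file.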