by Peter Beckm » Thu, 01 Aug 1996 04:00:00
I want to know if there is some code out there that allows you to parse
through the wtmp entries (and utmp if it's the same format) and delete or
add entries at will. If so, please mail it to me (and post it, as others
may be interested) with comments if possible.
Thanks!
Peter
--
Peter Beckman Independent Consultant
by Andru Luvi » Thu, 01 Aug 1996 04:00:00
: I want to know if there is some code out there that allows you to parse
: through the wtmp entries (and utmp if it's the same format) and delete or
: add entries at will. If so, please mail it to me (and post it, as others
: may be interested) with comments if possible.
if you have write access to utmp, it's not difficult... it's a sequential
file of fixed length records of type struct utmp... man utmp to see
it's makeup...
andru
by Scott G. Ha » Fri, 02 Aug 1996 04:00:00
[I trimmed the newsgroup list quite a bit, but it is still long..]
>if you have write access to utmp, it's not difficult... it's a sequential
>file of fixed length records of type struct utmp... man utmp to see
>it's makeup...
getutent(), getutid(), getutline(), pututline(), setutent(),
endutent(), utmpname() - access utmp file entry
#include <utmp.h>
Check the man page under: getut
--
"It was our last, best hope for peace -- it failed. | Scott G. Hall
Now it's our last best hope." (Babylon-5 opener) | Lucent Technologies
----------------------------------------------------------| Bell Labs - BCS
by Birger Bli » Tue, 06 Aug 1996 04:00:00
>Thanks!
>Peter
>--
>Peter Beckman Independent Consultant
To clean all old entrys from wtmp , copy utmp to wtmp.
--
--
UAB/Z/IP, Unix Systems Mgmt Phone: +46 8 7274183
Ericsson AXE Research and Development, Armborstv 14, S-125 25 Alvsjo, Sweden
--
by J.J.Farre » Wed, 07 Aug 1996 04:00:00
>if you have write access to utmp, it's not difficult... it's a sequential
>file of fixed length records of type struct utmp... man utmp to see
>it's makeup...
My opinions; I do not speak for my employer.
by Ajay Kumar Gumma » Thu, 08 Aug 1996 04:00:00
I have written programs in C, that remove the desired entries from the utmp and wtmp files. If you want a copy of the same, email me.
bye
. . . . .
Ajay
by Marcus J. Ran » Fri, 09 Aug 1996 04:00:00
Do an alta vista search for "cloak.c" which has code
for clearing utmp and wtmp entries.
mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html
by Richard C. Gaine I » Fri, 09 Aug 1996 04:00:00
The following is for Solaris2. It takes a username as an argument andQuote:> Do an alta vista search for "cloak.c" which has code
>for clearing utmp and wtmp entries.
>mjr.
>--
>Chief Scientist, V-ONE Corporation -- "Security for a connected world"
>work http://www.v-one.com
>personal http://www.clark.net/pub/mjr/mjr-top.html
rick
#include <stdio.h>
#include <fcntl.h>
#include <utmpx.h>
#include <utmp.h>
#include <lastlog.h>
#include <pwd.h>
void kill_tmp(char *, char *);
void kill_tmpx(char *, char *);
void kill_lastlog(char *, char *);
int f;
char buf[40];
main(int argc, char **argv)
{
if (argc!=2)
{
puts("Error!");
exit(1);
}
kill_tmp(UTMP_FILE,*(argv +1));
kill_tmp(WTMP_FILE,*(argv +1));
kill_tmpx(UTMPX_FILE,*(argv +1));
kill_tmpx(WTMPX_FILE,*(argv +1));
kill_lastlog("/var/adm/lastlog",*(argv +1));
void kill_tmp(char *name, char *who)Quote:}
if ((f=open(name,O_RDWR))>=0)
{
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who)))
{
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
else
{
sprintf(buf,"write %s",name);
perror(buf);
}
void kill_tmpx(char *name, char *who)Quote:}
if ((f=open(name,O_RDWR))>=0)
{
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_user,who,strlen(who)))
{
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
else
{
sprintf(buf,"write %s",name);
perror(buf);
}
void kill_lastlog(char *name, char *who)Quote:}
if ((pwd=getpwnam(who))==NULL)
{
printf("Can't get user info for %s in /etc/passwd\n",who);
printf("lastlog not changed.\n");
return;
}
if ((f=open(name, O_RDWR)) >= 0)
{
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
else
{
sprintf(buf,"write %s",name);
perror(buf);
}
Quote:}
by Wes Fel » Mon, 12 Aug 1996 04:00:00
Neither "cloak.c" nor rick's code worked for my SunOS 4.1.3 UNIX, but aQuote:> The following is for Solaris2. It takes a username as an argument and
> removes all entries from [uw]tmp [uw]tmpx and lastlog.
> rick
-Wes
by Thomas H. Ptac » Tue, 13 Aug 1996 04:00:00
Thus proving a point that's been understood amongst Unix professionals forQuote:>that I had ever been on the system. After entering "Zap UserName", the
>program took all records in utmp, wtmp, and lastlog so it looked like
>UserName had "Never Logged In".
There's no magic in any of this. This information is stored in regular
files. The world doesn't end if you write to one of them.
--
---------------------------------------------------------------------------
Thomas Ptacek at The rdist Organization,
Chicagoland's only kung-fu guerilla terrorist computer security organization.
"If you're so special, why aren't you dead?"
by Wes Felt » Tue, 13 Aug 1996 04:00:00
Here is the site for the Zap.c program I mentioned that removes logged
entries from utmp, wtmp, and lastlog. It is very easy to modify to just
remove all logged entries from any one of the three logs.
-Wes
by Andreas Gra » Tue, 13 Aug 1996 04:00:00
> >I want to know if there is some code out there that allows you to parse
> >through the wtmp entries (and utmp if it's the same format) and delete or
> >add entries at will. If so, please mail it to me (and post it, as others
> >may be interested) with comments if possible.
> >Thanks!
> >Peter
> >--
> >Peter Beckman Independent Consultant
> Use /usr/lib/acct/fwtmp to convert utmp,wtmp to ascii.
> You can edit the text and convert to data , using fwtmp -ic , but you may lose
--
2 rules to success in life: 1. Don't tell people everything you know.
by thoug » Wed, 14 Aug 1996 04:00:00
>Neither "cloak.c" nor rick's code worked for my SunOS 4.1.3 UNIX, but a
>program called Zap.c did. It worked entirely too well, removing all signs
>that I had ever been on the system. After entering "Zap UserName", the
>program took all records in utmp, wtmp, and lastlog so it looked like
>UserName had "Never Logged In".
>-Wes
ftp://ftp.infonexus.com/pub/SourceAndShell/LogCleaners/UtmpAndWtmp/ma...
--
`da guild
by Gary Howlan » Wed, 14 Aug 1996 04:00:00
> > The following is for Solaris2. It takes a username as an argument and
> > removes all entries from [uw]tmp [uw]tmpx and lastlog.
> > rick
> Neither "cloak.c" nor rick's code worked for my SunOS 4.1.3 UNIX, but a
> program called Zap.c did. It worked entirely too well, removing all signs
> that I had ever been on the system. After entering "Zap UserName", the
> program took all records in utmp, wtmp, and lastlog so it looked like
> UserName had "Never Logged In".
#!/usr/local/bin/perl -w
# open(FH, '+< /var/log/wtmp');
open(FH, '+< /var/run/utmp');
my $entry = '';
while (read(FH, $entry, 36))
{
my ($line, $name, $host, $time);
($line, $name, $host, $time) = unpack("a8 a8 a16 L", $entry);
$_ = $name;
if (m/gary/)
{
seek(FH, -36, 1);
print FH "\0"x36;
seek(FH,0,1);
}
GaryQuote:}
by Gregory Row » Wed, 14 Aug 1996 04:00:00
GREG
1. How to change entry in UTMP?WTMP files
My email address is:
2. CHALLENGE - Linux and NT dualboot problem
6. CODE: Stand-alone ICP server
7. mgetty : AutoPPP - pppd wtmp/utmp entry
9. making utmp/wtmp entries.. how?
10. fake utmp/wtmp entries under xdm
11. remove wtmp (x) - utmp (x)
12. location of utmp wtmp in utmp.h
13. logout fails to remove entry in /etc/utmp