RH Linux: Bizarre wtmp/utmp, log file, and file date problems


Post by Doug Stevenso » Tue, 23 Mar 1999 04:00:00



In all my years of UNIX sys admin experience I have never seen something
so bizarre as this happen, first seen this morning on my Red Hat 5.2
Linux system:

- New logins are no longer being reported with 'w', 'who', and 'last'
commands.  Entries are being made to utmp/wtmp but I haven't verified if
they're correct.  Rotating/removing these files doesn't help either.

- /var/log/secure is no longer being logged to (scary).

- The system date as reported by 'date' and last mod dates on new files
on all filesystems differ by exactly 5 hours, the file being 5 hours in
the future.  Maybe this has something to do with EST timezone?

- The MAIL env var is being set to /spool/mail/login instead of the
proper /var/spool/mail/login.  This causes mail apps to fail to find the
users incoming mail spool.  Resetting this variable manually fixes
things.

Things I've tried doing to fix the problems:

- Rebooting the system (but not power cycling, it's remote).

- Messing with wtmp/utmp to manually reset their status.

- Moving the latest /var/log/secure file and restarting syslogd.  The
entry for authpriv.* remains in /etc/syslogd.conf and other syslog files
are still working fine.

- Resetting the date manually (timezone is correct).

The only things that make me believe that this might be a security
attack are the fact that /var/log/secure no longer works AT ALL and that
I can't get a traditional list of current logins any more.  The other
things I could pass off as a fluke or bug in the system.  But I have found
nothing else out of the ordinary.  The future file date issue is
terribly inconvenient, as is the fact that I can't get a list of
current logins.

I found nothing on the Red Hat web site regarding these specific
issues.  I did find a new syslogd there, but the fixes don't seem to
address specifically the problem of no security logs.

Any ideas?  I'm at the edge of my wit...

Doug


RH Linux: Bizarre wtmp/utmp, log file, and file date problems

Post by Olaf Schre » Wed, 24 Mar 1999 04:00:00



>In all my years of UNIX sys admin experience I have never seen something
>so bizarre as this happen, first seen this morning on my Red Hat 5.2
>Linux system:

These are strong indications that your system has found an additional
remote administrator..

Looks like modified binaries have been put in place (rootkit), your
/etc/syslog.conf has been slightly modified, and the intruder
temporarily changed your system date (to get the timestamps for the
modified binaries right), then mistakenly reset the system date to
localtime instead of GMT or vice versa.

REDHAT 5.2 USERS PLEASE NOTE:  If you run an out-of-the-box RH 5.2
system, you are at *high risk* of getting remote rooted via a buffer
overrun in wu-ftpd.  Have a look at

http://www.netect.com/advisory_0209.html
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#wu-ftpd

ciao,
chakl

>- New logins are no longer being reported with 'w', 'who', and 'last'
>commands.  Entries are being made to utmp/wtmp but I haven't verified if
>they're correct.  Rotating/removing these files doesn't help either.

>- /var/log/secure is no longer being logged to (scary).

>- The system date as reported by 'date' and last mod dates on new files
>on all filesystems differ by exactly 5 hours, the file being 5 hours in
>the future.  Maybe this has something to do with EST timezone?

>- The MAIL env var is being set to /spool/mail/login instead of the
>proper /var/spool/mail/login.  This causes mail apps to fail to find the
>users incoming mail spool.  Resetting this variable manually fixes
>things.


RH Linux: Bizarre wtmp/utmp, log file, and file date problems

Post by NF Steve » Wed, 24 Mar 1999 04:00:00



>In all my years of UNIX sys admin experience I have never seen something
>so bizarre as this happen, first seen this morning on my Red Hat 5.2
>Linux system:

IIRC libc5 and libc6 write different formats to wtmp etc. I had
a lot of trouble with this when I upgraded to libc6.

Norman


1. Utmp/wtmp logging problem. HELP.

Ok, here's the deal. When I login remotely, my logout will not be recorded in
the utmp/wtmp files. I have tried linking the files all over the place with no
luck.

Here is a typical example->
I log in from home and exit.  When I get to work and log in locally, a finger
or who will say that I am still logged in from home (the telnet processes are
gone, the login from home only seems to exist in the log files).  But if I
exit and login locally again the utmp is corrected?!?!?!

Anyone else have this problem? any suggestions would be appreciated.

PS. what program writes the lastlog file?? I don't have a man page for it.

Thanks.
