Where am I? :)

Karol Kwiatkowski freebsd at orchid.homeunix.org
Sun Mar 5 02:59:54 PST 2006


Oliver Leitner wrote:
> Karol Kwiatkowski wrote:
>>> Kövesdán Gábor wrote:
>>>
>>>> I don't use any log cleaner, I triggered this accidentally. Please read
>>>> the whole thread if you're interested or see this:
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=94060
>>>>
>>>> Gabor Kovesdan
>>>
>>> Looks similar to this:
>>>
>>> http://lists.freebsd.org/pipermail/freebsd-questions/2004-December/068201.html
>>>
>>> Regards,
>>>
>>> Karol
>>>
> 
> Well, it could have different reasons then:
> 
> 1. your box has been hacked, and you have a somewhat crippled login or
> shell, try to replace those things with clean ones.
> 
> 2. maybe there is something wrong with memory mapping, eventually diag
> your ram, or build a new "kernel".
> 
> 3. it's just one of those accidental things that happen once every 10
> years...

Very unlikely for various reasons:
- it wasn't me who reported it back then (my post was basically "me too")
- this is a test machine with one user, no direct connection, no
daemons except secured ssh, rebuilding world every other day
- the machine was running 5.x back then, now 6.1-PRERELEASE and I can
reproduce this; in fact I can do that on 6.0-RELEASE, too:

[the same procedure Gabor Kovesdan wrote, only it seems 'login as fake
user' step is not needed]

% karol at blackacidevil$ ssh -p 722 orchid
% Password:
% Last login: Sat Mar  4 12:05:43 2006 from blackacidevil.o
% [...motd skipped...]
% karol at orchid$ uname -sr
% FreeBSD 6.0-RELEASE-p2
% karol at orchid$ w
% 11:31AM  up 11 days,  9:24, 1 user, load averages: 0.29, 0.21, 0.17
% USER             TTY      FROM              LOGIN@  IDLE WHAT
% karol            p0       blackacidevil.or 11:31AM     - w
% karol at orchid$ login
% login: karol
% Last login: Sun Mar  5 11:31:22 from blackacidevil.o
% [...motd skipped...]
% karol at orchid$ w
% 11:32AM  up 11 days,  9:25, 1 user, load averages: 0.11, 0.17, 0.16
% USER             TTY      FROM              LOGIN@  IDLE WHAT
% karol            p0       -                11:32AM     - w
% karol at orchid$ exit
% karol at orchid$ w
% 11:32AM  up 11 days,  9:25, 0 users, load averages: 0.11, 0.17, 0.16
% USER             TTY      FROM              LOGIN@  IDLE WHAT
% karol at orchid$

Here, I disappeared from 'w's output. Root can't see me either:

% karol at orchid$ su -
% Password:
% orchid: Yes, Master? w
% 11:35AM  up 11 days,  9:28, 0 users, load averages: 0.53, 0.26, 0.19
% USER             TTY      FROM              LOGIN@  IDLE WHAT

Here's what last(1) prints:

% orchid: Yes, Master? last
% karol            ttyp0                     Sun Mar  5 11:32 - 11:32 (00:00)
% karol            ttyp0    192.168.1.66     Sun Mar  5 11:31 - 11:32 (00:00)
% [...]
% orchid: Yes, Master?


It seems login(1) simply records "user logged out" the moment he's
logged in the second time (sorry, I'm not a native English speaker ;) )

The reason I didn't send any PR back then is that I didn't know if it's
a bug or a feature. Since there was virtually no response from the list
I assumed it's not a bug (at least not a serious one) and I just made a
personal note: "don't use w(1), who(1), last(1) or /var/log/wtmp".

Best regards,

Karol

-- 
Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
GPGKey: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
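
An added example, not part of the original post or of FreeBSD: because the login records can show "0 users" while a shell is still running on the terminal, this cross-checks who(1)-style records against processes that still hold a controlling terminal. The sample listings are constructed and their column layouts are assumptions.

```python
# Added example: find terminals with live processes but no login record.
# Both samples are constructed, modelled on the session in the post.

# Assumed who(1)-style layout: "user tty date ...". WHO_AFTER is empty, as
# after the nested login(1) exited and w(1) reported "0 users".
WHO_BEFORE = "karol ttyp0 Mar  5 11:31 (blackacidevil.or)\n"
WHO_AFTER = ""

# Assumed ps(1)-style layout: USER TT PID COMMAND, "??" meaning no terminal.
PS_SAMPLE = """\
USER   TT   PID COMMAND
root   ??   412 sshd
karol  ??  9120 sshd
karol  p0  9123 bash
karol  p0  9188 ps
"""

def norm_tty(name):
    """Reduce '/dev/ttyp0', 'ttyp0' and 'p0' to the same key."""
    for prefix in ("/dev/", "tty"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name

def recorded_ttys(who_text):
    """Terminals that have an active login record."""
    rows = (line.split() for line in who_text.splitlines())
    return {norm_tty(f[1]) for f in rows if len(f) >= 2}

def live_sessions(ps_text):
    """Map (user, tty) to the PIDs that have that controlling terminal."""
    sessions = {}
    for line in ps_text.splitlines()[1:]:          # skip the header row
        f = line.split(None, 3)
        if len(f) < 4 or f[1].startswith("?"):     # daemon, no terminal
            continue
        sessions.setdefault((f[0], norm_tty(f[1])), []).append(int(f[2]))
    return sessions

def unrecorded_sessions(who_text, ps_text):
    """Sessions with running processes that the login records do not list."""
    seen = recorded_ttys(who_text)
    return {k: v for k, v in live_sessions(ps_text).items() if k[1] not in seen}

if __name__ == "__main__":
    for (user, tty), pids in unrecorded_sessions(WHO_AFTER, PS_SAMPLE).items():
        print(f"{user} on {tty}: no login record, live PIDs {pids}")
```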
