Rebuilding wtmp
Doug White
dwhite at gumbysoft.com
Tue Jul 13 19:09:34 PDT 2004
On Mon, 12 Jul 2004, Kyle Mott wrote:
> Hi, I have several systems that report 'w' and 'who' wrong/corrupted:
> root at neo:~# w
> USER TTY FROM LOGIN@ IDLE WHAT
> kyle p0 - 31Dec69 - w
>
> Obviously, Dec 31st 1969 is not right:
> root at neo:~# date
> Mon Jul 12 11:27:15 PDT 2004
you might make sure your w/who binary hasn't been fiddled with. Changes
like this tend to point to a diagreement among utmp/wtmp writers about the
file format.
I've seen this where w was trojaned to mask certain user logins.
--
Doug White | FreeBSD: The Power to Serve
dwhite at gumbysoft.com | www.FreeBSD.org
More information about the freebsd-stable
mailing list