Date: Tue, 13 Jul 2004 19:09:34 -0700 (PDT)
From: Doug White
To: Kyle Mott
cc: freebsd-stable@freebsd.org
Subject: Re: Rebuilding wtmp

On Mon, 12 Jul 2004, Kyle Mott wrote:

> Hi, I have several systems that report 'w' and 'who' wrong/corrupted:
> root@neo:~# w
> USER TTY FROM LOGIN@ IDLE WHAT
> kyle p0 - 31Dec69 - w
>
> Obviously, Dec 31st 1969 is not right:
> root@neo:~# date
> Mon Jul 12 11:27:15 PDT 2004

You might make sure your w/who binary hasn't been fiddled with. Changes
like this tend to point to a disagreement among utmp/wtmp writers about
the file format. I've seen this where w was trojaned to mask certain user
logins.

--
Doug White                    |  FreeBSD: The Power to Serve
dwhite@gumbysoft.com          |  www.FreeBSD.org
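
An added example, not part of the original message: one way to check a utmp file for the symptom discussed above, by reading it independently of the installed w/who binaries and flagging zeroed or out-of-window login times and a file size that is not a whole number of records. The 44-byte record layout, the function names and the sample bytes are assumptions made for illustration; confirm the layout against utmp.h on the host being examined.

```python
import struct
from datetime import datetime, timezone

# Assumed layout (not given in the thread): the classic BSD utmp record,
# ut_line[8] + ut_name[16] + ut_host[16] + 32-bit little-endian ut_time.
# Confirm against <utmp.h> on the host being examined.
REC = struct.Struct("<8s16s16si")   # 44 bytes, no padding

def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def check_utmp(blob, not_before, not_after):
    """Return (slot, user, tty, reason) for each implausible login record."""
    findings = []
    whole, extra = divmod(len(blob), REC.size)
    if extra:
        # A file that is not a whole number of records was written with a
        # different record size than this reader expects.
        findings.append((whole, "", "", f"{extra} trailing bytes: record size mismatch"))
    for slot in range(whole):
        line, name, _host, t = REC.unpack_from(blob, slot * REC.size)
        user = cstr(name)
        if not user:                      # unused slot
            continue
        if t == 0:
            reason = "ut_time is 0 (renders as 31Dec69 west of UTC)"
        elif not not_before <= t <= not_after:
            reason = f"ut_time {t} outside expected window"
        else:
            continue
        findings.append((slot, user, cstr(line), reason))
    return findings

def ts(*ymdhms):
    """UTC calendar fields to epoch seconds."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

# Constructed sample: one sane record, one with a zeroed time, 3 stray bytes.
NOW = ts(2004, 7, 12, 18, 27, 15)
SAMPLE = (REC.pack(b"ttyv0", b"root", b"", NOW - 3600)
          + REC.pack(b"ttyp0", b"kyle", b"", 0)
          + b"\0\0\0")

if __name__ == "__main__":
    for finding in check_utmp(SAMPLE, ts(2004, 1, 1, 0, 0, 0), NOW):
        print(finding)
```

Findings from a reader like this only show that the file and the expected format disagree; comparing the w/who binaries against known-good copies is a separate check.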