From owner-freebsd-security  Sat Jul  7 15:55:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66])
	by hub.freebsd.org (Postfix) with ESMTP id CF0C137B406
	for <security@FreeBSD.ORG>; Sat,  7 Jul 2001 15:55:41 -0700 (PDT)
	(envelope-from str@giganda.komkon.org)
Received: (from str@localhost)
	by giganda.komkon.org (8.11.3/8.11.3) id f67MteA15656;
	Sat, 7 Jul 2001 18:55:40 -0400 (EDT)
	(envelope-from str)
Date: Sat, 7 Jul 2001 18:55:40 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
Message-Id: <200107072255.f67MteA15656@giganda.komkon.org>
To: security@FreeBSD.ORG, str@giganda.komkon.org
Subject: Re: wtmp corrupted - ?
In-Reply-To: <200107072220.f67MKJ613641@giganda.komkon.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


Sorry, 
I just discovered, that it happened due to the disk partition being
filled up at some point, and wtmp became corrupted.

This brings another thought: it might be a good feature if login(1)
would be able to determine the disk space shortage, make a note for that
in wtmp, and stop logging until the disk space becomes available
(pretty much the way syslogd(8) handles such situation).

Regards,

Igor



I wrote earlier:

> Date: Sat, 7 Jul 2001 18:20:19 -0400 (EDT)
> From: Igor Roshchin <str@giganda.komkon.org>
> To: security@FreeBSD.ORG
> Subject: wtmp corrupted - ?
>
>
> Hello!
>
> I've just found that my wtmp file is corrupted.
> (See the output of last(1) below).
> Is this a bug or is it a sign of somebody trying to clear his trace ?
> (This is on 4.3-RELEASE).
>
> Are there any tools around which allow to easily read a corrupted wtmp ?
>
> thanks,
>
> Igor
>
> 50.85            200.191. 3408             Wed Dec 31 19:00   still logged in
> 50.85            200.191. 3378             Wed Dec 31 19:00   still logged in
> 5.134            63.29.16 3378ftp          Wed Dec 31 19:00   still logged in
> .112             38.16.82 3359str          Wed Dec 31 19:00   still logged in
> 56.169           212.57.1 3313             Wed Dec 31 19:00   still logged in
> 56.169           212.57.1 3313ftp          Wed Dec 31 19:00   still logged in
> 176.69           211.133. 3058             Wed Dec 31 19:00   still logged in
> 8.215            213.44.5 3058ftp          Wed Dec 31 19:00   still logged in
> 7.228            202.225. 3042             Wed Dec 31 19:00   still logged in
> 8.215            213.44.5 3042ftp          Wed Dec 31 19:00   still logged in
> 8.215            213.44.5 3005             Wed Dec 31 19:00   still logged in
> 98.203           217.80.1 2976             Wed Dec 31 19:00   still logged in
> 8.215            213.44.5 2974             Wed Dec 31 19:00   still logged in
> 98.203           217.80.1 2976ftp          Wed Dec 31 19:00   still logged in
> 148.201          200.236. 2974ftp          Wed Dec 31 19:00   still logged in
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message