From owner-freebsd-questions@FreeBSD.ORG Sun Mar 5 12:56:36 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8F9916A420 for ; Sun, 5 Mar 2006 12:56:36 +0000 (GMT) (envelope-from Shadow333@gmx.at) Received: from mail.gmx.net (mail.gmx.de [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 0C2AD43D45 for ; Sun, 5 Mar 2006 12:56:35 +0000 (GMT) (envelope-from Shadow333@gmx.at) Received: (qmail invoked by alias); 05 Mar 2006 12:56:35 -0000 Received: from unknown (EHLO [62.218.246.191]) [62.218.246.191] by mail.gmx.net (mp033) with SMTP; 05 Mar 2006 13:56:35 +0100 X-Authenticated: #1027147 Message-ID: <440AE000.50703@gmx.at> Date: Sun, 05 Mar 2006 13:56:33 +0100 From: Oliver Leitner Organization: http://www.neverslair-blog.net User-Agent: Mozilla Thunderbird 1.0.2 (X11/20051002) X-Accept-Language: de-DE, de, en-us, en MIME-Version: 1.0 To: freebsd@orchid.homeunix.org References: <4408D4D3.4030102@t-hosting.hu> <440A05B0.6070903@gmx.at> <440A10A5.5060205@t-hosting.hu> <440A1443.3090205@orchid.homeunix.org> <440A1795.3030904@gmx.at> <440AC491.8040904@orchid.homeunix.org> In-Reply-To: <440AC491.8040904@orchid.homeunix.org> X-Enigmail-Version: 0.91.0.0 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8bit X-Y-GMX-Trusted: 0 Cc: Giorgos Keramidas , =?ISO-8859-15?Q?K=F6ves?=, =?ISO-8859-15?Q?d=E1n_G=E1bor?= , freebsd-questions@freebsd.org Subject: Re: Where am I? :) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Mar 2006 12:56:37 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Karol Kwiatkowski schrieb: > [format recovered] > > Oliver Leitner wrote: > >>Karol Kwiatkowski schrieb: >> >>>>Kövesdán Gábor wrote: >>>> >>>> >>>>>I don't use any log cleaner, I triggered this accidentally. Please read >>>>>the whole thread if you're interested or see this: >>>>>http://www.freebsd.org/cgi/query-pr.cgi?pr=94060 >>>>> >>>>>Gabor Kovesdan >>>> >>>>Looks similar to this: >>>> >>>>http://lists.freebsd.org/pipermail/freebsd-questions/2004-December/068201.html >>>> >>>>Regards, >>>> >>>>Karol >>>> >> >>Well, it could have different reasons then: >> >>1. your box has been hacked, and you have a somewhat crippled login or >>shell, try to replace that things with clean ones. >> >>2. maybe there is something wrong with memory mapping, eventually diag >>your ram, or build a new "kernel". >> >>3. its just one of those accidently things that happen every 10 years >>once... > > > Very unlikely for various reasons: > - it wasn't me who reported it back then (my post was basically "me too") > - this is a test machine with one user, no direct connection, no > daemons except secured ssh, rebuilding world every other day > - the machine was running 5.x back then, now 6.1-PRERELEASE and I can > reproduce this; in fact I can do that on 6.0-RELEASE, too: > > [the same procedure Gabor Kovesdan wrote, only it seems 'login as fake > user' step is not needed] > > % karol@blackacidevil$ ssh -p 722 orchid > % Password: > % Last login: Sat Mar 4 12:05:43 2006 from blackacidevil.o > % [...motd skiped...] > % karol@orchid$ uname -sr > % FreeBSD 6.0-RELEASE-p2 > % karol@orchid$ w > % 11:31AM up 11 days, 9:24, 1 user, load averages: 0.29, 0.21, 0.17 > % USER TTY FROM LOGIN@ IDLE WHAT > % karol p0 blackacidevil.or 11:31AM - w > % karol@orchid$ login > % login: karol > % Last login: Sun Mar 5 11:31:22 from blackacidevil.o > % [...motd skiped...] > % karol@orchid$ w > % 11:32AM up 11 days, 9:25, 1 user, load averages: 0.11, 0.17, 0.16 > % USER TTY FROM LOGIN@ IDLE WHAT > % karol p0 - 11:32AM - w > % karol@orchid$ exit > % karol@orchid$ w > % 11:32AM up 11 days, 9:25, 0 users, load averages: 0.11, 0.17, 0.16 > % USER TTY FROM LOGIN@ IDLE WHAT > % karol@orchid$ > > Here, I disappeared from 'w's output. Root can't see me too: > > % karol@orchid$ su - > % Password: > % orchid: Yes, Master? w > % 11:35AM up 11 days, 9:28, 0 users, load averages: 0.53, 0.26, 0.19 > % USER TTY FROM LOGIN@ IDLE WHAT > > Here's what last(1) prints: > > % orchid: Yes, Master? last > % karol ttyp0 Sun Mar 5 11:32 - 11:32 > (00:00) > % karol ttyp0 192.168.1.66 Sun Mar 5 11:31 - 11:32 > (00:00) > % [...] > % orchid: Yes, Master? > > > It seems login(1) simply records "user logged out" the moment he's > logged in the second time (sorry, I'm not native English speaker ;) ) > > The reason I didn't send any PR back then I didn't know if it's a bug > or feature. Since there was virtually no response from list I assumed > it's not a bug (at least not a serious one) and I just made a personal > note: "don't use w(1), who(1), last(1) or /var/log/wtmp". > > Best regards, > > Karol > He is still logged in, so id suggest that this is a bug -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFECuAAWvEVE8MtwbgRAuLEAJ4sQfNx8p/JaugF4YyiRPgui6WmJACeMz5a Ta8ciquZ8Vf8UTZzWTr1llk= =P5ny -----END PGP SIGNATURE-----