[SunHELP] last command not working (topo's corrected)

Fabio fabio at crearium.com
Fri Oct 29 02:07:40 CDT 2004

Lund, Dennis wrote:

>We have an issue where the "last" command is NOT displaying accurate data.
>The command only displays login data from May 2004.
>The wtmpx file is updating when a user logs into the server, but logins from
>May 31st and earlier are the only logins displayed.
>wallacc   pts/14       xxx.xxx.xxx.xxx    Mon May 31 15:20 - 15:29  (00:08)
>perryc    pts/14       xxx.xxx.xxx.xxx    Mon May 31 11:37 - 11:43  (00:06)
>perryc    pts/14       xxx.xxx.xxx.xxx    Mon May 31 08:58 - 10:57  (01:58) 
>I have run a few tests on another system:
>1. cat /dev/null wtmpx (last still works showing login data)
>2. cat /dev/null utmpx (last still works)
>3. cat /dev/null lastlog (last still works)

Telnet or ssh to the machine, on the system, truss the login process to 
see if it attempts to log the session and gives an error.

It is also a typical scenario after an intruder rooted the machine.

Check inetd.conf to see what options are set when telnetd/sshd is executed.
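
To see what wtmpx actually contains independently of what `last` prints, the records can be read directly. This is an added example, not part of the original post: it assumes the on-disk layout is Solaris `struct futmpx` (372 bytes, big-endian as on SPARC), and the sample records and the names `audit_wtmpx`, `newest_login` and `make_record` are constructed for illustration.

```python
import struct

# ASSUMPTION: on-disk records follow Solaris "struct futmpx" (372 bytes),
# big-endian as on SPARC. Verify against <utmpx.h> on the affected host.
REC = struct.Struct(">32s4s32sihhh2xiii20xh257sx")
USER_PROCESS = 7  # ut_type value for a login session

def cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def audit_wtmpx(data):
    """Parse raw wtmpx bytes; return (records, findings)."""
    records, findings = [], []
    whole, extra = divmod(len(data), REC.size)
    if extra:
        findings.append(f"{extra} trailing bytes: size is not a multiple of {REC.size}")
    prev = None
    for n in range(whole):
        raw = data[n * REC.size:(n + 1) * REC.size]
        if not any(raw):
            findings.append(f"record {n}: entirely zero")
            continue
        user, _, line, pid, typ, _, _, sec, _, _, _, host = REC.unpack(raw)
        if prev is not None and sec < prev:
            findings.append(f"record {n}: time {sec} precedes {prev}")
        prev = sec
        records.append({"n": n, "user": cstr(user), "line": cstr(line),
                        "type": typ, "time": sec, "host": cstr(host)})
    return records, findings

def newest_login(records):
    """Latest USER_PROCESS timestamp, to compare with what last prints."""
    times = [r["time"] for r in records if r["type"] == USER_PROCESS]
    return max(times) if times else None

def make_record(user, line, sec, host=b""):
    # Builds a constructed sample record; not data from a real system.
    return REC.pack(user, b"", line, 100, USER_PROCESS, 0, 0, sec, 0, 0,
                    len(host), host)

SAMPLE = (make_record(b"user1", b"pts/14", 1085961600, b"host.example")
          + bytes(REC.size)                              # zeroed record
          + make_record(b"user2", b"pts/3", 1099008000)
          + make_record(b"user3", b"pts/5", 1090000000)  # goes backwards
          + b"\0" * 10)                                  # truncated tail

if __name__ == "__main__":
    recs, issues = audit_wtmpx(SAMPLE)
    print("newest login:", newest_login(recs))
    for i in issues:
        print("finding:", i)
```

On a real host, pass the bytes of a copy of `/var/adm/wtmpx` to `audit_wtmpx`. A backwards timestamp can also come from a clock change, so treat each finding as a place to look rather than as proof of tampering.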


