bad logins

 
SOLVED
Go to solution
Jerry L. Sims
Frequent Advisor

bad logins

Hello fellow HP-UXers (smile):

Can anyone tell me the best way to clean up the /var/adm/btmp (data file)? Someone with root access attempted to log in to the system, and typed the root password instead of the login ID. Now the root password is sitting there (/var/adm/btmp) in plain text. Do I have to:
o remove "/var/adm/btmp"?
o create a new root password?

or is there another way to just remove the embedded password, and leave the rest of the data in place? Please advise, and thanks for the help.

7 REPLIES
Helen French
Honored Contributor

Re: bad logins

You can do this:

# > /var/adm/btmp

This will nullify the file. You don't need to remove the file or create a new root password.
Life is a promise, fulfill it!
Sridhar Bhaskarla
Honored Contributor
Solution

Re: bad logins

Hi,

You can use 'fwtmp' to do the job for you. Convert the binary file to ASCII. Edit it and make changes and then convert it back to binary.

#cd /usr/sbin/acct
#./fwtmp < /var/adm/btmp > btmp.txt

vi btmp.txt (search for the string and delete it)
#./fwtmp -ic < btmp.txt > /var/adm/btmp

You will need to remember that after overwriting the existing btmp file, you will lose the bad logins during that time frame.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
A. Clay Stephenson
Acclaimed Contributor

Re: bad logins

I would use fwtmp to read in the binary file and produce a text file output. Edit this text file and then use fwtmp -ic to read in the text file to produce a new btmp file minus anything you want to throw away. Man fwtmp for details.
If it ain't broke, I can fix that.
Tom Danzig
Honored Contributor

Re: bad logins

The easiest thing to do is zero out the file as described above. If you want to save the contents, you can do:

cat /var/adm/btmp | /usr/sbin/acct/fwtmp > /tmp/ascii_btmp

vi /tmp/ascii_btmp to delete the records you want.

cat /tmp/ascii_btmp | /usr/sbin/acct/fwtmp -ic > /var/adm/btmp

This will allow you to remove the offending line.
Uday_S_Ankolekar
Honored Contributor

Re: bad logins

The files can be zeroed or removed, but if they are removed they need to be manually recreated, as they are not created by the programs that maintain them. Thus, if these files are removed, record-keeping is turned off.

If you want to recreate them, note the ownerships and permissions before removing them and reset the ownerships and permissions after recreating the files (usually with touch to create empty files). This is EXTREMELY important -> especially for the btmp file.

-USA..
Good Luck..
Steven E. Protter
Exalted Contributor

Re: bad logins

> /var/adm/btmp

This will clear the file and you should do that periodically for this very reason.


log in as root

passwd

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: bad logins

It sounds like btmp has the wrong permissions!!! last and lastb are the same program and they are both section 1 commands, that is, available to all users. The /var/adm/btmp file must NEVER be readable by anyone except root. The reason is as you have already stated--someone wasn't watching and typed the password as the login and vice-versa. You can always zero the entire file, but the most important thing is to change permissions to 600. If this is an obsolete version of HP-UX (10.20 or earlier), the btmp file had to be created before bad logins were logged, and since the default (yuck) umask is zero, the file would be created with 666 permissions.

The problem with btmp isn't just with root, it is true for any user. lastb is a hacker's best friend as it only shows mistakes, and passwords are easy to see when the user makes a mistake.


Bill Hassell, sysadmin
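The fwtmp round trip from Sridhar's and Tom's replies, combined with the owner-only-permissions point from Uday's and Bill's, as an added example script (not code from any reply in this thread). It assumes the HP-UX fwtmp text layout puts the typed login name in the first whitespace-separated field of each record, that /usr/sbin/acct/fwtmp exists as stated above, and it hands the mistyped secret to awk through the environment rather than the command line so it never shows up in ps while the filter runs.

```shell
#!/bin/sh
# Added example, not from any reply in this thread.  Assumed: fwtmp(1M)
# text output has the typed login name in field 1 of each record, and
# FWTMP points at the real binary (/usr/sbin/acct/fwtmp as named above).

BTMP=${BTMP:-/var/adm/btmp}
FWTMP=${FWTMP:-/usr/sbin/acct/fwtmp}

# Filter an fwtmp text dump on stdin: drop every record whose login field
# equals the secret given as $1, print the rest unchanged.  The secret is
# passed to awk via the environment (BTMP_BAD), not as an argument, so it
# is not visible in `ps -ef` while awk runs.  Exit 0 if a record was dropped.
scrub_btmp_text() {
    BTMP_BAD=$1 awk '
        ($1 "") == (ENVIRON["BTMP_BAD"] "") { dropped++; next }  # string compare
        { print }
        END { exit (dropped ? 0 : 1) }'
}

# Whole procedure: dump, scrub, write back over the same inode, re-check mode.
scrub_btmp() {
    umask 077                          # temp copies hold the secret: owner-only
    tmp=/tmp/btmp.$$
    "$FWTMP" < "$BTMP" > "$tmp.txt" || return 1
    printf 'Mistyped login to remove (not echoed): '
    stty -echo; read -r bad; stty echo; echo   # a login with spaces is not one field
    if ! scrub_btmp_text "$bad" < "$tmp.txt" > "$tmp.clean"; then
        echo "no record with that login field; $BTMP left untouched" >&2
        rm -f "$tmp.txt" "$tmp.clean"; return 1
    fi
    # Redirecting onto the existing file truncates in place, so the owner
    # and mode of btmp survive; no touch/chown dance needed (Uday's point).
    "$FWTMP" -ic < "$tmp.clean" > "$BTMP" || return 1
    chmod 600 "$BTMP"                  # must never be readable except by root
    rm -f "$tmp.txt" "$tmp.clean"      # plain rm; the copies lived under umask 077
    echo "$BTMP rewritten without the offending record(s)" >&2
}

# Only run interactively when asked, so sourcing this file defines functions only.
if [ "${1:-}" = --run ]; then scrub_btmp; fi
```

Run as root with `sh scrub_btmp.sh --run`; afterwards `lastb` should no longer show the record, and `ls -l /var/adm/btmp` should show mode 600.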