Actually, this is not an HP-UX problem, it can be caused by problems. One is that your system logs have not been archived in the last year and logins that are more than a year old may be showing up as logins. The other (more likely) problem is that connections have been destroyed by terminals that were simply powered off rather than a normal logout. For PCs and other computers using terminal emulators, these boxes may have crashed or the user simply destroys the window rather than logging out.
The utmp file is where the who command looks and it can become out of sync with reality when these bad connections occur. utmp is simply tracking logins and logouts and knows nothing about whether the user is actually connected. A login entry is recorded and then later, a logout record may be recorded (or not) into wtmp. And since user programs can write to utmp with system calls, utmp can become corrupted. wtmp can be corrupted the same way as it picks up its loging and logout data from the same source as utmp.
Therefore, who and last are only guesses as to active sessions and should not be used as a reliable indicators. If you reboot, all these bad records are cleared and utmp is rebuilt, at which point, the who command will once again be accurate. For last, you would manually use fwtmp (archaic and cryptic as it is) to manually fix the missing logout records. The ps -u command is accurate for 'real' user sessions.
Bill Hassell, sysadmin
