HPE Community
Operating System - HP-UX
1834178 Members
2513 Online
110064 Solutions
New Discussion

Unusual output from wtmp

 
SOLVED
Go to solution
Craig Rants
Honored Contributor

‎12-18-2001 08:59 AM

‎12-18-2001 08:59 AM

Unusual output from wtmp

I have just come upon something that maybe someone can shed some light on. Not on how to fix the problem, but more about why.

When I run a "last | grep still" I get about 40 of these:

root rexecd Sat Dec 8 15:41 still logged in
user1 ftp Fri Dec 7 13:38 still logged in

However, I am the only one logged on. I know how to fix this with fwtmp, and why I would see this for telnet, but I don't know why I got so many in a short amount of time for rexecd and ftp.

If someone has seen this type of anomaly before I would appreciate some background info.

Thanks,
Craig
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
7 REPLIES 7
Sridhar Bhaskarla
Honored Contributor

‎12-18-2001 09:03 AM

‎12-18-2001 09:03 AM

Re: Unusual output from wtmp

Hi Craig,

Did you check up the man page for last?. It says

last indicates if the session is still in progress or if it was cut
short by a reboot.

So, you might have rebooted the box when those sessions were up.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Craig Rants
Honored Contributor

‎12-18-2001 09:30 AM

‎12-18-2001 09:30 AM

Re: Unusual output from wtmp

Shridar,
I thought about that, both the source and destination boxes have not been rebooted since well prior to these entries.
Thanks,
Craig
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎12-18-2001 10:01 AM

‎12-18-2001 10:01 AM

Solution

Re: Unusual output from wtmp

Do you have any ReflectionX session still active ? I know that ReflectionX actually runs rexec to call hpterm. That might explain why you got these entries in wtmp. Another thing is a "parent-rexecd" can spawn other child processes and even though the "parent-rexecd" is killed, there might be some child processes still active.
Reply
S.K. Chan
Honored Contributor

‎12-18-2001 10:12 AM

‎12-18-2001 10:12 AM

Re: Unusual output from wtmp

Check out this patch (for 11.0), it has fixes for rexecd not updating wtmp and btmp properly.
PHNE_21731
0 Kudos
Reply
Helen French
Honored Contributor

‎12-18-2001 10:38 AM

‎12-18-2001 10:38 AM

Re: Unusual output from wtmp

hey,

I agree with Chan ... i have observed these same stuffs and i found most of them have come from my ReflectionX software which run an 'rexec' command.

I have found same thing with some of the ftp sessions too !

Shiju
Life is a promise, fulfill it!
Reply
Craig Rants
Honored Contributor

‎12-18-2001 11:52 AM

‎12-18-2001 11:52 AM

Re: Unusual output from wtmp

Thanks for the input, both the patch or Reflection could be the prob, I'll look into both.

Thanks,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎12-18-2001 12:29 PM

‎12-18-2001 12:29 PM

Re: Unusual output from wtmp

Be sure that wtmp is less than one year old. A very large wtmp file (last reads this file) may have 2-4 years worth of data and the data from 2 years ago will look like it is this year's data.

Also, as mentioned, PC crashes are the leading cause of corrupted utmp and wtmp entries, caused primarily by improper exiting of processes and login sessions.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.