summary of replies to [strange stuff in 'last' command]
- From: "Sheldon E. Newhouse" <sen1 math msu edu>
- To: linux-security redhat com
- Subject: summary of replies to [strange stuff in 'last' command]
- Date: Wed, 12 Aug 1998 21:58:46 -0400 (EDT)
Sheldon E. Newhouse writes:
> Anyone have ideas on what this output from the 'last' command means?
>
> TIA,
> -sen
>
> xF* **** otify ***@ Sat Aug 1 20:52 still logged in
> xF* **** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
> xF* **** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
> xF* **** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
> xF* **** otify ***@ Sat Aug 1 20:52 - 20:52 (00:00)
>
Thanks to all who replied.
The culprit seems to have been incompatibilities in utmp/wtmp between
glibc and libc-5, and not the result of a hacker invading my system.
Many sent similar responses, so I am forwarding just a few of those
which were different from each other.
-sen
*******************
From: "Charles R. Anderson" <cra WPI EDU>
This is the result of a bug in xterm from XFree86-3.3.2. I submitted a
patch to XFree86 and redhat about a month ago, so this should hopefully be
fixed soon. The problem is xterm is not clearing utmp properly on exit.
sen1> others notice this strange output of 'last'? Is this a security issue or
sen1> more likely just growing pains for utmp and glibc?
There is no major security problem that I am aware of, however you could
consider incorrect wtmp logging a security problem.
******************
From: Dave Cinege <dcinege psychosis com>
libc6 and libc5 use different utmp formats. If you run a libc6 (libc5) system
and use libc5 (libc6) apps that touch utmp or wtmp it will cause corruption.
OTOH Debian 2.0's libc5 is patched with a wrapper function for the new utmp
format. You could get hold of that if you are unable to upgrade the offending
app to glibc. I'd recommend just installing Debian instead. : >
******************
From: Paul Carpenter <paul dodgenet com>
I saw this same problem going from a Slackware system to RH5.0. I replaced
my SSH with an updated one and the problem went away. The old version
didn't use PAM and the new one does, but I never looked into it any
further.
******************
From: Jaakko Hyvatti iki fi
A glibc-based system has a different format in utmp and wtmp than a
libc-5-based system. You have some applications on your system that
update utmp and/or wtmp but which are compiled with libc-5, or even which
do not use library functions to update those files. Find them and
recompile or fix them.
******************
From: Pavel Kankovsky <peak kerberos troja mff cuni cz>
who dumps utmp, last dumps wtmp
> Reboots stop the problem for awhile but then it reappears.
reboot resets utmp...
> I also read that glibc has sometimes produced corruption in utmp. Do
> others notice this strange output of 'last'? Is this a security issue or
> more likely just growing pains for utmp and glibc?
the format of utmp and wtmp in glibc2 aka libc6 is different from the
format used in libc5 (which forked off glibc1 a long time ago)
this is not a real security issue (but it could have security
ramifications like any other problem)
your wtmp seems to be corrupted (mixed formats); the easiest "fix" is to
erase the contents of /var/log/wtmp (the proper remedy would be to
separate the part in the old format from the part in the new format, and
convert the old part into the new format)
but before changing any files, make sure all programs using utmp and wtmp
(last, who, w, login, xterm...) are based on glibc2 (ldd program)
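The diagnosis above (a file read with the wrong record stride) and the "separate the old-format part from the new-format part" remedy can be checked mechanically. The script below is an added example, not code from the thread or from any of the posters: it parses the glibc2 `struct utmp` layout (384 bytes on i386/x86_64), walks a wtmp image the way `last` does, flags records whose fields cannot have been written by glibc2, and then re-synchronises on the next run of sane records so the stray bytes can be split out. The sample wtmp is constructed inline; the 56-byte "foreign" record stands in for a libc5-format entry and its exact layout is an assumption, since the only thing that matters is that it is not 384 bytes long. Record conversion of the old part is left to the reader; the dropped byte ranges are returned so they can be kept.

```python
"""Added example: detect and split mixed-format records in a wtmp file."""
import struct

# glibc2 struct utmp (little-endian, i386/x86_64), as declared in <utmp.h>:
#   short ut_type; [2 pad]; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 0, 2, 6, 7, 8, 9


def _cfield(value, size):
    """NUL-pad a str/bytes into a fixed-size C char array."""
    raw = value.encode() if isinstance(value, str) else value
    return raw[:size].ljust(size, b"\0")


def pack_record(ut_type, pid, line, user, host, tv_sec, ut_id=""):
    """Build one glibc2 wtmp record (only the fields `last` displays are set)."""
    return struct.pack(UTMP_FMT, ut_type, pid, _cfield(line, 32), _cfield(ut_id, 4),
                       _cfield(user, 32), _cfield(host, 256), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _clean_cstr(raw):
    """Decode a NUL-padded char array; None if non-printable or not NUL-padded."""
    text, _, tail = raw.partition(b"\0")
    if tail.strip(b"\0") or any(not 32 <= b < 127 for b in text):
        return None
    return text.decode()


def is_plausible(chunk):
    """True if `chunk` looks like a record glibc2 could have written."""
    f = struct.unpack(UTMP_FMT, chunk)
    ut_type, tv_sec = f[0], f[9]
    if ut_type == EMPTY:
        return chunk == bytes(UTMP_SIZE)  # unused slots are all zero
    if not 1 <= ut_type <= ACCOUNTING:
        return False
    line, ut_id, user, host = (_clean_cstr(f[i]) for i in (2, 3, 4, 5))
    if None in (line, ut_id, user, host) or tv_sec <= 0:
        return False
    if ut_type in (LOGIN_PROCESS, USER_PROCESS) and not (line and user):
        return False
    return ut_type != DEAD_PROCESS or bool(line)


def unpack_record(chunk):
    f = struct.unpack(UTMP_FMT, chunk)
    return {"type": f[0], "pid": f[1], "line": _clean_cstr(f[2]), "id": _clean_cstr(f[3]),
            "user": _clean_cstr(f[4]), "host": _clean_cstr(f[5]), "time": f[9]}


def scan_wtmp(data, start=0):
    """Walk `data` in 384-byte strides like `last`; return (records, bad_offsets, trailing_bytes)."""
    records, bad, off = [], [], start
    while off + UTMP_SIZE <= len(data):
        chunk = data[off:off + UTMP_SIZE]
        if is_plausible(chunk):
            records.append((off, unpack_record(chunk)))
        else:
            bad.append(off)
        off += UTMP_SIZE
    return records, bad, len(data) - off


def find_resync(data, start, run=2):
    """Smallest byte offset >= start where `run` consecutive plausible records begin, else None."""
    for off in range(start, len(data) - UTMP_SIZE * run + 1):
        if all(is_plausible(data[off + k * UTMP_SIZE:off + (k + 1) * UTMP_SIZE]) for k in range(run)):
            return off
    return None


def repair_wtmp(data, run=2):
    """Keep the glibc2-format records; return (clean_bytes, [(lo, hi), ...] byte ranges dropped)."""
    kept, dropped, off = bytearray(), [], 0
    while off + UTMP_SIZE <= len(data):
        chunk = data[off:off + UTMP_SIZE]
        if is_plausible(chunk):
            kept += chunk
            off += UTMP_SIZE
            continue
        nxt = find_resync(data, off + 1, run)
        dropped.append((off, len(data) if nxt is None else nxt))
        if nxt is None:
            return bytes(kept), dropped
        off = nxt
    if off < len(data):
        dropped.append((off, len(data)))
    return bytes(kept), dropped


T0 = 902019120  # constructed timestamp, early August 1998
# Constructed sample wtmp: three glibc2 records, 56 bytes in a different layout
# (assumed libc5-like; not 384 bytes, which is all that matters), three more glibc2 records.
FOREIGN_RECORD = struct.pack("<hxxi12s2sxxi8s16si", 7, 4242, b"ttyp9", b"p9",
                             T0 + 300, b"libc5usr", b"oldbox", 0)
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "2.0.35", T0),
    pack_record(USER_PROCESS, 412, "tty1", "alice", "", T0 + 60),
    pack_record(DEAD_PROCESS, 412, "tty1", "", "", T0 + 240),
    FOREIGN_RECORD,
    pack_record(USER_PROCESS, 933, "pts/0", "bob", "10.0.0.5", T0 + 700, "p0"),
    pack_record(DEAD_PROCESS, 933, "pts/0", "", "", T0 + 900, "p0"),
    pack_record(USER_PROCESS, 1201, "tty2", "alice", "", T0 + 1000),
])

if __name__ == "__main__":
    records, bad, trailing = scan_wtmp(SAMPLE_WTMP)
    print(f"stride scan: {len(records)} ok, misaligned at {bad}, {trailing} trailing bytes")
    fixed, dropped = repair_wtmp(SAMPLE_WTMP)
    print(f"dropped {dropped}; {len(scan_wtmp(fixed)[0])} records after repair")
```

Run against a real file with `scan_wtmp(open("/var/log/wtmp", "rb").read())` on a glibc2 box; a clean file gives no bad offsets and zero trailing bytes, while a file that a libc5 program has appended to shows every record after the first foreign one as misaligned, which is exactly the run of garbage lines `last` printed above. Write the repaired bytes to a new file rather than over the original, and only after confirming with `ldd` that nothing on the system still links libc.so.5.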