This is a discussion on curious wtmp date within the Linux Security forums, part of the System Security and Security Related category.

When I logged into one of my servers today I ran last and it showed only
one login. Which as far as I know is correct because I'm pretty sure that
I haven't logged into this server this month. But I looked at the bottom
and saw that the line

wtmp begins Wed Jul 6 13:45:30 2005

I checked some other servers and they begin
wtmp begins Wed Jul 6 14:55:54 2005
wtmp begins Wed Jul 6 9:30:27 2005

All 3 of these files show the initial logon that I made today only. Which
as far as I know this is correct since I rarely logon to these servers.

2 other servers which I logged into showed that the file begins when I
logged into them.

Another server shows
wtmp begins Fri Jul 1 15:43:32 2005
but doesn't show a login for this time, the first login is Jul 5

This seems to be a little odd to me. Is this something I should be
concerned about or is there an explanation for this other than someone is
hacking the servers and manipulating the wtmp files.

On Fri, 08 Jul 2005 20:57:20 -0500, Philip Washington
<phwashington@comcast.net> wrote:
>
> Another server shows
> wtmp begins Fri Jul 1 15:43:32 2005
> but doesn't show a login for this time, the first login is Jul 5
>
> This seems to be a little odd to me. Is this something I should be
> concerned about or is there an explanation for this other than someone is
> hacking the servers and manipulating the wtmp files.
>

Have you checked whether there are any "old" wtmp files?
(ls -l /var/log/*wtmp*)
Is it possible your machines have been rebooted, perhaps due to a power
failure?

--
Tonight you will pay the wages of sin; Don't forget to leave a tip.

Philip Washington wrote:
> When I logged into one of my servers today I ran last and it showed only
> one login. Which as far as I know is correct because I'm pretty sure that
> I haven't logged into this server this month. But I looked at the bottom
> and saw that the line
>
> wtmp begins Wed Jul 6 13:45:30 2005

Many systems have cron jobs that clear wtmp weekly.

--
Tony Lawrence
Unix/Linux/Mac OS X resources: http://aplawrence.com

On Sat, 09 Jul 2005 00:31:03 -0400, Bill Marcum wrote:
> On Fri, 08 Jul 2005 20:57:20 -0500, Philip Washington
> <phwashington@comcast.net> wrote:
>>
>> Another server shows
>> wtmp begins Fri Jul 1 15:43:32 2005
>> but doesn't show a login for this time, the first login is Jul 5
>>
>> This seems to be a little odd to me. Is this something I should be
>> concerned about or is there an explanation for this other than someone is
>> hacking the servers and manipulating the wtmp files.
>>
> Have you checked whether there are any "old" wtmp files?
> (ls -l /var/log/*wtmp*)
> Is it possible your machines have been rebooted, perhaps due to a power
> failure?

Yes, there is another file, wtmp.1. This file starts on June 5th,
correlating to a reboot.

I did look at /var/log/messages and the start time for the wtmp file
correlates to a logout. But there is a cron job which runs on another
server and copies files over to this server using scp, and this login shows
up for July 4th but does not show up when I run last.

So far I have not been able to locate the cron job or configuration file
which tells the system how to handle different log files. I know I've seen
it before, just can't remember right now where it is.

"Philip Washington" <phwashington@comcast.net> wrote in message
news:pan.2005.07.09.01.57.19.401794@comcast.net...
> When I logged into one of my servers today I ran last and it showed only
> one login. Which as far as I know is correct because I'm pretty sure that
> I haven't logged into this server this month. But I looked at the bottom
> and saw that the line
>
> wtmp begins Wed Jul 6 13:45:30 2005
>
> I checked some other servers and they begin
> wtmp begins Wed Jul 6 14:55:54 2005
> wtmp begins Wed Jul 6 9:30:27 2005
>
> All 3 of these files show the initial logon that I made today only. Which
> as far as I know this is correct since I rarely logon to these servers.

What you are seeing is the effect of normal log-rotation. Shouldn't be
anything to worry about.
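
Added example, not part of any post in this thread: a small parser that reads wtmp records directly and compares the first record in the file (the time `last` reports as "wtmp begins") with the first actual login record, the situation described above where the file starts at a logout. It assumes the Linux glibc 384-byte record layout; the helper names, the user `admin` and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: Linux glibc utmp record layout (384 bytes, little-endian).
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 6: "LOGIN_PROCESS",
         7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield (time, type_name, user, line) for each complete record."""
    usable = len(data) - len(data) % REC.size  # drop a truncated tail
    for f in REC.iter_unpack(data[:usable]):
        when = datetime.fromtimestamp(f[9], tz=timezone.utc)  # f[9] = tv_sec
        yield when, TYPES.get(f[0], str(f[0])), _text(f[4]), _text(f[2])

def summarize(data):
    """Return (first record in the file, first login record)."""
    records = list(parse_wtmp(data))
    first = records[0] if records else None
    login = next((r for r in records if r[1] == "USER_PROCESS"), None)
    return first, login

def make_record(ut_type, line, user, when):
    """Build one constructed record for the sample below."""
    return REC.pack(ut_type, 0, line, b"", user, b"", 0, 0, 0,
                    int(when.timestamp()), 0, 0, 0, 0, 0, b"")

# Constructed sample: after rotation the first event written is a logout
# (DEAD_PROCESS); the first login (USER_PROCESS) follows four days later.
SAMPLE = (
    make_record(8, b"pts/0", b"",
                datetime(2005, 7, 1, 15, 43, 32, tzinfo=timezone.utc))
    + make_record(7, b"pts/0", b"admin",
                  datetime(2005, 7, 5, 9, 0, 0, tzinfo=timezone.utc))
)

if __name__ == "__main__":
    first, login = summarize(SAMPLE)
    print("wtmp begins:", first[0], "record type:", first[1])
    print("first login:", login[0], login[2], login[3])
```

To check a real file, pass `open("/var/log/wtmp", "rb").read()` (or the rotated `wtmp.1`) to `summarize`; times are printed in UTC, while `last` shows local time.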