Re: SOLVED: Erk! Something is *really* wrong here!
At 05:30 PM 3/3/97 +0100, Miquel van Smoorenburg wrote:
>Just copy your wtmp file to wtmp.old or so, and truncate (not delete) the
>original one using ": > /var/log/wtmp" when this happens again.
No sooner did I do it than this appears:
[root@orion:p1:/var/log] last
****** *****w*3 Tue Mar 4 09:14 still logged in
rsb ttyS0 Tue Mar 4 09:13 still logged in
amf ttyE3 Tue Mar 4 09:11 still logged in
wtmp begins Tue Mar 4 09:11:34 1997
<sigh> Why me?
Incidentally, here's the first part of the wtmp when I thought things
might've been fixed (start at the bottom first):
ftp ftp filez.external.s Tue Mar 4 03:47 - 03:50 (00:03)
****** *****)*3 Tue Mar 4 03:43 - 05:56 (02:13)
****** *****$*3 Tue Mar 4 03:22 - 03:43 (00:20)
****** *****"*3 Tue Mar 4 03:12 - 03:22 (00:10)
ftp ftp 17.65.42.81 Tue Mar 4 02:32 - 03:16 (00:43)
ftp ftp 17.65.42.81 Tue Mar 4 02:30 - 02:30 (00:00)
ftp ftp 17.65.42.81 Tue Mar 4 02:08 - 02:25 (00:17)
akira ttyS7 Tue Mar 4 01:58 - 08:12 (06:14)
root ttyp0 oracle.tower.net Tue Mar 4 01:38 - 02:22 (00:43)
karl ttyp0 kaos.tower.net.a Tue Mar 4 01:31 - 01:34 (00:02)
karl ftp serial1-3.pd.sta Tue Mar 4 01:21 - 01:24 (00:03)
ogod ttyS10 Tue Mar 4 01:18 - 03:12 (01:53)
karl ttyp0 serial1-3.pd.sta Tue Mar 4 01:18 - 01:30 (00:11)
karl ttyS3 Tue Mar 4 01:18 - 01:30 (00:12)
karl ttyp0 kaos.tower.net.a Tue Mar 4 01:12 - 01:14 (00:02)
earp ttyS1 Tue Mar 4 01:09 - 03:43 (02:34)
bobs ttyS2 Tue Mar 4 01:09 still logged in
Notice the ftp connections just before it stuffs up? Well, absolutely
nothing else happened at this time (apart from usual things like an rexec
from a machine that does it every minute) - hence the log:
Mar 4 03:12:17 orion in.qpopper[10686]: connect from zalem.tower.net.au
Mar 4 03:12:31 orion in.rexecd[10689]: connect from wombat.star.net.au
Mar 4 03:12:31 orion in.rexecd[10689]: connect from wombat.star.net.au
Mar 4 03:12:31 orion in.rexecd[10689]: login from wombat.star.net.au as greaper
Mar 4 03:12:48 orion in.smtpd[10690]: connect from uucp.intac.com
Mar 4 03:12:56 orion in.smtpd[10691]: connect from primer.i-connect.net
I've checked either side of this and found bugger all as well.
What puzzles me even more is that there's evidence of this on another
machine that I only recently put Linux on (debian). The other machine is
just a news/proxy server and the only use of wtmp/utmp recording is me logging
in over the lan.
The worst thing is, just when you think it's gone and things seem to be ok
- something corrupts the utmp/wtmp. And from then corrupted entries can
appear as many as 5 in a MINUTE like this:
****** ****o**3 Mon Mar 3 21:38 - 21:39 (00:00)
****** ****2**3 Mon Mar 3 21:37 - 21:38 (00:01)
****** ****!**3 Mon Mar 3 21:37 - 21:37 (00:00)
****** **** Mon Mar 3 21:37 - 21:37 (00:00)
****** *******3 Mon Mar 3 21:36 - 21:37 (00:00)
****** *******3 Mon Mar 3 21:36 - 21:36 (00:00)
But as you may notice - the predominant number in the corruption is 3.
I've even tried downgrading all base packages to rex-fixed instead of bo and
still don't get any joy. I can rule out a corrupted kernel compile because
I've done it several times on both machines and still get the
problem. It can't be the mgetty, because it does it even when nothing is
really happening.
Ummm... HELP! :-)
Hmmm, some more news - I've co-incided the first two
corrupted entries (from the ppp.log) after I did what you said to zap the
wtmp file:
****** ****@x*3 Tue Mar 4 09:17 - 09:23 (00:05)
****** *****w*3 Tue Mar 4 09:14 - 09:17 (00:03)
Mar 4 09:13:35 orion pppd[15240]: pppd 2.2.0 started by rsb, uid 1019
Mar 4 09:13:35 orion pppd[15240]: Using interface ppp5
Mar 4 09:13:35 orion pppd[15240]: Connect: ppp5 <--> /dev/ttyS0
Mar 4 09:13:36 orion pppd[15240]: local IP address 203.22.233.3
Mar 4 09:13:36 orion pppd[15240]: remote IP address 203.15.138.200
Mar 4 09:13:39 orion pppd[15240]: CCP terminated at peer's request
Mar 4 09:13:39 orion pppd[15240]: Compression disabled by peer.
Mar 4 09:14:48 orion pppd[15240]: LCP terminated at peer's request
Mar 4 09:14:51 orion pppd[15240]: Connection terminated.
Mar 4 09:14:51 orion pppd[15240]: Exit.
Mar 4 09:17:51 orion pppd[15206]: LCP terminated at peer's request
Mar 4 09:17:52 orion pppd[15206]: Modem hangup
Mar 4 09:17:52 orion pppd[15206]: Connection terminated.
Mar 4 09:17:52 orion pppd[15206]: Exit.
and
Mar 4 09:23:05 orion pppd[15425]: pppd 2.2.0 started by deanro, uid 1071
Mar 4 09:23:05 orion pppd[15425]: Using interface ppp5
Mar 4 09:23:05 orion pppd[15425]: Connect: ppp5 <--> /dev/ttyS6
Mar 4 09:23:11 orion pppd[15425]: local IP address 203.22.233.3
Mar 4 09:23:11 orion pppd[15425]: remote IP address 203.15.138.206
Mar 4 09:23:14 orion pppd[15425]: CCP terminated at peer's request
Mar 4 09:23:14 orion pppd[15425]: Compression disabled by peer.
Mar 4 09:24:15 orion pppd[15365]: Modem hangup
Mar 4 09:24:15 orion pppd[15365]: Connection terminated.
Mar 4 09:24:15 orion pppd[15365]: Exit.
I'm also running the latest ppp package in bo. But a gentle reminder says
that it doesn't just happen when ppp starts or stops.
Thanks for any help and your patience.
--
___________________________________________________________________
Karl Ferguson,
Tower Networking Pty Ltd karl@tower.net.au
t/a STAR Online Services karl@debian.org
Tel: +61-9-455-3446 Fax: +61-9-455-2776 http://www.star.net.au
___________________________________________________________________