Re: /var/log/setuid.today wierdness in cluster
>
> You can do something like last -f /var/log/wtmp.1
wow! a decoder ring!
scanning a 14,8mb wtmp file, it produces very little output
:
-rw-rw-r-- 1 root utmp 14849280 Nov 22 06:20 wtmp.1
c0n5:/var/log>> last -f /var/log/wtmp.1
wtmp.1 begins Thu Nov 21 06:25:03 2002
this file grows from midnite to midnite from 0 to almost 220mb.
so there is something afoot!
>
> Maybe the nodes are sshing into the server for some reason? Although
> only interactive ssh's should show in the wtmp file, I'd imagine it'll
> be something like that. Maybe rshing in or something.
i looked around /var/log and found this:
-rw-r----- 1 root adm 3524716 Nov 22 12:19 auth.log
c0n5:/var/log>> tail auth.log
Nov 22 12:17:11 c0n5 getty[8270]: /dev/tty5: cannot open as standard
input: No such device
Nov 22 12:17:11 c0n5 getty[8271]: /dev/tty6: cannot open as standard
input: No such device
Nov 22 12:17:20 c0n5 getty[8272]: /dev/tty1: cannot open as standard
input: No such device
Nov 22 12:17:21 c0n5 getty[8273]: /dev/tty2: cannot open as standard
input: No such device
Nov 22 12:17:21 c0n5 getty[8274]: /dev/tty3: cannot open as standard
input: No such device
Nov 22 12:17:21 c0n5 getty[8275]: /dev/tty4: cannot open as standard
input: No such device
Nov 22 12:17:21 c0n5 getty[8276]: /dev/tty5: cannot open as standard
input: No such device
Nov 22 12:17:21 c0n5 getty[8277]: /dev/tty6: cannot open as standard
input: No such device
Nov 22 12:20:29 c0n5 sshd[8278]: Accepted password for root from
10.42.42.104 port 51754 ssh2
Nov 22 12:20:29 c0n5 PAM_unix[8278]: (ssh) session opened for user root
by (uid=0)
this looks to be a symptom. all these ttyn devices are trying to do
something... they are triggering getty up to many times per second.
this probably accounts for the thousands of entries in wtmp that are
transparant to the program last.
thanks again
dave
--
Dave Mallery, K5EN (debian testing & woody)
PO Box 520 .~. _ Ramah, NM 87321
/V\ -o)
no gates... /( )\ /\\ running Debian GNU/Linux
no windows! ^^^^^ _\_v free at last!
Reply to: