Re: /var/log/setuid.today wierdness in cluster

To: Debian UserList <debian-user@lists.debian.org>
Subject: Re: /var/log/setuid.today wierdness in cluster
From: dave mallery <dmallery@cia-g.com>
Date: Fri, 22 Nov 2002 12:23:25 -0700
Message-id: <[🔎] 20021122192325.GC27068@bilbo>
In-reply-to: <[🔎] 20021122044106.GA13937@dragon.kitenet.net>
References: <[🔎] 20021121153047.GA26030@bilbo> <[🔎] 20021121171226.GD4001@dragon.kitenet.net> <[🔎] 20021122042330.GA27068@bilbo> <[🔎] 20021122044106.GA13937@dragon.kitenet.net>

> 
> You can do something like last -f /var/log/wtmp.1

wow! a decoder ring!
scanning a 14,8mb wtmp file, it produces very little output
:
-rw-rw-r--    1 root     utmp     14849280 Nov 22 06:20 wtmp.1
c0n5:/var/log>> last -f /var/log/wtmp.1

wtmp.1 begins Thu Nov 21 06:25:03 2002

this file grows from midnite to midnite from 0 to almost 220mb.
so there is something afoot!
> 
> Maybe the nodes are sshing into the server for some reason? Although
> only interactive ssh's should show in the wtmp file, I'd imagine it'll
> be something like that. Maybe rshing in or something.

i looked around /var/log and found this:

-rw-r-----    1 root     adm       3524716 Nov 22 12:19 auth.log

c0n5:/var/log>> tail auth.log
Nov 22 12:17:11 c0n5 getty[8270]: /dev/tty5: cannot open as standard 
input: No such device
Nov 22 12:17:11 c0n5 getty[8271]: /dev/tty6: cannot open as standard 
input: No such device
Nov 22 12:17:20 c0n5 getty[8272]: /dev/tty1: cannot open as standard 
input: No such device
Nov 22 12:17:21 c0n5 getty[8273]: /dev/tty2: cannot open as standard 
input: No such device
Nov 22 12:17:21 c0n5 getty[8274]: /dev/tty3: cannot open as standard 
input: No such device
Nov 22 12:17:21 c0n5 getty[8275]: /dev/tty4: cannot open as standard 
input: No such device
Nov 22 12:17:21 c0n5 getty[8276]: /dev/tty5: cannot open as standard 
input: No such device
Nov 22 12:17:21 c0n5 getty[8277]: /dev/tty6: cannot open as standard 
input: No such device
Nov 22 12:20:29 c0n5 sshd[8278]: Accepted password for root from 
10.42.42.104 port 51754 ssh2
Nov 22 12:20:29 c0n5 PAM_unix[8278]: (ssh) session opened for user root 
by (uid=0)


this looks to be a symptom.  all these ttyn devices are trying to do 
something... they are triggering getty up to many times per second.  
this probably accounts for the thousands of entries in wtmp that are 
transparant to the program last.

thanks again

dave

-- 
Dave Mallery, K5EN          (debian testing & woody)  
PO Box 520         .~.    _      Ramah,  NM  87321     
                   /V\   -o)
no gates...       /( )\  /\\     running Debian GNU/Linux
  no windows!     ^^^^^ _\_v        free at last!

Reply to:

References:
- /var/log/setuid.today wierdness in cluster
  - From: dave mallery <dmallery@cia-g.com>
- Re: /var/log/setuid.today wierdness in cluster
  - From: Joey Hess <joeyh@debian.org>
- Re: /var/log/setuid.today wierdness in cluster
  - From: dave mallery <dmallery@cia-g.com>
- Re: /var/log/setuid.today wierdness in cluster
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: Sound card problem
Next by Date: Re: xdm and startx
Previous by thread: Re: /var/log/setuid.today wierdness in cluster
Next by thread: Re: /var/log/setuid.today wierdness in cluster
Index(es):
- Date
- Thread