
Do you need to keep the old information in the wtmp, btmp and wtmps files?

Otherwise zero them.

# cat /dev/null > /var/adm/btmp
etc.

If you want to try to preserve previous bad login attempts, you will need to make use of the
'fwtmp' command:

# /usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp
# vi /tmp/wtmp.tmp # Clean up records
# /usr/sbin/acct/fwtmp -ic < /tmp/wtmp.tmp > /var/adm/wtmp
# rm /tmp/wtmp.tmp
etc.

But I still have a problem with the (last) command that reads successful commands from
/var/adm/wtmps???

Also check the btmp and wtmps files.

# /usr/sbin/acct/fwtmp < /var/adm/btmp > /tmp/btmp.tmp
# vi /tmp/btmp.tmp # Clean up records
# /usr/sbin/acct/fwtmp -ic < /tmp/btmp.tmp > /var/adm/btmp
# rm /tmp/btmp.tmp

# /usr/sbin/acct/fwtmp < /var/adm/wtmps > /tmp/wtmps.tmp
# vi /tmp/wtmps.tmp # Clean up records
# /usr/sbin/acct/fwtmp -ic < /tmp/wtmps.tmp > /var/adm/wtmps
# rm /tmp/wtmps.tmp

I am trying to use the commands last and lastb to check on successful and unsuccessful logins,
and I got the following result:

# last -R 10
Invalid record size. Unable to continue ...

and

# lastb -R 10
BTMPS_FILE begins at Fri Dec 31 07:45:40

So I searched on these forums and I found the following post:

http://h30499.www3.hp.com/t5/System-Administration/last-command-amp-wtmps/td-p/4615210

In this post Robert Jan came up with a solution, but I would like to understand the contents of the
files, like the output of:
/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

I edited the file /tmp/wtmp.tmp and I found this:

esmd esmd 2877 5 0000 0000 1254490132 Oct 2 15:28:52 2009
cimserve cim1 2878 5 0000 0000 1254490132 Oct 2 15:28:52 2009
sh ems3 2879 5 0000 0000 1254490132 Oct 2 15:28:52 2009
sh ems3 2879 8 0000 0000 1254490132 Oct 2 15:28:52 2009
p_client ems4 2882 5 0000 0000 1254490132 Oct 2 15:28:52 2009
icapd icap 2883 5 0000 0000 1254490132 Oct 2 15:28:52 2009
utild util 2884 5 0000 0000 1254490132 Oct 2 15:28:52 2009
krsd krsd 2874 8 0011 0000 1254495221 Oct 2 16:53:41 2009
krsd krsd 8950 5 0011 0000 1254495221 Oct 2 16:53:41 2009
utild util 2884 8 0011 0000 1254495221 Oct 2 16:53:41 2009

You should be looking at wtmps, not wtmp. And you may need to use -X.

I did use the -X but I had a successful output when using lastb -X, and I had the same error when
using last -X, which was:
last -X
Invalid record size. Unable to continue ...

Now when using:
>/usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp
the contents of wtmps.tmp are:
13135 0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5
2004842672 0 0000 0000 7 Jan 1 02:00:07 1970
808463924 11825 32000 0000 0 Jan 1 02:00:00 1970 0.0.0.1
0 0 0000 0000 0 Jan 1 02:00:00 1970 119.120.204.224
0 0 0000 0000 0 Jan 1 02:00:00 1970
-1065708960 0 0000 0000 0 Jan 1 02:00:00 1970 114.111.111.116
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
1718906980 12595 31465 34000 0 Jan 1 02:00:00 1970 127.255.214.228
-1073741824 0 1611 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970 119.120.204.224
` 0 0 0000 0016 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
0 0 0000 0000 0 Jan 1 02:00:00 1970
939589631 0 0000 0000 0 Jan 1 02:00:00 1970

You can find a description of the contents of the wtmp and wtmps files in the system man pages:
please run "man 4 wtmp" and "man 4 wtmps", respectively.

The output of the fwtmp/fwtmps commands should normally be similar to the actual wtmp/wtmps
file structure, but with all the binary fields translated into human-readable ASCII.

However, the error message "invalid record size" from the "last" command and the confused-looking
contents of your wtmps.tmp file (Dates for year 1970?? Loopback IP addresses like
127.255.214.224???) suggest that your wtmps file was corrupted at some point. The corruption
would cause the fwtmps tool to go out of sync with the entries and misinterpret them.
If you want to extract meaningful information from the file, you may have to find the corrupted
entry/entries in your original binary wtmps file and remove them (probably with some hex editor)
and then re-run the file through the fwtmps command.

If the wtmps file is large, finding and recognizing the corrupted entries may be a difficult and
tedious job.

The error won't go away since the file has been corrupted. You could use tusc to see how much of
the file is bad.
>Now when using: /usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp
>the contents of wtmps.tmp are:
13135 0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5

I have to use -X for 11.23 and 11.31 when using fwtmp(1m):

/usr/sbin/acct/fwtmp < /var/adm/wtmps

If you use tusc on last(1), you'll see this pattern before it aborts:
[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4
...

[11273] read(4, "\0\00288", 4) ........................... = 4
[11273] lseek(4, 652, SEEK_SET) .......................... = 652
[11273] read(4, "\0\00288", 4) ........................... = 4
...

Now it prints it out by going backwards:

[11273] lseek(4, 67051684, SEEK_SET) ..................... = 67051684
[11273] read(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0".., 648) = 648

>-rw-rw-r-- 1 adm adm 5770232 Mar 5 08:57 /var/adm/wtmps

>I will try and use the last 1000 lines of the wtmps file to read from it.

The file is binary, there are no lines. You'll need to use dd(1) to copy from the end:

#!/usr/bin/ksh
# Dump out last 20 records of wtmps file
WTMP=/var/adm/wtmps
# File size in bytes, from the 5th column of ll (ls -l)
typeset -i wtmpsize=$(ll $WTMP | awk '{print $5 }')
# Each record is a 4-byte size field followed by 648 bytes of data
typeset -i wtmprecord=$((648+4))
typeset -i wtmpdump=$((wtmprecord * 20))
echo "$wtmprecord: $((wtmpdump))"

# Add -v to not suppress duplicate lines
xd -tx4 -tc -j $(($wtmpsize - wtmpdump)) -N $((wtmpdump)) $WTMP

# Copy only the last 20 records, byte by byte, into wtmps.short
dd if=$WTMP of=wtmps.short bs=1 count=$wtmpdump skip=$(($wtmpsize - wtmpdump))

(You can comment out the xd(1) command if you aren't interested in the raw file format.)

And once you get wtmps.short you can check with:

$ /usr/sbin/acct/fwtmp -X < wtmps.short

And use last(1) to format it:

$ last -R -X -f wtmps.short
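Two things in this thread can be checked offline: the explanation that last(1) aborts because one bad length field throws a trusting reader out of sync with every record after it, and the dd recipe that pulls the last N records out by byte offset. The script below is an added example, not code from the thread or from HP-UX. It assumes the record layout suggested by the tusc trace above (a 4-byte big-endian size field that must read 648, followed by 648 bytes, so a 652-byte stride) and builds its own constructed sample file instead of reading /var/adm/wtmps. scan() imitates the walk that ends in "Invalid record size", salvage() slides forward one byte at a time to resynchronise on the next good header (the hex-editor hunt done mechanically), and tail_records() does what the dd script does, which only works when the cut lands on a record boundary.

```python
"""Integrity check for a wtmps-style binary accounting file.

Assumed layout (inferred from the tusc trace: read 4, read 648, lseek 652):
a 4-byte big-endian length field that must equal 648, then 648 bytes of
record data. The fields inside the 648 bytes are not modelled.
"""
import struct

HDR_LEN = 4
REC_LEN = 648                      # from tusc: read(4, ..., 648)
SLOT = HDR_LEN + REC_LEN           # 652, the lseek stride in the trace
GOOD_HDR = struct.pack(">I", REC_LEN)


def make_record(tag: bytes) -> bytes:
    """Build one well-formed slot; the body is constructed filler."""
    body = tag.ljust(REC_LEN, b"\0")[:REC_LEN]
    return GOOD_HDR + body


def build_sample() -> bytes:
    """Constructed file: three good records, one slot whose header claims
    648 bytes but is 100 bytes short, then two more good records."""
    good = [make_record(b"rec%d" % i) for i in range(5)]
    damaged = GOOD_HDR + b"\xff" * (REC_LEN - 100)
    return b"".join(good[:3]) + damaged + b"".join(good[3:])


def scan(data: bytes):
    """Walk the file the way last(1) does: trust each length header.

    Returns (records, bad_offset): records is a list of (offset, body);
    bad_offset is where the first unusable header was met, or None if the
    whole file parsed cleanly. Note that a short record is not detected
    here; the failure shows up one slot later, at a header that is really
    data from the next record.
    """
    records, off = [], 0
    while off < len(data):
        hdr = data[off:off + HDR_LEN]
        if len(hdr) < HDR_LEN:
            return records, off
        (size,) = struct.unpack(">I", hdr)
        if size != REC_LEN or off + SLOT > len(data):
            return records, off        # "Invalid record size"
        records.append((off, data[off + HDR_LEN:off + SLOT]))
        off += SLOT
    return records, None


def salvage(data: bytes):
    """Resync past damage: accept a slot only when its own header is valid
    and the slot 652 bytes further on also starts with a valid header (or
    the file ends there). Otherwise slide one byte and look again."""
    out, off = [], 0
    while off + SLOT <= len(data):
        nxt = off + SLOT
        here_ok = data[off:off + HDR_LEN] == GOOD_HDR
        nxt_ok = nxt + HDR_LEN > len(data) or data[nxt:nxt + HDR_LEN] == GOOD_HDR
        if here_ok and nxt_ok:
            out.append((off, data[off + HDR_LEN:off + SLOT]))
            off += SLOT
        else:
            off += 1
    return out


def tail_records(data: bytes, n: int):
    """What the thread's dd script copies: the last n*652 bytes, parsed.
    Only meaningful if len(data) is a multiple of the stride."""
    chunk = data[max(0, len(data) - n * SLOT):]
    return scan(chunk)[0]


if __name__ == "__main__":
    sample = build_sample()
    recs, bad = scan(sample)
    print("trusting scan: %d records, first bad header at %r" % (len(recs), bad))
    print("salvaged offsets:", [o for o, _ in salvage(sample)])
    print("tail(2) tags:", [b[:4] for _, b in tail_records(sample, 2)])
```

On a real file, replace build_sample() with the bytes of /var/adm/wtmps (or of the wtmps.short copy) and check len(data) % 652 first: if the size is not a multiple of the stride, the dd tail starts mid-record and scan() reports a bad header at offset 0, exactly what tail_records(sample, 3) does on the constructed sample because its cut falls inside the short record.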
