Bug 98659 - /var/log/wtmp registers entries with wrong / arbitrary IP address for local graphical logins
Summary: /var/log/wtmp registers entries with wrong / arbitrary IP address for local g...
Keywords:
Status: CLOSED DUPLICATE of bug 82540
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: SysVinit
Version: 9
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-07-06 23:59 UTC by Joaquim Fanton
Modified: 2014-03-17 02:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 18:56:57 UTC
Embargoed:

Attachments (Terms of Use)

Description Joaquim Fanton 2003-07-06 23:59:37 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
The wtmp file contains entries registering logins (and logoffs) from IP
128.99.1.64 at terminal :0.

There's one entry for each time the system is started (booted).

The problem only happens if the system default runlevel is set to 5 (the system
starts X immediately after the boot and the login occurs through gdm). If the
default runlevel is set to 3 the entries are correct.

Version-Release number of selected component (if applicable):
SysVinit-2.84-13

How reproducible:
Always

Steps to Reproduce:
1. Set the system's default runlevel to 5 in inittab
(edit /etc/inittab, changing the line id:3:initdefault: 
to id:5:initdefault:)

2. look at wtmp using 'utmdump /var/log/wtmp | grep 128.99

Actual Results:  [root@firenzi etc]# utmpdump /var/log/wtmp | grep 128.99
Utmp dump of /var/log/wtmp
[7] [01931] [:0  ] [jcff    ] [:0          ] [                    ] [128.99.1.64
   ] [Sun Jun 22 13:29:26 2003 BRT]
[7] [01859] [:0  ] [root    ] [:0          ] [                    ] [128.99.1.64
   ] [Sun Jul 06 18:39:50 2003 BRT]
[8] [00000] [:0  ] [        ] [:0          ] [                    ] [128.99.1.64
   ] [Sun Jul 06 18:41:29 2003 BRT]
[root@firenzi etc]#

Expected Results:  [root@firenzi etc]# utmpdump /var/log/wtmp | grep 128.99
Utmp dump of /var/log/wtmp
[root@firenzi etc]#

Additional info:

This behaviour could lead to the wrong conclusion that the system was invaded or
hacked by an unauthorized perpetrator.
Comment 1 Joaquim Fanton 2003-07-07 00:04:27 UTC 
This bug is probably similar (or even caused by the same problem) to the one
reported on Bugzilla Bug 82540.
Comment 2 Joaquim Fanton 2003-07-07 17:10:40 UTC 
Sorry. In "Steps to Reproduce" I forgot to mention that the system must be 
restarted after the edition of the default run level in the /etc/inittab file. 
(This could seem obvious to me but I should have made it clear.)

So, this would be step 1.5) Restart the system and login via gdm.
Comment 3 Joaquim Fanton 2003-07-18 19:20:20 UTC 
The IP registered in wtmp is not always the same. It seems to be an arbitrary 
IP and can be different from machine to machine, distribution to distribution 
or even from time to time. So, the IP itself does not matter. 

The problem is that the address registered should be 0.0.0.0 at terminal :0 
and an arbitrary IP is registered instead.

This observation has impact in the way the problem can be reproduced, since '# 
utmpdump wtmp | grep 128.99' works fine for me but won't work for many users. 
So, one must use '# utmpdump wtmp | more' and search for logins at terminal :0 
with IP addresses others than 0.0.0.0.

I also verified that this problem occurs at Red Hat versions 7 and 8.
Comment 6 Bill Nottingham 2005-01-28 06:21:48 UTC 

*** This bug has been marked as a duplicate of 82540 ***
Comment 7 Red Hat Bugzilla 2006-02-21 18:56:57 UTC 
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
Note You need to log in before you can comment on or make changes to this bug.