From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
The wtmp file contains entries registering logins (and logoffs) from IP 128.99.1.64 at terminal :0. There's one entry for each time the system is started (booted). The problem only happens if the system default runlevel is set to 5 (the system starts X immediately after the boot and the login occurs through gdm). If the default runlevel is set to 3 the entries are correct.

Version-Release number of selected component (if applicable):
SysVinit-2.84-13

How reproducible:
Always

Steps to Reproduce:
1. Set the system's default runlevel to 5 in inittab (edit /etc/inittab, changing the line id:3:initdefault: to id:5:initdefault:)
2. Look at wtmp using 'utmpdump /var/log/wtmp | grep 128.99'

Actual Results:
[root@firenzi etc]# utmpdump /var/log/wtmp | grep 128.99
Utmp dump of /var/log/wtmp
[7] [01931] [:0 ] [jcff ] [:0 ] [ ] [128.99.1.64 ] [Sun Jun 22 13:29:26 2003 BRT]
[7] [01859] [:0 ] [root ] [:0 ] [ ] [128.99.1.64 ] [Sun Jul 06 18:39:50 2003 BRT]
[8] [00000] [:0 ] [ ] [:0 ] [ ] [128.99.1.64 ] [Sun Jul 06 18:41:29 2003 BRT]
[root@firenzi etc]#

Expected Results:
[root@firenzi etc]# utmpdump /var/log/wtmp | grep 128.99
Utmp dump of /var/log/wtmp
[root@firenzi etc]#

Additional info:
This behaviour could lead to the wrong conclusion that the system was invaded or hacked by an unauthorized perpetrator.
This bug is probably similar (or even caused by the same problem) to the one reported on Bugzilla Bug 82540.
Sorry. In "Steps to Reproduce" I forgot to mention that the system must be restarted after editing the default run level in the /etc/inittab file. (This could seem obvious to me but I should have made it clear.) So, this would be step 1.5) Restart the system and log in via gdm.
The IP registered in wtmp is not always the same. It seems to be an arbitrary IP and can be different from machine to machine, distribution to distribution or even from time to time. So, the IP itself does not matter. The problem is that the address registered should be 0.0.0.0 at terminal :0 and an arbitrary IP is registered instead. This observation has an impact on the way the problem can be reproduced, since '# utmpdump wtmp | grep 128.99' works fine for me but won't work for many users. So, one must use '# utmpdump wtmp | more' and search for logins at terminal :0 with IP addresses other than 0.0.0.0. I also verified that this problem occurs on Red Hat versions 7 and 8.
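The manual search described in the comment above can be automated. The following is an added example, not part of the original bug report or of SysVinit: it parses utmpdump output and returns login/logoff records on a local X display whose address field is not 0.0.0.0. The function names are hypothetical, and the last two sample lines are constructed for contrast.

```python
import re
import sys

FIELD = re.compile(r"\[([^\]]*)\]")
KEYS = ("type", "pid", "id", "user", "line", "host", "addr", "time")
USER_PROCESS, DEAD_PROCESS = 7, 8            # ut_type values from utmp(5)
LOCAL_DISPLAY = re.compile(r":\d+(\.\d+)?")  # ":0", ":1", ":0.0"

def parse_record(line):
    """Return one utmpdump line as a dict, or None for headers and noise."""
    cols = [c.strip() for c in FIELD.findall(line)]
    if len(cols) != len(KEYS) or not cols[0].isdigit():
        return None
    rec = dict(zip(KEYS, cols))
    rec["type"] = int(rec["type"])
    return rec

def suspect_local_records(lines):
    """Login/logoff records on a local X display with a non-zero address."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] not in (USER_PROCESS, DEAD_PROCESS):
            continue
        if LOCAL_DISPLAY.fullmatch(rec["line"]) and rec["addr"] not in ("", "0.0.0.0"):
            hits.append(rec)
    return hits

# First four lines are from the report; the last two are constructed:
# a correct local login (0.0.0.0) and a genuine remote login on a pty.
SAMPLE = """\
Utmp dump of /var/log/wtmp
[7] [01931] [:0 ] [jcff ] [:0 ] [ ] [128.99.1.64 ] [Sun Jun 22 13:29:26 2003 BRT]
[7] [01859] [:0 ] [root ] [:0 ] [ ] [128.99.1.64 ] [Sun Jul 06 18:39:50 2003 BRT]
[8] [00000] [:0 ] [ ] [:0 ] [ ] [128.99.1.64 ] [Sun Jul 06 18:41:29 2003 BRT]
[7] [02011] [:0 ] [jcff ] [:0 ] [ ] [0.0.0.0 ] [Mon Jul 07 09:00:00 2003 BRT]
[7] [02100] [/0 ] [jcff ] [pts/0 ] [host.example ] [192.0.2.10 ] [Mon Jul 07 09:05:00 2003 BRT]
""".splitlines()

if __name__ == "__main__":
    # Usage: utmpdump /var/log/wtmp | python3 this_script.py
    for rec in suspect_local_records(sys.stdin):
        print(rec["time"], rec["line"], rec["user"] or "-", rec["addr"])
```

A hit means a record matches the pattern in this report; it says nothing about records on other terminals, which still need the usual review.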
*** This bug has been marked as a duplicate of 82540 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.