reading wtmp

Question

reading wtmp

Was studying ACSA client curriculum and decided to take a look @ the wtmp file. Used sudo pico /private/var/log/wtmp and the only info in it was :
e
dmin
out

Same for /var/log/wtmp. This occurs on 10.3.9 client and server. I have multiple accts on the client and logged out, attempted bad password attempts and still nothing. The ACSA book does not give any more info than this file logs all activity. Am I doing something wrong?

Posted on Sep 20, 2005 11:44 PM

Reply

Answer 1

Sep 21, 2005 1:57 AM in response to Pittsburgh Steelers

Hi Erik,

The wtmp file is usually accessed with the 'last' command, try just:

last

I think bad password attempts will be logged to the system.log at /var/log/system.log

Reply

Answer 2

Camelot

Level 9

58,299 points

Sep 21, 2005 2:02 AM in response to Pittsburgh Steelers

The hint is:

% file /var/log/wtmp
/var/log/wtmp: data

Note that the file type is identified as 'data', not ASCII Text. In other words, it's a binary data file, not meant to be read via tools such as pico, vi, cat, etc.

If it were that easy to read the file, it would be just as easy for a hacker to modify the file to hide his tracks, hence the binary data format of the file - it's much harder to fake.

Reply

Answer 3

Finlay

Level 4

2,415 points

Sep 21, 2005 4:24 AM in response to Camelot

Uh, the format of wtmp is well-documented. The reason they're binary is probably that on large, multi-user systems (such as the mainframes which UNIX was originally intended to run on), you can have a great many logins/logouts in a relatively small period of time; and thus the files could grow quite quickly. At that time, disk space was also more of a premium than it is today.

Reply

Answer 4

Camelot

Level 9

58,299 points

Sep 21, 2005 5:12 PM in response to Finlay

Uh, the format of wtmp is well-documented

I didn't say it was unknown, just that it wasn't plain text.

If it were plain text, it would be trivial for someone to edit the file, delete a line or three and move on, leaving no one any wiser. As it stands, using a binary file, it is much harder to hack this file and not leave a trace. Not impossible, but a lot harder than your average script kiddie is going to be able to do.

Reply

Answer 5

Sep 21, 2005 6:29 PM in response to Camelot

Is it too off-topic to recommend Clifford Stoll's The Cuckoo's Egg for an interesting tale of tracking a cracker via inconsistent logfile coverup-attempts?

Reply

Answer 6

Sep 21, 2005 7:26 PM in response to Pittsburgh Steelers

Another way to read the /var/log/wtmp file is with the 'who' command.

who /var/log/wtmp

last -f /var/log/wtmp

as was mentioned previously.

see utmp(5) manpage for details about the format of the file.

Andy

Reply