According to Ken Russell: While burning my CPU.
>
> This week my system had a problem, and although it is now solved, I would
> like to know if anyone can explain it to me.
>
> On a Monday afternoon it was reported to me that who and finger were not
> working, although users could login and access their accounts. I also found
> that when I used the "last" command, the output was rather stange, with
> many login dates showing Dec. 31.
>
> I consulted with a local Linux administrator who spent some time looking
> into the problem with me looking over his sholder. He found that the
> /bin/login file was very large. He copied the same file from another linux
> box that was not having this problem in to the one that was (replacing the
> old one), and voila! Everything worked fine. Musta been the login file. But
> why?
>
The program "finger" is in no way connected to "login" however they are both
defined in and exectuted from /etc/inetd.conf and are both inetd tools.
"who" is a completly different and is not connected to /etc/inetd.conf.
The program who gets its data from /etc/utmp or wtmp, now if login was going
crazy then many entry's would be written to those files, possably making
them unreadably (temporaraly) for "who".
Now possably the reason why no one could use who or finger is because your
inetd had died, or was not responding because of many different factors,
shortage of memory, a process respwaning to fast, which could indeed also be
one reason for a reboot, (an unlikely thing) but considering what you
typed, like above utmp or wtmp being constanly updated.
/bin/login is not a file as such but a "program", if thro' some reason it
got corrupted then that could explane its larger size, (i presume it was
kept and not discarded), it could be run under gdb to see why it increased
in size. Your linux expert should have known or thought about that.
What were the date/time stamps on /bin/login, was that checked.???
Is there "any"thing about "logins" in your system log.????
Did you accidently use "merge" or use any commands like "cat" before the
problem ocuured????.
I am not saying it is you who corrupted your own login file, but in 90% +
cases we do the damage ourselfs and take the view that someone else did it,
after all, you have said, you can find no evidence of a so called hacker.
Indeed if the progran login was being executed around or upon the
spontainious reboot, then it could have beed corrupted by that fact.
Is there anything in your lost+found directory to indicate that point.??
My comments are "my" thoughts, which indeed the linux expert who checked
your system should have checked as well.
Its very easy to talk about a problem "after" we have had time to think,
your friend the expert possably did not have much time to do just that..
> One post I found in deja news suggested a hacker might have done this, but
> we have no other evidence of a hacker. I also found out later that the
> machine had been inadvertantly restarted without being properly shut
> down--perhaps this was the cause of the screwed-up login file. However, I
> have had my machine shutdown from power failures before an not had this
> problem arise afterward.
>
> Has anyone had this problem before, and does anyone have an idea was to
> what might have caused this large corrupted login file? I would like to
> know how to avoid it in the future.
>
> Thanks for your help!
>
> -Ken
>
--
Regards Richard.
[EMAIL PROTECTED]
Merry Xmas to all, and may all your troubles be small (ones).
