Well, I'm no expert, but your problems may be due to the fact that the old
login file is broken and is writing an incorrect log (/var/log/utmp and wtmp).
The "who" command uses these logs and so does the finger daemon.

You haven't really provided much information to work with, but my hypothesis is
that someone broke into your system and installed a new "/bin/login" to ensure
himself a permanent back door. The cracker could have made a mistake when
compiling or editing his "login" program, resulting in the errors which you
have noticed. This may also account for the large size of "/bin/login" (did you
keep a copy?).

If you have kept the old "login" file and the relevant logs, you could try
analysing them. Also, the strange output of "last" seems suspicious and deserves
looking into. You might also want to look through your other programs,
especially the suid programs and daemons that are executed by root for signs of
tampering. If you have kept a checksum of all the programs, it would come in
handy now. If not, you may have to depend on the modification date. Setting a
few well hidden traps for potential crackers may also be a good idea.

Of course, it's also possible that the "login" program was damaged during the
improper shutdown, but personally, I feel that the chances of the login program
being damaged by a file-system error and still being able to run are quite small.
It usually helps to assume the worst, and the checks that I've recommended are
generally quite simple.

On 13-Dec-98 Ken Russell wrote:
> This week my system had a problem, and although it is now solved, I would
> like to know if anyone can explain it to me.
> 
> On a Monday afternoon it was reported to me that who and finger were not
> working, although users could login and access their accounts. I also found
> that when I used the "last" command, the output was rather strange, with
> many login dates showing Dec. 31.
> 
> I consulted with a local Linux administrator who spent some time looking
> into the problem with me looking over his shoulder. He found that the
> /bin/login file was very large. He copied the same file from another Linux
> box that was not having this problem into the one that was (replacing the
> old one), and voila! Everything worked fine. Musta been the login file. But
> why?
> 
> One post I found in deja news suggested a hacker might have done this, but
> we have no other evidence of a hacker. I also found out later that the
> machine had been inadvertently restarted without being properly shut
> down--perhaps this was the cause of the screwed-up login file. However, I
> have had my machine shut down from power failures before and not had this
> problem arise afterward.
> 
> Has anyone had this problem before, and does anyone have an idea as to
> what might have caused this large corrupted login file? I would like to
> know how to avoid it in the future.
> 
> Thanks for your help!
> 
> -Ken

Cort
[EMAIL PROTECTED]
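
The checksum comparison suggested in the reply above, as an added example that is not part of the original messages: shell functions that record SHA-256 sums of set-uid/set-gid files under a directory and later report changed, missing and new ones. The function names and the baseline file location are assumptions made for illustration, and paths are assumed to contain no newlines or backslashes.

```shell
#!/bin/sh
# Added example: baseline and verify checksums of set-uid / set-gid programs.

# list_suid DIR: every regular file under DIR carrying the setuid or setgid bit.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# make_baseline DIR OUT: write "sha256  path" lines for those files to OUT.
make_baseline() {
    list_suid "$1" | while IFS= read -r f; do sha256sum "$f"; done > "$2"
}

# scan_changes DIR BASELINE: print one finding per line.
scan_changes() {
    # Files recorded in the baseline: gone, or contents differ.
    # They are re-hashed even if the setuid bit has since been dropped.
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$want" ]; then
            echo "CHANGED $path"
        fi
    done < "$2"
    # Set-uid files present now but never recorded (path starts at column 67:
    # 64 hex digits plus two separator characters).
    list_suid "$1" | while IFS= read -r f; do
        cut -c67- "$2" | grep -qxF -- "$f" || echo "NEW $f"
    done
}

# verify_baseline DIR BASELINE: print findings; return 0 if clean, 1 otherwise.
verify_baseline() {
    report=$(scan_changes "$1" "$2")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Typical use (baseline path is a placeholder):
#   make_baseline / /mnt/readonly/suid.sha256
#   verify_baseline / /mnt/readonly/suid.sha256
```

The baseline is only useful if it is kept where someone with root on the machine cannot rewrite it (read-only or off-host media), and the comparison is best run with a known-good copy of `sha256sum`.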
