
The server is Ubuntu 11.10.

When I issue the "last" command from the command line, it gives the following output:

# last
last: read failed!

wtmp begins Fri Apr 18 15:47:48 2014

This I suspect is happening after a probable hacking attempt on the server, which we have dealt with now. But the "last" command continues not to work. I suspect the hacker disabled this command from working, so that they could cover their trails.

The question is why the command doesn't work and how do I get it fixed so that it works as intended?

Thanks for your expert insight.

jark
    You know 11.10 is outside of security support right? You really should be planning on upgrading/reinstalling soon. – Zoredache May 29 '14 at 16:51
  • 1
    Yes, and "probable hacking attempt" isn't the right sentence for this when you got your wtmp files messed up already (you got hacked). – phoops May 29 '14 at 16:52
  • @edvinas.me I would look for more evidence before jumping to conclusions. A corrupted `wtmp` file could have been caused by a hardware failure. – kasperd May 29 '14 at 16:57
  • Well, it was a directory instead of a file (from the comments in my provided answer). – phoops May 29 '14 at 16:58
  • Why the down vote on the question? Beats me. I had posted the question because I wasn't able to find the solution within my scope of knowledge or online. So I posted this asking for help. – jark May 29 '14 at 20:03
  • @Zoredache - yes, I am planning to upgrade the OS. I hope there is a command line way to do that. Let me look into it. – jark May 29 '14 at 20:05


This is due to corrupt wtmp or utmp files. As it is possible these got cleared and their permissions reset, I would back up the current ones and reset them. This can be done with cat /dev/null, redirecting the output to the files.

The last command should pick up the new files upon reboot.

phoops
  • Hi, thanks for the feedback. Is the wtmp file under /var/log? That is where it was found when I did a locate. But I am rather surprised to find that wtmp is a directory under /var/log and not a file. It is an empty directory though. So do I just remove it and then create a file /var/log/wtmp as root? What does cat /dev/null > /var/log/wtmp do differently as opposed to creating a file using touch /var/log/wtmp? – jark May 29 '14 at 16:46
  • It depends on the distribution. On my system they are also in `/var/log`. `wtmp` should be a `file` really. This probably gives you problems, as you can't have a file and a folder with the same name. First try creating an empty file (after you remove the directory). Don't reset `utmp` as it might not be necessary. – phoops May 29 '14 at 16:47
  • I guess the hackers are just playing games by manipulating the files. So I removed the directory /var/log/wtmp and created a file /var/log/wtmp. Now the last command does not give that "read failed" error. Rather it displays an empty output. So I hope it would start working after the next reboot (as you have mentioned)? – jark May 29 '14 at 16:52
  • Well, it is working already. It logs all logins to the system and your log is clear. – phoops May 29 '14 at 16:53
  • If you log in/log out you should see the new entries. – phoops May 29 '14 at 16:54
  • You are right. I am able to see the new entries now. That is good. So there is no way to restore the history of the last several login attempts, is there? That is the very first thing the hackers disable on getting into a server? Once it is lost, it is lost forever? – jark May 29 '14 at 17:12
  • Well the file is deleted. You can try usual deleted file recovery tools to try and recover it. – phoops May 29 '14 at 17:14
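A small POSIX shell check that reproduces the situation in this thread (wtmp replaced by an empty directory, so `last` cannot read it) and applies the repair from the accepted answer, added here as an example and not taken from the original post or from phoops's comments. The 384-byte utmp record size used to flag a truncated file is an assumption about Linux/glibc; the demo works on a temp directory, never on the real /var/log.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a wtmp-style log the
# way "last" needs it and repairs only the thread's failure mode (an empty
# directory in place of the file); anything else is left for forensics.
# Assumption: Linux/glibc utmp records are 384 bytes, so a real wtmp is
# always a multiple of that; any other size means it was truncated.
UTMP_REC=384

# wtmp_state PATH -> prints: missing | directory | other | truncated | ok
wtmp_state() {
    p="$1"
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then echo missing; return; fi
    if [ -d "$p" ]; then echo directory; return; fi
    if [ ! -f "$p" ]; then echo other; return; fi
    size=$(wc -c < "$p")
    if [ $((size % UTMP_REC)) -ne 0 ]; then echo truncated; return; fi
    echo ok
}

# wtmp_repair PATH: recreate the file when PATH is missing or an *empty*
# directory; rmdir refuses a non-empty one, so no data is ever discarded.
# On a real host also run: chown root:utmp PATH (Ubuntu default owner).
wtmp_repair() {
    p="$1"
    case "$(wtmp_state "$p")" in
        directory) rmdir "$p" || return 1 ;;
        missing)   ;;
        *)         return 1 ;;   # regular file: back it up, don't clobber
    esac
    : > "$p"                     # same effect as: cat /dev/null > "$p"
    chmod 0664 "$p"
    wtmp_state "$p"
}

# Constructed demo: rebuild the thread's scenario in a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/wtmp"            # the bogus directory the questioner found
    before=$(wtmp_state "$tmp/wtmp")
    after=$(wtmp_repair "$tmp/wtmp")
    rm -rf "$tmp"
    echo "$before -> $after"     # prints: directory -> ok
}
```

Running `wtmp_state /var/log/wtmp` on a healthy host prints `ok`; `directory` or `truncated` is the signal to copy the path aside before any repair.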