Wtmp

bamcis · Feb 1, 2010

I have a server that is down due to, I believe, some nefarious activity. It no longer boots. Something is corrupted. I have several WTMP files that I would like to review. I have the hard drive, but not the server itself. I have come to find out that depending on the time of the server you read the WTPM file on the time zone changes. How do I determine the the original time the login/logout occured?

I do not know if the original server the WTMP's came from was set to UTC, EST, DST, PST, etc. Is there anyway to look at the WTMP and determine the correct time/time zone? Thanks in advance.

SirDice · Feb 1, 2010

AFAIK the timestamps are unix time ticks and as such are UTC.

DutchDaemon · Feb 1, 2010

I haven't investigated this at all, but I'd assume that the login/logout times are recorded in 'unix seconds', regardless of the time zone that the machine is actually in, or is configured to use (these may differ).

When using 'last' (or 'last -f'), this timestamp will be translated into the current machine's time zone setting. So if you're reviewing wtmp files from a machine that is in e.g. UTC + 2, on a machine that is in UTC + 3, you can simply subtract one hour from the reported time to get the actual time 'where the event happened'.

It shouldn't matter which time zone the original machine was set to, so long as you know which time zone it is actually in, and which time zone you're in, so you can work out the actual time when events happened.

Again: not investigated, this is my assumption.

bamcis · Feb 1, 2010

Would you know how you would figure out a WTMP file from it's binary state (ie. Hex View)?

SirDice · Feb 1, 2010

Most of the commands like who(1) and last(1) can load a different file.

DutchDaemon · Feb 1, 2010

Yep, [cmd=]last -f /var/log/wtmp[/cmd] or [cmd=]last -f /var/log/wtmp.0[/cmd] or [cmd=]who /var/log/wtmp[/cmd] will work just fine.

bamcis · Feb 2, 2010

I have made some progress. With some help from another, we have found the unsigned 32 bit value that shows me the date/time. It is in little endian and the following hex values produce the following date/time:

Code:

D5 0f F2 47 produces 04/26/2008 @ 16:15:13

I can not get ahold of who helped me with this. Des anyone know how to convert this HEX value to the date/time? Any help is greatly appreciated.

DutchDaemon · Feb 2, 2010

Why are you poking around in hex when 'last' can read the file?

bamcis · Feb 3, 2010

I am attempting to validate the information the command is giving is correct.

SirDice · Feb 3, 2010

bamcis said:
Des anyone know how to convert this HEX value to the date/time?

See ctime(3).

jalla · Feb 3, 2010

SirDice said:
See ctime(3).

Code:

tom:~# date -r `echo "16i47F20FD5p" | dc`
Tue Apr  1 12:35:01 CEST 2008

Wtmp

bamcis

SirDice

Administrator

DutchDaemon

Administrator

bamcis

SirDice

Administrator

DutchDaemon

Administrator

bamcis

DutchDaemon

Administrator

bamcis

SirDice

Administrator

jalla