/var/run/utmp => shows who is currently connected to the system (this is what who and w read). Not all programs write to utmp, so more users may be connected than utmp displays.
/var/log/wtmp => a historical record of utmp data: every login, logout and reboot appended over time
/var/log/btmp => record of failed login attempts
last and lastb commands
These files are in binary format (cat will not show anything useful) and are consulted with the last command, or dumped to text with utmpdump (see below).
last by default reads /var/log/wtmp.
lastb reads /var/log/btmp instead, and therefore displays only the failed login attempts.
Some useful options of the last command:
- -f FILE to read FILE instead of the default /var/log/wtmp
- -x to also display system shutdown entries and run level changes. These are hidden by default: reboot entries are displayed even without -x, shutdown entries are not.
- -t YYYYMMDDHHMMSS to display the sessions that were active at the given date and time
$> last -f /var/log/wtmp
The equivalent of lastb, reading the failed-attempts file explicitly:
$> last -f /var/log/btmp
See the history of system shutdowns and reboots (a reboot line that reads "still running" although a later boot follows means no shutdown record closed it, which is what an unclean stop such as a crash, power loss or hard reset looks like):
$> last -x | grep 'reboot\|shutdown'
reboot system boot 4.18.0-147.8.1.e Thu Jun 23 16:04 still running
reboot system boot 4.18.0-147.8.1.e Tue May 10 17:06 still running
reboot system boot 4.18.0-147.8.1.e Tue Apr 12 18:41 still running
reboot system boot 4.18.0-147.8.1.e Tue Oct 26 18:34 still running
reboot system boot 4.18.0-147.8.1.e Mon Aug 2 18:02 still running
shutdown system down 4.18.0-147.8.1.e Mon Aug 2 18:01 - 18:02 (00:00)
reboot system boot 4.18.0-147.8.1.e Tue Jul 27 10:58 - 18:01 (6+07:03)
shutdown system down 4.18.0-147.8.1.e Tue Jul 27 10:58 - 10:58 (00:00)
To display which users were connected on the first of January 2022 at 10:10:50 (system reboots are also displayed):
$> last -t 20220101101050
To display the login history of root:
$> last root
To display the failed login attempts for root:
$> lastb root
Anti-forensics – utmp, wtmp, and btmp log tampering
These log files can be modified: utmpdump converts them between binary and text in both directions, and writing them back only requires write access to the files, which normally means root.
First you convert the binary file into a text file:
$> utmpdump /var/log/wtmp > /var/log/wtmp.txt
Then you edit the text file (remove or change the lines you want to hide) and convert it back to the binary format:
$> utmpdump -r </var/log/wtmp.txt >/var/log/wtmp
Note that the intermediate wtmp.txt and the changed modification time of wtmp are themselves traces an investigator can find.
Detect log tampering
When you remove a line from the human-readable file (the previous wtmp.txt for instance) to hide a connection, then convert it back to binary with utmpdump -r, and finally convert it to text again, you will see zero values and a bad timestamp in the place of the removed line: utmpdump -r writes a zero-filled record where it could not parse a line.
These timestamps are the Unix "epoch time": 00:00:00 UTC on 1 January 1970.
Then you can detect it with:
$> utmpdump /var/run/utmp | grep "\[0\].*1970-01-01"
$> utmpdump /var/log/wtmp | grep "\[0\].*1970-01-01"
$> utmpdump /var/log/btmp | grep "\[0\].*1970-01-01"
To estimate when the log tampering happened, you can only look at the timestamps of the intact records immediately before and after the epoch-time record: the deleted entry lay somewhere in that window. This check is a heuristic, not proof of integrity: an attacker who deletes whole lines cleanly, or edits the binary file directly, leaves no zeroed record behind.
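The detection and window estimation described above, scripted over utmpdump text output. This is an added example, not part of the original notes: the sample records below are constructed in the ISO 8601 layout that util-linux utmpdump emits, and the third record is the zero-filled entry that utmpdump -r leaves where a line could not be parsed. The function reads a dump on stdin, so on a live system you would pipe `utmpdump /var/log/wtmp` into it instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original page): flag zero-filled epoch records
# in utmpdump text output and report the neighbouring intact timestamps as
# the window in which the tampering must have happened.

# Constructed utmpdump output: a boot, a login, a zeroed record left by
# 'utmpdump -r', another login and a logout (types 2, 7, 0, 7, 8).
SAMPLE_DUMP='[2] [00000] [~~  ] [reboot  ] [~           ] [4.18.0-147.8.1.el8_1.x86_64] [0.0.0.0        ] [2022-06-23T16:04:02,000000+0000]
[7] [01742] [ts/0] [alice   ] [pts/0       ] [10.0.0.5            ] [10.0.0.5       ] [2022-06-23T16:10:33,000000+0000]
[0] [00000] [    ] [        ] [            ] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+0000]
[7] [01803] [ts/1] [bob     ] [pts/1       ] [10.0.0.9            ] [10.0.0.9       ] [2022-06-23T17:02:45,000000+0000]
[8] [01742] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2022-06-23T17:30:01,000000+0000]'

# find_tampered: reads utmpdump text on stdin and prints one line per
# suspicious record, with the intact timestamps on either side of it.
find_tampered() {
    awk '
    # A record is suspicious when its type is 0 (EMPTY) and its time is the
    # Unix epoch; genuine wtmp records carry a real type and a real time.
    function is_zero(rec) {
        return rec ~ /^\[0\] / && rec ~ /1970-01-01T00:00:00/
    }
    # Extract the last bracketed field, the timestamp.
    function stamp(rec) {
        sub(/.*\[/, "", rec)
        sub(/\]$/, "", rec)
        return rec
    }
    { lines[NR] = $0 }
    END {
        for (i = 1; i <= NR; i++) {
            if (!is_zero(lines[i])) continue
            before = "start of file"
            after = "end of file"
            # Walk outward past any adjacent zeroed records to the nearest
            # intact timestamps: the deleted entry lay inside this window.
            for (j = i - 1; j >= 1; j--)
                if (!is_zero(lines[j])) { before = stamp(lines[j]); break }
            for (j = i + 1; j <= NR; j++)
                if (!is_zero(lines[j])) { after = stamp(lines[j]); break }
            printf "record %d: zeroed entry between %s and %s\n", i, before, after
        }
    }'
}

# count_tampered: number of suspicious records in the dump passed as $1.
count_tampered() {
    printf '%s\n' "$1" | find_tampered | wc -l | tr -d ' '
}

# Run on the constructed sample (on a real host: utmpdump /var/log/wtmp | find_tampered)
printf '%s\n' "$SAMPLE_DUMP" | find_tampered
```

The same function works unchanged on /var/run/utmp and /var/log/btmp dumps; the window it prints is only as tight as the surrounding records, and it finds nothing when whole lines were deleted cleanly.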