Re: utmp and wtmp corrupt?

Shawn Bayern (shawn.bayern@yale.edu)
Tue, 29 Dec 1998 22:46:10 -0500 (EST)

On Tue, 29 Dec 1998, Collin McClendon wrote:

> I don't think anyone broke into my machine but now my utmp and wtmp files
> are corrupted, I get weird records of logons and who is on, like this:
> it used to read just fine, any ideas?

Not really, sorry. (I probably wouldn't even be responding if you hadn't
copied your message to me specifically :) )

A few random thoughts:

* It could be a random disk error. Are you sure that both utmp *and* wtmp
are corrupted? "last" uses wtmp (historical data), while programs like
"who" use utmp. A disk error is kind of unlikely to affect *both* files,
unless you've lost a whole lot of other files too.

* If you want to look into the potential security violation a bit more,
check your "messages" and "secure" logs to see if they report any unusual
telnets (etc). If someone purposely destroyed wtmp, they'd probably
purposely destroy "messages" as well, but it's worth a try.

* If you're feeling adventurous, I'll send you some utmp/wtmp-reading
source code that might let you (manually) figure out precisely where the
file or files went bad.

Good luck,

Shawn
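Shawn offers to send utmp/wtmp-reading code; the program below is an added example written for this archive page, not the code he sent. It assumes a Linux/glibc `struct utmp` layout (from `<utmp.h>`), walks a utmp or wtmp file record by record, and flags records whose type, user/line fields or login timestamp are implausible, plus any partial record left at the end of the file; the sample file it writes is constructed, with made-up values.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utmp.h>

/* Problem flags returned by check_record(); 0 means the record looks sane. */
enum { BAD_TYPE = 1, BAD_USER = 2, BAD_LINE = 4, BAD_TIME = 8 };
/* A text field is plausible if every byte before the first NUL is printable ASCII. */
static int field_ok(const char *s, size_t n) {
    for (size_t i = 0; i < n && s[i] != '\0'; i++)
        if ((unsigned char)s[i] < 0x20 || (unsigned char)s[i] > 0x7e) return 0;
    return 1;
}

int check_record(const struct utmp *u, time_t now) {
    int bad = 0;
    time_t t = (time_t)u->ut_tv.tv_sec;
    if (u->ut_type < EMPTY || u->ut_type > ACCOUNTING) bad |= BAD_TYPE;
    if (!field_ok(u->ut_user, UT_NAMESIZE)) bad |= BAD_USER;
    if (!field_ok(u->ut_line, UT_LINESIZE)) bad |= BAD_LINE;
    /* A login stamp at the epoch or in the future is a sign of garbage. */
    if (u->ut_type == USER_PROCESS && (t == 0 || t > now + 3600))
        bad |= BAD_TIME;
    return bad;
}

/* Reads a utmp/wtmp file one fixed-size record at a time. Returns the record count (-1 if
 * unopenable); *nbad = flagged records, *trailing = bytes of a partial last record. */
long scan_file(const char *path, time_t now, long *nbad, size_t *trailing) {
    FILE *f = fopen(path, "rb"); if (!f) return -1;
    struct utmp u; long n = 0; size_t got = 0; *nbad = 0;
    while ((got = fread(&u, 1, sizeof u, f)) == sizeof u) {
        int bad = check_record(&u, now);
        if (bad) printf("record %ld (offset %ld): flags 0x%x\n", n, n * (long)sizeof u, bad);
        *nbad += (bad != 0); n++;
    }
    *trailing = got; fclose(f);  /* non-zero trailing bytes: truncated or overwritten mid-record */
    return n;
}

/* Writes a constructed sample: one sane login, one garbage record, a truncated tail. */
int write_sample(const char *path, time_t now) {
    struct utmp good, junk;
    memset(&good, 0, sizeof good); memset(&junk, 0xff, sizeof junk);
    good.ut_type = USER_PROCESS; good.ut_tv.tv_sec = now - 60;
    strcpy(good.ut_user, "collin"); strcpy(good.ut_line, "ttyp1");  /* constructed values */
    FILE *f = fopen(path, "wb"); if (!f) return -1;
    fwrite(&good, sizeof good, 1, f); fwrite(&junk, sizeof junk, 1, f);
    fwrite(&good, 1, 10, f);  /* partial record at the tail */
    fclose(f); return 0;
}
```

Run `scan_file()` against `/var/log/wtmp` (what "last" reads) or the utmp file (what "who" reads) to get the byte offset of the first bad record; a non-zero trailing count means the file's length is no longer a whole number of records.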