Modify a line in wtmp – Linux Accounting

The /var/log/wtmp file in a Linux system contains data about past user logins.  An attacker may want to modify this file as one of the steps they take in covering their track.  One may also want to modify utmp or btmp as well.  This same technique can be used.

The wtmp log is a binary format and is owned by root:

It can be viewed using the last command, as shown below:

The utmpdump works great for this and may be on the image by default.  In this case, let’s say we want to remove the entry that shows user ken logged in from the console (tty1).  Here is how to do it:

Now, let’s take a look at the output again using the ‘last’ command:

Note that the line is now missing.  Of course, the timestamp on wtmp has also been updated, but that is a different issue:

 

 

Tagged , , , . Bookmark the permalink.
  • The postings and views on this site are my own and do not necessarily reflect the positions, strategies, or opinions of any current or previous employer.