Patrick Wiseman wrote:
> I manage a virtual machine remotely, running Debian stable. Recently,
> both 'w' and 'who' were reporting zero users. The machine had been up
> for 141 days, so I did 'sudo shutdown -r now' and returned to it a few
> minutes later, when 'w' and 'who' reported appropriately. Is this any
> cause for concern?

I would suspect a system problem more than a break-in. The w and who
commands simply dump the contents of the /var/run/utmp file. Does that
file exist for you and does it have the correct permissions? Here is
an example from my system.

  $ ls -l /var/run/utmp
  -rw-rw-r-- 1 root utmp 24960 Jan 14 14:32 /var/run/utmp

That file is created at boot time by /etc/init.d/bootmisc.sh linked to
the /etc/rcS.d/S??bootmisc.sh symlink in the tmpfs partitions. It is
tmpfs and always starts empty at boot time. If that file does not exist
then check that the symlink for it is installed. If it is not installed
then check all of the init links as others may be missing too.

  $ ls -l /etc/rcS.d/S??bootmisc.sh

Bob
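Added example, not part of the message above: a Python sketch of the check the reply describes, telling apart a missing utmp file, unexpected permissions, and a file that simply holds no login records. It assumes the 384-byte glibc record layout on Linux x86-64; the names parse_utmp, diagnose and make_record are hypothetical, and the sample records are constructed.

```python
import os, stat, struct

# Assumption: glibc utmp record layout on Linux x86-64, 384 bytes per record
# (the 24960-byte file in the post would be 65 such records).
UTMP = struct.Struct("<h2xi32s4s32s256s2h3i4i20x")
USER_PROCESS = 7  # ut_type of a logged-in session; who/w list only these

def _text(raw):
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def parse_utmp(data):
    """Return (user, line, host) for every USER_PROCESS record in data."""
    sessions = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        if rec[0] == USER_PROCESS:  # rec[2]=ut_line, rec[4]=ut_user, rec[5]=ut_host
            sessions.append((_text(rec[4]), _text(rec[2]), _text(rec[5])))
    return sessions

def diagnose(path="/var/run/utmp"):
    """Return (findings, sessions) explaining what who/w would see at path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: check the boot script that creates it"], []
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o664:  # -rw-rw-r-- as in the listing from the post
        findings.append("mode is %o, expected 664" % mode)
    if st.st_size % UTMP.size:
        findings.append("size %d is not a multiple of %d" % (st.st_size, UTMP.size))
    with open(path, "rb") as fh:
        sessions = parse_utmp(fh.read())
    if not sessions:
        findings.append("no USER_PROCESS records: who/w will list zero users")
    return findings, sessions

def make_record(ut_type, user=b"", line=b"", host=b"", pid=0):
    """Build one constructed record for the demonstration below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host, 0, 0, 0, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    # Constructed sample: a boot record (type 2) and one login from a documentation IP.
    sample = make_record(2, b"reboot", b"~") + make_record(
        USER_PROCESS, b"alice", b"pts/0", b"192.0.2.10", 4242)
    print(parse_utmp(sample))
    print(diagnose())
```

A file with the expected mode that still yields no USER_PROCESS records matches the symptom in the question: the file is present but nothing is recording logins into it.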