named 9.6.1 Filling wtmp

David Kreindler david at govnet.state.vt.us
Fri Jan 22 15:15:18 UTC 2010


On 22 Jan 2010, at 7:25 AM, David Kreindler wrote:

> On 21 Jan 2010, at 7:21 PM, Mark Andrews wrote:
> 
>> In message <6B845B73-065F-4E8B-AFA5-408ECDBE7724 at govnet.state.vt.us>, David Kreindler writes:
>>> We have BIND 9.6.1-P3 running on several AIX 5.3 servers. On one of them, named is filling /var/adm/wtmp with numerous entries like the following.
>> 
>> This is not named (the program).  It may be "su" or some other process that
>> is logging changes in uid.  Or it could be someone logging in as the user
>> "named".
>> 
>> Mark
>> 
>>> user pts/1 pts/1 7 1327240 0000 0000 1264089183 host-NN.domain Thu Jan 21 10:53:03 EST 2010
>>>    named       8 2572472 0000 0000 1264089217                Thu Jan 21 10:53:37 EST 2010
>>>    named       8 2572472 0000 0000 1264089217                Thu Jan 21 10:53:37 EST 2010
>>>    named       8 0000 0000 1264089277                Thu Jan 21 10:54:37 EST 2010
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 
> There is no user 'named' on this system.
> 
>    # su - named
>    3004-500 User "named" does not exist.
> 
> It appears to be the process 'named', but we do not understand what is causing it to be logged in wtmp constantly.

It looks as though the problem was in the AIX accounting system. Somehow it kept logging PID 2572472 (which did not exist) as a dead process. A restart corrected the problem.

We are not sure if the fact that the process appeared to be the BIND daemon (named) was incidental.



