# Wtmp



## bamcis (Feb 1, 2010)

I have a server that is down due to, I believe, some nefarious activity. It no longer boots. Something is corrupted. I have several WTMP files that I would like to review. I have the hard drive, but not the server itself. I have come to find out that depending on the time of the server you read the WTPM file on the time zone changes. How do I determine the the original time the login/logout occured?

I do not know if the original server the WTMP's came from was set to UTC, EST, DST, PST, etc. Is there anyway to look at the WTMP and determine the correct time/time zone? Thanks in advance.


----------



## SirDice (Feb 1, 2010)

AFAIK the timestamps are unix time ticks and as such are UTC.


----------



## DutchDaemon (Feb 1, 2010)

I haven't investigated this at all, but I'd assume that the login/logout times are recorded in 'unix seconds', regardless of the time zone that the machine is actually in, or is configured to use (_these may differ_). 

When using 'last' (or 'last -f'), this timestamp will be translated into the _current_ machine's time zone setting. So if you're reviewing wtmp files from a machine that is in e.g. UTC + 2, on a machine that is in UTC + 3, you can simply subtract one hour from the reported time to get the actual time 'where the event happened'. 

It shouldn't matter which time zone the original machine was set to, so long as you know which time zone it is actually *in*, and which time zone you're in, so you can work out the actual time when events happened.

Again: not investigated, this is my assumption.


----------



## bamcis (Feb 1, 2010)

Would you know how you would figure out a WTMP file from it's binary state (ie. Hex View)?


----------



## SirDice (Feb 1, 2010)

Most of the commands like who(1) and last(1) can load a different file.


----------



## DutchDaemon (Feb 1, 2010)

Yep, [cmd=]last -f /var/log/wtmp[/cmd] or [cmd=]last -f /var/log/wtmp.0[/cmd] or [cmd=]who /var/log/wtmp[/cmd] will work just fine.


----------



## bamcis (Feb 2, 2010)

I have made some progress. With some help from another, we have found the unsigned 32 bit value that shows me the date/time. It is in little endian and the following hex values produce the following date/time:


```
D5 0f F2 47 produces 04/26/2008 @ 16:15:13
```

I can not get ahold of who helped me with this. Des anyone know how to convert this HEX value to the date/time? Any help is greatly appreciated.


----------



## DutchDaemon (Feb 2, 2010)

Why are you poking around in hex when 'last' can read the file?


----------



## bamcis (Feb 3, 2010)

I am attempting to validate the information the command is giving is correct.


----------



## SirDice (Feb 3, 2010)

bamcis said:
			
		

> Des anyone know how to convert this HEX value to the date/time?


See ctime(3).


----------



## jalla (Feb 3, 2010)

SirDice said:
			
		

> See ctime(3).




```
tom:~# date -r `echo "16i47F20FD5p" | dc`
Tue Apr  1 12:35:01 CEST 2008
```


----------

