Hello friends,

I'm getting scared when I read the following lines in my "last":

pep@montblanc:~> last
pep      pts/1                          Sun Feb  2 20:02   still logged in
pep      pts/0                          Sun Feb  2 20:00   still logged in
P***(*** ****P***h*** ********P*******  Thu Jan  1 01:00   gone - no logout
pep      pts/2                          Sat Feb  1 23:43 - 23:44  (00:00)
pep      pts/2                          Sat Feb  1 23:35 - 23:37  (00:01)
pep      pts/1                          Sat Feb  1 23:34 - 23:44  (00:10)
simon    pts/0     pooladsl-a-25-7.     Sat Feb  1 22:55 - 01:14  (02:19)
camio    pts/0                          Sat Feb  1 20:59 - 21:55  (00:55)
P***h*** ****P***(*** *****             Thu Jan  1 01:00   gone - no logout
...

Does anyone have any idea where it comes from? I'm going to research in detail in every log file. Any suggestions about what to look for?

Thanks,
Pep.
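The "last" listing above is rendered from binary wtmp records. As an added example (not from this thread), here is a Python check that unpacks those records directly and flags the two symptoms reported here: unprintable bytes in the user or line field, and a login stamped at time zero, which last(1) shows as "Thu Jan 1 01:00" on a machine in CET. It assumes the 384-byte glibc record layout of x86/x86_64 Linux and runs over two constructed records rather than a real /var/log/wtmp.

```python
import struct

# glibc utmp record on x86/x86_64 Linux, 384 bytes (assumed layout):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6[4], reserved[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384
USER_PROCESS = 7
KNOWN_TYPES = range(0, 10)  # EMPTY (0) .. ACCOUNTING (9)

def _cstr(raw):
    return raw.split(b"\0", 1)[0]  # NUL-terminated field -> its bytes

def _printable(raw):
    return all(0x20 <= b < 0x7f for b in raw)

def parse_wtmp(data):
    """Unpack every complete record of a wtmp image into a dict."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "tv_sec": f[9]}

def suspicious_records(data):
    """Return (index, reason) pairs for records resembling the garbage above."""
    hits = []
    for i, r in enumerate(parse_wtmp(data)):
        if r["type"] not in KNOWN_TYPES:
            hits.append((i, "unknown ut_type %d" % r["type"]))
        if not _printable(r["user"]) or not _printable(r["line"]):
            hits.append((i, "non-printable bytes in user/line"))
        if r["type"] == USER_PROCESS and r["tv_sec"] == 0:
            hits.append((i, "login at epoch 0 (last shows 'Thu Jan 1 01:00' in CET)"))
    return hits

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build a constructed record for testing; not data from a real system."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, b"", user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: one sane login (Sun Feb 2 2003, 19:02 UTC) and one
# record shaped like the corrupted entries quoted in the thread.
SAMPLE_WTMP = (make_record(USER_PROCESS, 4242, b"pts/1", b"pep", b"", 1044212520)
               + make_record(USER_PROCESS, 0, b"\x8fP\x01(\xf3", b"P\xaa(\xaa", b"", 0))

if __name__ == "__main__":
    for idx, why in suspicious_records(SAMPLE_WTMP):
        print("record %d: %s" % (idx, why))
```

To run it against a real file, pass open("/var/log/wtmp", "rb").read() to suspicious_records; records of other libc layouts will not unpack correctly.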
Sounds very spooky, but which console ...
pep@montblanc:~> last
pep      pts/1                          Sun Feb  2 20:02   still logged in
pep      pts/0                          Sun Feb  2 20:00   still logged in
P***(*** ****P***h*** ********P*******  Thu Jan  1 01:00   gone - no logout
pep      pts/2                          Sat Feb  1 23:43 - 23:44  (00:00)
pep      pts/2                          Sat Feb  1 23:35 - 23:37  (00:01)
pep      pts/1                          Sat Feb  1 23:34 - 23:44  (00:10)
simon    pts/0     pooladsl-a-25-7.     Sat Feb  1 22:55 - 01:14  (02:19)
camio    pts/0                          Sat Feb  1 20:59 - 21:55  (00:55)
P***h*** ****P***(*** *****             Thu Jan  1 01:00   gone - no logout
pts/x means from remote via ssh. Please be more precise. Is he/she in your /etc/passwd??? Better make a lastlog > out.txt and a http://www.chkrootkit.org/ or a http://www.rwth-aachen.de/security/s30.html (sorry, this is in German)!!!

Philippe
Hey!

I've got similar entries in my wtmp, too!!! Looks like this:

?***?*** ******G**> ***********;*0*      Sat Sep 16 02:00   still logged in
******O= *****&**?** **^******s5y*_      Fri Oct  4 03:00   still logged in
**S5**** ****f**!**s* R*O)***kky*U***Y   Wed Jul  4 20:37   still logged in
?**R**> ***2*b***^}* f*5********%5*U*    Thu Aug 31 22:24   still logged in
*"~*gi** **g***;***** ***Q**J--*****     Mon Mar 17 07:18   still logged in
*****/*j *********BX* **F5*****(***^*O   Tue Dec 17 02:23   still logged in
**.**n** **? ******.J **,k~***e**~**!*   Fri Jun  7 13:37   still logged in
*K*:**~* ****?<***l* **}*ak*5**5*j**     Sun Apr  3 14:53   still logged in
*****4!) Q*b****YA**F ***?/u*********&   Thu Jan 21 18:52   still logged in
U******r ******a***** 8**$**H***/'****   Tue Apr  3 03:58   still logged in

The system is SuSE 7.3, kernel 2.4.10 (yes, I know it's a bit old now)...

And another one with SuSE 8.0 2.4.18-4GB shows:

****`*** `*******`*** ****`*******`***   Thu Jan  1 01:00   gone - no logout

Any ideas?

Eduard
Eduard Avetisyan wrote:
Hey!
I've got similar entries in my wtmp, too!!! Looks like this:
U******r ******a***** 8**$**H***/'**** Tue Apr 3 03:58 still logged in
The system is SuSE 7.3, kernel 2.4.10 (yes, I know it's a bit old now)...
And another one with SuSE 8.0 2.4.18-4GB shows: ****`*** `*******`*** ****`*******`*** Thu Jan 1 01:00 gone - no logout
Any ideas?
Let me guess: you use reiserfs, right? If yes, it's known that wtmp gets corrupted there.

Regards,
Sven
Hello

Another suser also wrote me with the same conclusion. But I still don't see a clue between reiser and wtmp. I've been searching in the list archives and I didn't find any mention. Could anyone point me to a piece of doc, link, email, anything where I can read about it?

Cheers,
Pep Serrano.
Hello all back again

Problem identified: finally I found this is a bug in netdate. Nothing about reiserfs...

Regards,
Pep Serrano.

On Monday 03 February 2003 17:11, Pep Serrano wrote:
Hello
Another suser also wrote me with the same conclusion. But I still don't see a clue between reiser and wtmp. I've been searching in the list archives and I didn't find any mention.
--- Sven 'Darkman' Michels
Let me guess: you use reiserfs, right? If yes, it's known that wtmp gets corrupted there.
Only half true :) On the first one (7.3) I use ext2, and the problem is VERY much similar... It's apparently not a filesystem problem, and, as the kernels are also different, not a bug of a specific kernel version... BTW, both machines have an average uptime of 1-2 months, so it's not likely that wtmp gets corrupted due to system hangs or crashes (corrupted entries appear far more often than reboots, I mean)...

May someone from SuSE join this discussion?

Thanks
Eduard
I had the same problem one year ago with Suse 7.1. After some investigation I found out the Loki rootkit installed on my system. Maybe this is not related, but you might want to check. Praise
Hi Roland,
I had the same problem one year ago with Suse 7.1. After some investigation I found out the Loki rootkit installed on my system. Maybe this is not related, but you might want to check.
Can you describe a simple'n'fast way to check it? Just to save time searching in google :)

thanks
Eduard

P.S. Seems that this particular problem is already solved - netdate's to be blamed. Guess one should expect a patched version soon...
Eduard Avetisyan wrote:
Hi Roland,
I had the same problem one year ago with Suse 7.1. After some investigation I found out the Loki rootkit installed on my system. Maybe this is not related, but you might want to check.
Can you describe a simple'n'fast way to check it? Just to save time searching in google :)
www.chkrootkit.org
thanks Eduard P.S. Seems that this particular problem is already solved - netdate's to be blamed. Guess one should expect a patched version soon...
What about ntpdate? Should work better ...
Hi Sven,

found out the Loki rootkit installed on my system. Maybe this is not related, but you might want to check.

Can you describe a simple'n'fast way to check it? Just to save time searching in google :)

www.chkrootkit.org
thx! I'm clean :)
P.S. Seems that this particular problem is already solved - netdate's to be blamed. Guess one should expect a patched version soon...
What about ntpdate? Should work better ...

Sorry, typo... netdate, should've written. It corrupts the wtmp, apparently (see above in the thread)...
Ciao
Eduard
Eduard Avetisyan wrote:
What about ntpdate? Should work better ...
Sorry, typo... netdate, should've written. It corrupts the wtmp, apparently (see above in the thread)...
Nah, you should use ntpdate instead of netdate: "netdate" will set ANY time it receives and "ntpdate" will validate the time and move the clock slowly to the right time. That was what I meant ;)
"ntpdate" will validate the time and moves the clock slowly to the right time
Not in the default SuSE setup (rcxntpd start), and only if you use appropriate command line args; otherwise it will bang the new time into the system as fast as it can.

Volker
--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
* Eduard Avetisyan wrote on Mon, Feb 10, 2003 at 11:51 -0800:
www.chkrootkit.org
thx! I'm clean :)
You mean, you don't know for sure that you're infected. Just BTW :) SCNR.

oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
Hi all,

I'm trying to use openLDAP as NIS replacement. This is working fine. The server is listening on LDAP and LDAPS and the clients are configured to use LDAPS. So far it is running.

If I got this right, LDAPS is not the recommended method for TLS, but start_tls is.

I have tried to use start_tls in a perl script, and get only unencrypted connections. Making a perl script as simple as possible I found $test to be "2" (LDAPv2), which results in an error trying Start_tls. The script is:
#!/usr/bin/perl -w
use strict;
use Net::LDAP;

# Connect with Net::LDAP's defaults; no protocol version is requested here,
# so the server is talked to with whatever version Net::LDAP defaults to.
my $ldap = Net::LDAP->new('buddy.io-software.com') or die "$@";
my $test = $ldap->version();
print " $test \n";
but from /usr/sysconfig/openldap I thought it should be 3 (LDAPv3) for openldap versions > 2:
#
# If set to "yes" the "ldap over ssl" feature of slapd will be enabled. Don't
# forget to add the "TLSCertificateFile" and "TLSCertificateKeyFile" options
# to the /etc/openldap/slapd.conf (man slapd.conf).
# Note: Don't confuse this with "START_TLS", the preferred method for
# making encrypted LDAP connections, which is enabled as soon as You
# specify "TLSCertificateFile" and "TLSCertificateKeyFile" in your config
# file
#
and rpm gives:

# rpm -qi openldap2
Name        : openldap2                             Relocations: (not relocateable)
Version     : 2.1.4                                 Vendor: SuSE Linux AG, Nuernberg, Germany
Release     : 68                                    Build Date: Thu Dec 12 13:53:46 2002
Install date: Thu Jan 23 16:05:23 2003              Build Host: wiles.suse.de
Group       : Productivity/Networking/LDAP/Servers  Source RPM: openldap2-2.1.4-68.src.rpm
Size        : 6406919                               License: Other License(s), see package
Packager    : http://www.suse.de/feedback
Summary     : The new OpenLDAP Server (LDAPv3)
Description :
The Lightweight Directory Access Protocol (LDAP) is a protocol for
accessing online directory services. It runs directly over TCP, and
can be used to access a standalone LDAP directory service or to access
a directory service that is back-ended by X.500

Authors:
--------
Kurt Zeilenga
Hi,

Thomas Kerkau wrote:
Hi all,
I'm trying to use openLDAP as NIS replacement. This is working fine. The server is listening on LDAP and LDAPS and the clients are configured to use LDAPS. So far it is running. If I got this right, LDAPS is not the recommended method for TLS, but start_tls is.

I have tried to use start_tls in a perl script, and get only unencrypted connections. Making a perl script as simple as possible I found $test to be "2" (LDAPv2), which results in an error trying Start_tls. The script is:
#!/usr/bin/perl -w
use Net::LDAP;
$ldap = Net::LDAP->new('buddy.io-software.com') or die "$@";
$test = $ldap->version() ;
print " $test \n";
but from /usr/sysconfig/openldap I thought it should be 3 (LDAPv3) for openldap Versions > 2:
Well, start_tls is an extended operation and isn't even supported in LDAPv2, so if the server thinks you are using that, start_tls will fail. You might wanna try telling the server that you are using v3, something like:

use strict;
use Net::LDAP;

# Returns undef on success, an error string on failure.
sub ldap_check_login {
    my ($host, $user, $organizationalUnit, $searchbase, $pwd) = @_;
    # new() returns undef (not 0) when the connection fails
    my $ldap = Net::LDAP->new($host, version => 3, port => 389, timeout => 20)
        or return "ERROR connecting to LDAP server";
    # this should start tls, no verify: verify => 'none' is Net::LDAP's default,
    # so the server certificate is not checked (verify => 'require' plus
    # cafile => '...' would check it)
    my $tls = $ldap->start_tls(sslversion => 'sslv3');
    $tls->code && return "start_tls failed: " . $tls->error;
    # bind() always returns a message object; success is read from its code
    my $returnvalue = $ldap->bind("cn=$user,ou=$organizationalUnit,$searchbase", password => $pwd);
    $ldap->unbind();                                    # unbind & disconnect
    $returnvalue->code && return $returnvalue->error;   # return error message on failure
    return undef;                                       # undef = success
}

(you need to feed it host, user, organizationalUnit, searchbase and password)

HTH
Stefan
participants (9): Eduard Avetisyan, Pep Serrano, Philippe Vogel, Roland Freeman, Stefan Suurmeijer, Steffen Dettmer, Sven 'Darkman' Michels, Thomas Kerkau, Volker Kuhlmann