strange 'last' output
hi there!

i've got a server running SuSE 6.4 (Kernel 2.2.17) and since about 2 months, 'last' is showing me a very strange output like this:

  user ftpd22132 host Sun Sep 10 20:18 - 20:18 (00:00)
  user ftpd22129 host Sun Sep 10 20:15 - 20:17 (00:01)
  user pts/0 host Sun Sep 10 20:10 - 20:11 (00:00)
  user pts/0 host Sun Sep 10 16:03 - 16:04 (00:00)
  ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 - down (9654+08:44)
  user pts/1 host Sat Sep 9 18:54 - 19:03 (00:08)
  user pts/0 host Sat Sep 9 18:46 - 21:01 (02:15)
  user pts/0 host Sat Sep 9 18:29 - 18:39 (00:09)
  user ftpd18251 host Sat Sep 9 16:24 - 16:39 (00:14)
  user pts/0 host Sat Sep 9 16:22 - 16:24 (00:02)
  ****X*** X*******X*** 15529 Thu Jan 1 01:00 - 02:44 (1557+01:44)
  ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 - 01:00 (-1557+-1:-4
  user pts/0 host Fri Sep 8 01:23 - 01:27 (00:03)

i really don't know where this "****X***" comes from. also take a look at the login time! another example:

  ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 still logged in
  ****X*** X*******X*** Thu Jan 1 01:00 - 02:44 (1557+01:44)
  ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 - 01:00 (-1557+-1:-4
  ****X*** X*******X*** ****X*******X*** Thu Jan 1 01:00 - 02:44 (1557+01:44)
  5019 X*******X*** crt Thu Jan 1 01:00 still logged in

but neither lsof or netstat show me any strange things. could this be an attack? is it possible that someone broke into this system? or is anything else faulty? i don't know...

Yours
--
Tobias Gewinner
TMT interNETworks GmbH
t.gewinner@tmt.de
http://www.tmt.de
> hi there!
> i've got a server running SuSE 6.4 (Kernel 2.2.17) and since about 2 months, 'last' is showing me a very strange output like this:
> [...]
> 5019 X*******X*** crt Thu Jan 1 01:00 still logged in
> but neither lsof or netstat show me any strange things. could this be an attack? is it possible that someone broke into this system? or is anything else faulty? i don't know...
It looks like the /var/log/wtmp file (last uses this) is corrupted.
Perhaps some process (login or friend...) wrote to it and left a mess.
You could try to set up a new one and see if it repeats. Such corruptions
do not happen very often and should therefore be treated seriously. On the
other hand, you can't really trust the information from /var/log/wtmp - an
intruder might have tampered with the content.
Anyway: If you suspect a compromised system, you can't trust the output of
utilities like netstat and ps any more. A detailed analysis of the system
ingredients requires a trusted environment to work with...
Roman.
--
Roman Drahtmüller
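Roman's point that `last` only prints whatever /var/log/wtmp contains can be checked directly. The following is an added example, not code from this thread: it walks a wtmp image record by record and flags the symptoms in Tobias's output (non-username bytes in ut_user, timestamps at the epoch, which a CET box prints as 'Thu Jan 1 01:00', and records whose time runs backwards), so you know which offsets to cut before setting up a fresh file. It assumes glibc's 384-byte Linux `struct utmp` layout; the sample records and the 1998 lower bound are constructed.

```python
import re, struct, time

# Assumption: glibc's Linux `struct utmp` (384 bytes), the format login(1) and friends append to /var/log/wtmp.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
FIELD_OK = {"user": r"[A-Za-z0-9._-]*", "line": r"[ -~]*", "host": r"[ -~]*"}

def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def check_record(rec, now=None):
    now = int(time.time()) if now is None else now
    problems = []
    if not 0 <= rec["type"] <= 9:               # ut_type EMPTY(0) .. ACCOUNTING(9)
        problems.append("unknown ut_type %d" % rec["type"])
    for field, pattern in FIELD_OK.items():     # catches '****X***' and control bytes
        if not re.fullmatch(pattern, rec[field]):
            problems.append("garbage in ut_%s %r" % (field, rec[field]))
    if rec["tv_sec"] == 0:                      # prints as 'Thu Jan 1 01:00' in CET
        problems.append("timestamp is the epoch")
    elif not 883612800 <= rec["tv_sec"] <= now: # 1998-01-01 UTC (constructed floor) .. now
        problems.append("timestamp out of range")
    return problems

def parse_wtmp(data, now=None):
    recs, last_ok = [], None
    for off in range(0, len(data), UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        if len(chunk) < UTMP_SIZE:              # truncated or mis-aligned file
            recs.append({"offset": off, "problems": ["short record (%d bytes)" % len(chunk)]})
            break
        f = struct.unpack(UTMP_FMT, chunk)
        rec = {"offset": off, "type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "tv_sec": f[9]}
        rec["problems"] = check_record(rec, now)
        if last_ok is not None and rec["tv_sec"] < last_ok - 60:   # wtmp is append-only
            rec["problems"].append("timestamp goes backwards vs previous record")
        last_ok = rec["tv_sec"] if not rec["problems"] else last_ok
        recs.append(rec)
    return recs

def make_record(ut_type, pid, line, user, host, tv_sec):   # only to build the sample
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: two sane logins, one garbage record, one out-of-order record.
SAMPLE_WTMP = (make_record(7, 18251, "ftpd18251", "user", "host", 968516640)
               + make_record(7, 2201, "pts/0", "user", "host", 968601600)
               + make_record(7, 15529, "****X***", "****X***\x01", "", 0)
               + make_record(7, 2202, "pts/0", "user", "host", 968400000))
```

On a real box, read the file with `open("/var/log/wtmp", "rb").read()` and print the offsets whose problem list is non-empty; as Roman notes, a clean parse only tells you the file is consistent, not that it is honest.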