Is there a chance that this wtmp entry:
xL ****@******* Wed Dec 31 17:00 - down (11605+01:26
1) Is caused by a 2.4.x kernel or system issue? or
It could very well be a hardware flaw. I think an acquaintance of mine had something pretty similar once and it turned out his cpu fan was defective and the cpu overheated. System crash on OS issues is possible as well. Without further inspection you can't be sure of what it is.
2) Is a half-failed login attempt?
3) An artifact of hitting the OOM wall and my kernel and killing the box?
I know it certainly looks like a hacker is logged in and trying to patch up wtmp, but I can't find other signs of trouble.
I have several suse 7.0 and 6.x boxes (various places in networks) that don't have this sign of problems. The person who first pointed this symptom out was on a suse 7.1 box running a 2.4.7 kernel. One other person noticed it on 7.2 boxes. My box was 2.4.8pre4 on suse 7.2.
I did a check of all /usr/bin /bin/ /sbin files. They all still have the same checksum as these files on a box in another safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs.) I did a manual scp/diff of netstat/ps/ls/strings.
I did a tcpdump for 12hrs and checked all the packets. I don't see odd stuff. I'll start another tcpdump.
This box is behind a firewall set to deny all but 22,25,80.
It is a fairly new install and I ran YOU when it was first installed (Sep 1) and installed all security patches for 7.2.
Personally, I think it's likely you are dealing with some kind of hardware/software problem, especially since you sound like you know what you are doing. I'd look into that first. That's the whole point of this thread I think: if you are unsure of what happened there isn't much use in just taking action (re-installing or otherwise).
eric
hth Stefan
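
An added example, not part of the thread: one way to inspect a wtmp file record by record instead of relying on the formatted `last` output, flagging records with a zero timestamp, non-printable user or line fields, blanked records, and a torn final record. It assumes the glibc `struct utmp` layout on Linux (384 bytes, little-endian); the sample bytes are constructed for the example.

```python
import struct

# Assumption: glibc "struct utmp" as laid out on Linux (384 bytes, little-endian).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")

def _text(raw):
    """Strip NUL padding from a fixed-width field."""
    return raw.split(b"\0", 1)[0]

def _odd(raw):
    """True if a name field holds bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in raw)

def suspicious(data):
    """Return (offset, reason) pairs for records that deserve a closer look."""
    findings = []
    whole = len(data) - len(data) % UTMP.size
    for off in range(0, whole, UTMP.size):
        raw = data[off:off + UTMP.size]
        if not any(raw):
            findings.append((off, "all-zero record"))
            continue
        f = UTMP.unpack(raw)
        user, line, sec = _text(f[4]), _text(f[2]), f[9]
        if sec == 0:
            findings.append((off, "zero timestamp"))
        if _odd(user) or _odd(line):
            findings.append((off, "non-printable user/line"))
    if whole != len(data):
        findings.append((whole, "trailing partial record"))
    return findings

def make(typ, user, line, host, sec):
    """Build one constructed record for the sample below."""
    return UTMP.pack(typ, 1234, line, b"", user, host, 0, 0, 0, sec, 0, 0, 0, 0, 0)

# Constructed sample: one normal login, one damaged record, a blanked record, a torn tail.
SAMPLE = (make(7, b"alice", b"pts/0", b"192.0.2.10", 1002700000)
          + make(7, b"x\x03L", b"\x7f\x01", b"", 0)
          + bytes(UTMP.size)
          + b"\0" * 10)

if __name__ == "__main__":
    for off, reason in suspicious(SAMPLE):
        print(f"offset {off}: {reason}")
```

A hit shows that a record is malformed, not what caused it.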