On several SuSE 7.2 Prof machines (4 machines), I have the same problem.
----- Original Message -----
From: "Eric Whiting"
I saw a similar thing in my log yesterday.
ewhiting pts/0 laptop Tue Oct 9 19:22 - down (00:04)
xL ****@******* Wed Dec 31 17:00 - down (11605+01:26
I checked messages, /usr/sbin, /sbin, netstat. I did a 12 hr tcpdump to watch for unexpected traffic. I did not find anything that looked bad. I'm still a little uncertain about it.
My box is a SuSE 7.2. It sits behind a simple HW firewall. The only open ports on the FW are 22, 25, and 80.
Could this be a case of reiserfs corruption of the wtmp file?
eric
Praise wrote:
When I run the "last" command I get this output:
dbuffoni pts/0 62.98.75.83 Sun Sep 23 19:03 - 19:08 (00:05)
leofire ftp ppp-4-10.27-151. Sun Sep 23 15:45 - 19:45 (04:00)
leofire ftp ppp-4-10.27-151. Sun Sep 23 15:44 - 15:44 (00:00)
fraghi pts/0 151.17.72.243 Sun Sep 23 15:43 - 15:50 (00:06)
pB ************ Thu Jan 1 01:00 - 01:00 (00:00)
leofire pts/0 ppp-4-10.27-151. Sun Sep 23 04:49 - 04:54 (00:04)
fraghi pts/0 151.17.128.9 Sat Sep 22 15:37 - 15:50 (00:13)
guybrush ftp flat-p01-m224.ar Sat Sep 22 14:53 still logged in
fraghi pts/0 151.17.128.9 Sat Sep 22 14:51 - 15:37 (00:45)
dbuffoni ftp 62.98.76.173 Sat Sep 22 12:43 - 12:57 (00:13)
dbuffoni pts/0 62.98.76.173 Sat Sep 22 12:31 - 12:57 (00:25)
5 ************ Thu Jan 1 01:00 - 01:00 (00:00)
praise pts/0 62.98.133.24 Sat Sep 22 01:53 - 03:12 (01:19)
leofire ftp ppp-227-6.27-151 Sat Sep 22 00:30 still logged in
leofire ftp ppp-227-6.27-151 Sat Sep 22 00:30 still logged in
guybrush ftp flat-p07-m022.ar Sat Sep 22 00:17 - 00:27 (00:10)
Everything is working fine on my system. At least it looks like that. But what do the strange users "pB" and "5" mean? And the dates are not so true.
The /var/log/messages is regular, except for:
Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)
rg is not a user on my system! Just checked.
Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
and root can't connect to ftp when I try it. What could these entries mean?
I have brought down my pc and I have checked passwd and log files with the suse rescue system. Everything looks as regular as when I did that with the compromised (?) system.
My system is a SuSE 7.1; the only open ports are 22 (ssh) and the ftp one (21). I use in.ftpd (the standard type in inetd.conf). last gives me the same problem on a laptop PC, which is not directly connected to the internet, but it is often on the same network as the other compromised (?) system.
Can anybody tell me that I am not hacked and that these are only common bugs???
Praise
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
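Both Eric's question (wtmp corruption?) and Praise's "pB"/"5" entries with 1970 dates point at the same check: read /var/log/wtmp record by record and flag entries whose timestamp is epoch zero, whose username is garbage, or whose user does not exist in passwd. The script below is an added example, not code from either poster; it assumes the 384-byte glibc struct utmp layout used on i386/x86_64 and uses a constructed two-record wtmp (a normal "praise" login and a "pB"-style garbage record) rather than a real file.

```python
import struct
import string

# Layout of one struct utmp record as used by glibc on i386/x86_64 (384 bytes).
# Assumption: the SuSE 7.x wtmp files discussed in the thread use this layout.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                         # ut_type of a normal login record

ALLOWED = set(string.ascii_letters + string.digits + "-._")

def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Yield one dict per complete fixed-size record in the file contents."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "ts": f[9]}

def audit_wtmp(data, known_users):
    """Return [(record, [reasons])] for login records that look corrupted or suspicious."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(({"user": "<partial record>"}, ["file length is not a multiple of 384"]))
    for rec in parse_wtmp(data):
        if rec["type"] != USER_PROCESS:
            continue
        reasons = []
        if rec["ts"] == 0:
            reasons.append("timestamp is epoch zero ('last' shows 1 Jan 1970 / 31 Dec 1969)")
        if not rec["user"] or any(c not in ALLOWED for c in rec["user"]):
            reasons.append("username contains unexpected characters")
        if rec["user"] not in known_users:
            reasons.append("user does not exist in passwd")
        if reasons:
            findings.append((rec, reasons))
    return findings

def make_record(user, line, host, ts, utype=USER_PROCESS, pid=1234):
    """Build a constructed wtmp record (only used for the sample input below)."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample: one normal login plus one 'pB'-style garbage record.
SAMPLE_WTMP = (make_record("praise", "pts/0", "62.98.133.24", 1001116380)
               + make_record("pB", "", "", 0))

if __name__ == "__main__":
    for rec, reasons in audit_wtmp(SAMPLE_WTMP, {"praise", "leofire", "fraghi"}):
        print(repr(rec["user"]), "->", "; ".join(reasons))
```

On a real box, replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read() and known_users with the names from /etc/passwd; a handful of epoch-zero records with unknown names and nothing else odd is consistent with a damaged wtmp, whereas unknown but well-formed names with valid timestamps deserve a closer look.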