Hi there!
I've got a server running SuSE 6.4 (Kernel 2.2.17), and for about 2 months 'last' has been showing me very strange output like this:
[...] 5019 X*******X*** crt Thu Jan 1 01:00 still logged in
But neither lsof nor netstat shows me any strange things. Could this be an attack? Is it possible that someone broke into this system? Or is anything else faulty? I don't know...
It looks like the /var/log/wtmp file (last uses this) is corrupted.
Perhaps, some process (login or friend...) wrote to it and left a mess.
You could try to set up a new one and see if it repeats. Such corruptions
do not happen very often and should therefore be treated seriously. On the
other hand, you can't really trust the information from /var/log/wtmp - an
intruder might have tampered with the content.
Anyway: If you suspect a compromised system, you can't trust the output of
utilities like netstat and ps any more. A detailed analysis of the system
ingredients requires a trusted environment to work with...
Roman.
--
- -
| Roman Drahtmüller
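
Added example, not part of the original messages: a sanity check for a copy of /var/log/wtmp, meant to be run from a trusted environment as the reply advises. It assumes glibc's 384-byte little-endian `struct utmp` layout (an older libc may differ); `audit_wtmp`, `make_record` and the sample bytes are constructed for illustration.

```python
import struct

# Assumed layout: glibc's 384-byte `struct utmp` on Linux, little-endian.
# The libc on an older system may use a different record layout.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
VALID_TYPES = range(10)  # EMPTY (0) .. ACCOUNTING (9) in <utmp.h>

def printable(raw):
    """True if the bytes before the first NUL are all printable ASCII."""
    return all(0x20 <= b < 0x7F for b in raw.split(b"\0", 1)[0])

def audit_wtmp(data):
    """Return (findings, trailing); findings is [(record_index, [reasons])]."""
    findings = []
    whole = len(data) - len(data) % UTMP.size
    for idx, off in enumerate(range(0, whole, UTMP.size)):
        ut_type, _pid, line, _id, user, host, *rest = UTMP.unpack_from(data, off)
        tv_sec = rest[3]  # rest = termination, exit, session, tv_sec, ...
        reasons = []
        if ut_type not in VALID_TYPES:
            reasons.append("unknown ut_type %d" % ut_type)
        if ut_type != 0 and tv_sec <= 0:
            reasons.append("timestamp at or before the epoch")
        for name, field in (("ut_line", line), ("ut_user", user), ("ut_host", host)):
            if not printable(field):
                reasons.append("non-printable bytes in " + name)
        if reasons:
            findings.append((idx, reasons))
    # Leftover bytes mean the file does not end on a record boundary.
    return findings, len(data) - whole

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed record for the demonstration below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

# Constructed sample: one well-formed login, one damaged record, a partial tail.
SAMPLE = (
    make_record(7, 412, b"tty1", b"alice", b"", 973000000)
    + make_record(7, 5019, b"crt", b"X\x01\x02X", b"", 0)
    + b"\x00" * 100
)

if __name__ == "__main__":
    findings, trailing = audit_wtmp(SAMPLE)
    for idx, reasons in findings:
        print("record %d: %s" % (idx, "; ".join(reasons)))
    print("trailing bytes past last whole record: %d" % trailing)
```

A clean result does not show that the file is untampered; it only shows that every record is well-formed.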