hi there! i've got a server running SuSE 6.4 (Kernel 2.2.17) and since about 2 months, 'last' is showing me a very strange output like this: user ftpd22132 host Sun Sep 10 20:18 - 20:18 (00:00) user ftpd22129 host Sun Sep 10 20:15 - 20:17 (00:01) user pts/0 host Sun Sep 10 20:10 - 20:11 (00:00) user pts/0 host Sun Sep 10 16:03 - 16:04 (00:00) ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 - down (9654+08:44) user pts/1 host Sat Sep 9 18:54 - 19:03 (00:08) user pts/0 host Sat Sep 9 18:46 - 21:01 (02:15) user pts/0 host Sat Sep 9 18:29 - 18:39 (00:09) user ftpd18251 host Sat Sep 9 16:24 - 16:39 (00:14) user pts/0 host Sat Sep 9 16:22 - 16:24 (00:02) ****X*** X*******X*** 15529 Thu Jan 1 01:00 - 02:44 (1557+01:44) ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 - 01:00 (-1557+-1:-4 user pts/0 host Fri Sep 8 01:23 - 01:27 (00:03) i really don't know where this "****X***" comes from. also take a look at the login time! another example: ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 still logged in ****X*** X*******X*** Thu Jan 1 01:00 - 02:44 (1557+01:44) ****X*** X*******X*** ****X*******X*** Sun Apr 7 02:44 - 01:00 (-1557+-1:-4 ****X*** X*******X*** ****X*******X*** Thu Jan 1 01:00 - 02:44 (1557+01:44) 5019 X*******X*** crt Thu Jan 1 01:00 still logged in but neiter lsof or netstat show me any strange things. could this be an attack? is it possible that someone broke into this system? or is anything else faulty? i dont't know... Yours -- Tobias Gewinner TMT interNETworks GmbH t.gewinner@tmt.de http://www.tmt.de