Il 12:11, mercoledì 21 novembre 2001, Bart Frackiewicz ha scritto:
Hi,
i got the same here:
bf pts/0 195.158.139.82 Wed Nov 21 12:02 still logged in bf pts/0 195.158.139.82 Tue Nov 20 17:51 - 17:52 (00:01) bf pts/0 pd9521b95.dip.t- Tue Nov 20 07:44 - 07:48 (00:03) bf pts/0 pd9521b95.dip.t- Tue Nov 20 07:36 - 07:42 (00:06) X**** ****X******* Thu Jan 1 01:00 still logged in bf pts/0 pd952148a.dip.t- Mon Nov 19 19:04 - 19:10 (00:06) root pts/0 eth0.gw-ma-a.ka. Mon Nov 19 17:30 - 17:39 (00:09) bf pts/0 195.158.139.82 Mon Nov 19 16:39 - 17:11 (00:32) bf pts/0 195.158.139.82 Mon Nov 19 14:02 - 14:11 (00:09) K* ****X******* Thu Jan 1 01:00 - 01:00 (00:00) bf pts/0 pd9521480.dip.t- Sun Nov 18 11:59 - 12:04 (00:05) bf pts/0 pd9521396.dip.t- Sat Nov 17 14:28 - 14:40 (00:12) lz pts/0 d20.dip.geneos.d Sat Nov 17 12:34 - 12:37 (00:02)
also running SuSE 7.2.
Thanks for any ideas.
Bart Frackiewicz PGP Key ID: 0xBFB9C517
-----Original Message----- From: suse-security-return-10379-bart.frackiewicz=evercom.de@suse.com [mailto:suse-security-return-10379-bart.frackiewicz=evercom.de @suse.com] On Behalf Of Dirkes Guido Sent: Wednesday, November 21, 2001 9:49 AM To: Security Mailing Liste Subject: [suse-security] Strange last entries today I found some strange last entries on several of our machines. Does anybody have an idea what has happend? We are running SuSE 7.2.
dirkes pts/0 ikcms01.fzk.de Wed Nov 21 10:59 still logged in weiler pts/0 ikcmsp01.fzk.de Wed Nov 21 10:51 - 10:58 (00:07) ******** ************ **************** Thu Jan 1 01:00 still logged in simonis pts/3 ikcms14.fzk.de Tue Nov 20 18:45 - 18:50 (00:04)
<snip>
Guys, I had the same entries. Running chkwtmp-1.0 I have found out that there were some deleted entries in wtmp. So I reinstalled everything:-/ And I cant help you anymore. I am running Suse 7.1 btw. Please check chkrootkit also, it could say if you have a rootkit. Now I have only a report of deleted entries (Which I have already emailed to this list), but It looks I do not have any rootkit running. Tripwire says there is not everything wrong. So if someone finds out that this is a bug, not a crack, please let me know! Praise Prise