Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] user ***** - am I hacked?
  • From: Guido Tschakert <gt@xxxxxxxxxxx>
  • Date: Thu, 3 Jan 2002 18:02:53 +0100
  • Message-id: <E16MBDh-0005KI-00@xxxxxxxxxxxxxxxxxxxxxxxx>
On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
> Praise wrote:
> > At 12:52 on Sunday, 30 December 2001, Marc Wiesenhütter wrote:
> > > Hi,
> > > when I just checked user logins with last, I found this entry
> > >
> > > ***** p*******p*** Thu Jan 1 01:00 still logged
> > > in
> > >
> > > and user ***** is not known to me. The process table didn't show any
> > > strange thing, so am I hacked or what does it mean?
> > > Any ideas welcome!
> > >
> > > bye
> > > Marc
> >
> > I have been told this is a reiserFS corruption problem... do you use it?
> >
> > Praise
>
> Hi Praise,
> yes I did, but I changed it about 1 month ago. Are you really sure, or
> where can I get some information about it? It would be too great.
> thanks
> Marc
I have a lot of silly things in the output of last:
low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
*mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
-include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
*i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-

and for what praise said: I'm using reiserfs.
Seems to me a problem with the filesystem and the format of wtmp. Has there
been a new version of reiserfs or last between SuSE7.2 and SuSE7.3?
I couldn't find that sort of entry on my boxes with SuSE <= 7.2, and also
not on all 7.3 boxes (but most).

Does anyone have any more ideas?

Another possibility is: the rootkit of the cracker is a little bit rotten, in
particular the part for last.
--
------------------
Guido Tschakert
Sys-Ad, SRC
------------------
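
Added example, not part of the original message or of any SuSE tool: a structural check of wtmp records that flags entries like the ones quoted from last above. It assumes the 384-byte glibc/Linux utmp record layout; check_wtmp, text_ok, make_record and the sample data are hypothetical names and constructed values.

```python
import struct
import time

# glibc/Linux utmp record, 384 bytes (assumed layout; verify against <utmp.h>
# on the system that wrote the file before trusting the results).
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
MAX_TYPE = 9  # ut_type runs from EMPTY (0) to ACCOUNTING (9)

def text_ok(raw):
    """True if the field is printable ASCII followed only by NUL padding."""
    s = raw.rstrip(b"\0")
    return all(0x20 <= c < 0x7F for c in s)

def check_wtmp(data, now=None):
    """Return {record_index: [reasons]} for records that cannot be genuine."""
    now = time.time() if now is None else now
    bad = {}
    count, rest = divmod(len(data), REC.size)
    if rest:
        bad[count] = ["trailing partial record (%d bytes)" % rest]
    for i in range(count):
        f = REC.unpack_from(data, i * REC.size)
        ut_type, line, user, host, tv_sec, tv_usec = f[0], f[2], f[4], f[5], f[9], f[10]
        why = []
        if not 0 <= ut_type <= MAX_TYPE:
            why.append("ut_type %d out of range" % ut_type)
        if not (text_ok(line) and text_ok(user) and text_ok(host)):
            why.append("non-text bytes in line/user/host")
        if tv_sec <= 0 or tv_sec > now:
            why.append("timestamp %d is zero, negative or in the future" % tv_sec)
        if not 0 <= tv_usec < 1000000:
            why.append("tv_usec %d out of range" % tv_usec)
        if why:
            bad[i] = why
    return bad

def make_record(ut_type, user, line, host, tv_sec):
    """Build one well-formed record for the constructed sample below."""
    return REC.pack(ut_type, 1234, line, b"", user, host, 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

# Constructed sample: one genuine login, one record overwritten with
# filename-like text (as in the output quoted above), one zeroed record.
SAMPLE = (make_record(7, b"marc", b"pts/0", b"host.example", 1009900000)
          + (b"low.html ver.tcl " * 23)[:REC.size]
          + bytes(REC.size))

if __name__ == "__main__":
    for idx, reasons in sorted(check_wtmp(SAMPLE).items()):
        print("record %d: %s" % (idx, "; ".join(reasons)))
```

To use it on a real system, pass the bytes of a copy of /var/log/wtmp to check_wtmp. Records filled with fragments of other files point to file corruption, while a clean result does not by itself show that the log is unedited.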
