LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-05-2003, 07:25 PM   #16
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69

Wow, that is pretty strange. It sounds more like a bug than anything else. I double checked the bugzilla database and there is a bug reported, but it is associated with the last -i command. Try that and if you see that same ip address, it's the same bug (in SysVinit). Bet you went WTF when you saw that entry even with it not connected to anything. I think this is the bug (I believe the same one adme pointed out) in case you're interested.

https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
 
Old 07-06-2003, 07:26 AM   #17
adme
Member
 
Registered: Jan 2003
Distribution: Redhat Psyche, Redhat Shrike, Solaris 9
Posts: 51

Original Poster
Rep: Reputation: 15
make a bug report @ bugzilla.redhat.com

I am sure this is a bug. Please send me the link.

kind regards

adme
 
Old 07-06-2003, 07:10 PM   #18
fanton
LQ Newbie
 
Registered: Jul 2003
Posts: 6

Rep: Reputation: 0
Now it's a bug

Ok, so I've confirmed the tests on other machines and the problem is reproducible. It's now officially a bug...

It's reported in Bugzilla #98659 and is probably related to the one reported under #82540 as noticed by Capt. Caveman. (Thanks!)

https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659

Thank you too adme!

Ufff... I feel relieved now that I know that my system was not invaded!

Last edited by fanton; 07-06-2003 at 07:15 PM.
 
Old 07-18-2003, 12:30 PM   #19
jonathon
LQ Newbie
 
Registered: Jul 2001
Location: Sydney
Distribution: Yellow Dog
Posts: 11

Rep: Reputation: 0
hello fanton.
You might be interested to see the output for utmpdump /var/log/wtmp | grep 127 on my machine... note my "rogue" ip number is 127 not 128 as with your machine.
Code:
# utmpdump /var/log/wtmp | grep 127
Utmp dump of /var/log/wtmp
[7] [01129] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Mon Jul 14 03:14:07 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Mon Jul 14 09:22:39 2003 EST]
[7] [01078] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Mon Jul 14 11:42:00 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Mon Jul 14 18:31:36 2003 EST]
[7] [07521] [:0 ] [suzanne ] [:0 ] [ ] [127.255.248.88 ] [Mon Jul 14 18:32:06 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Mon Jul 14 19:22:17 2003 EST]
[7] [12822] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Tue Jul 15 00:21:02 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Tue Jul 15 16:46:38 2003 EST]
[7] [00936] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Wed Jul 16 16:51:58 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Wed Jul 16 20:25:43 2003 EST]
[7] [00933] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Thu Jul 17 01:43:09 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Thu Jul 17 03:14:07 2003 EST]
[7] [00951] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Thu Jul 17 12:46:02 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Thu Jul 17 15:01:24 2003 EST]
[7] [01050] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Thu Jul 17 18:55:55 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Thu Jul 17 23:41:14 2003 EST]
[7] [04860] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Thu Jul 17 23:41:27 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Fri Jul 18 15:03:58 2003 EST]
[7] [00953] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Fri Jul 18 22:59:27 2003 EST]
The pattern is similar... the same (almost) logins on [7] and [8] lines, and from terminal :0.

Step 2 in your instructions at bugzilla is:
2. look at wtmp using 'utmpdump /var/log/wtmp | grep 128.99'
This is not necessarily so... the number on my machine is 127, not 128... maybe you should revise your bugzilla submission?

I'm using yellowdog (3.0) on ppc with dialup connection.. doesn't seem to matter if I'm connected or not, still get the logins.
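An added example, not code from this thread or from the utmpdump/SysVinit projects: a small Python parser for the utmpdump layout shown above that flags local-display records (line ":0" or a ttyN) carrying a network address with no host name, the inconsistency the posters above were chasing. The sample lines, including the pts/0 and tty1 records, are constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the utmpdump layout shown in this thread:
# [type] [pid] [id] [user] [line] [host] [addr] [time]
SAMPLE = """Utmp dump of /var/log/wtmp
[7] [01129] [:0 ] [jonathon] [:0 ] [ ] [127.255.248.88 ] [Mon Jul 14 03:14:07 2003 EST]
[8] [00000] [:0 ] [        ] [:0 ] [ ] [127.255.248.40 ] [Mon Jul 14 09:22:39 2003 EST]
[7] [02345] [pts/0 ] [alice ] [pts/0 ] [192.0.2.10 ] [192.0.2.10 ] [Tue Jul 15 10:00:00 2003 EST]
[7] [02400] [tty1 ] [bob ] [tty1 ] [ ] [0.0.0.0 ] [Tue Jul 15 10:05:00 2003 EST]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")
# Field order as printed by utmpdump (mirrors struct utmp)
FIELDS = ("type", "pid", "id", "user", "line", "host", "addr", "time")


def parse_utmpdump(text: str) -> List[Dict[str, str]]:
    """Turn utmpdump output into a list of dicts, one per wtmp record."""
    records = []
    for raw in text.splitlines():
        if not raw.startswith("["):
            continue  # skip the "Utmp dump of ..." banner
        values = [v.strip() for v in FIELD_RE.findall(raw)]
        if len(values) != len(FIELDS):
            continue  # malformed line, ignore rather than misalign fields
        records.append(dict(zip(FIELDS, values)))
    return records


def suspicious_local_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return USER_PROCESS (7) / DEAD_PROCESS (8) records whose line is a local
    X display or console tty but which carry a non-zero ut_addr and no ut_host.
    A genuine remote session (ssh) shows host and addr together on a pts/N line;
    a local display login has no network peer, so an address there is worth a
    second look. In this thread the cause was an uninitialised field, not an
    intrusion, but the check surfaces the records either way."""
    flagged = []
    for r in records:
        if r["type"] not in ("7", "8"):
            continue
        local_line = r["line"].startswith(":") or r["line"].startswith("tty")
        if local_line and not r["host"] and r["addr"] not in ("", "0.0.0.0"):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for rec in suspicious_local_records(parse_utmpdump(SAMPLE)):
        print(f"{rec['time']}: line {rec['line']} user '{rec['user']}' addr {rec['addr']}")
```

On a live system, feed it `utmpdump /var/log/wtmp` output instead of SAMPLE and compare the flagged addresses against boot times, since the thread above found one bogus record per boot.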
 
Old 07-18-2003, 02:46 PM   #20
fanton
LQ Newbie
 
Registered: Jul 2003
Posts: 6

Rep: Reputation: 0
Hi, Jonathon

Thanks for your note. I've already updated the bugzilla submission (although no one seems to have looked at it yet!).

The problem seems to happen once at every boot. You may check if it's what happens in your case too.
 
Old 07-19-2003, 12:37 PM   #21
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
[post deleted, contained no useful info]

Last edited by Robert0380; 07-19-2003 at 12:41 PM.