LinuxQuestions.org


astanton 12-05-2012 03:56 AM

Why are there foreign IP network addresses in the output from "last -adix"???
 
Why do the pseudousers reboot, shutdown, and runlevel show foreign IP network addresses in the host column of the output from the "last -x" command?

For example, the following are excerpts from the output of "last -adix". Note that the non-privileged users who logged on locally have IP addresses of 0.0.0.0, while the output from "last -adx" would have shown those entries as "localhost" instead.

Code:

runlevel (to lvl 3)  Wed Aug 22 08:53 - 16:28 (3+07:35)    16.208.13.0
reboot  system boot  Wed Aug 22 08:53        (3+07:35)    161.205.13.0
shutdown system down  Tue Aug 21 17:15 - 16:28 (3+23:12)    45.217.2.0
runlevel (to lvl 0)  Tue Aug 21 17:15 - 17:15  (00:00)    114.20.10.0
johndoe2 pts/16      Tue Aug 21 17:07 - 17:08  (00:01)    0.0.0.0
janedoe2 pts/16      Tue Aug 21 16:23 - 16:33  (00:09)    0.0.0.0
runlevel (to lvl 3)  Tue Aug 21 12:12 - 17:15  (05:03)    25.236.10.0
reboot  system boot  Tue Aug 21 12:12          (05:03)    217.233.10.0
shutdown system down  Tue Aug 21 12:11 - 17:15  (05:04)    127.101.2.0
runlevel (to lvl 6)  Tue Aug 21 12:10 - 12:11  (00:00)    35.54.10.0
runlevel (to lvl 3)  Tue Aug 21 12:05 - 12:10  (00:05)    96.49.0.0
reboot  system boot  Tue Aug 21 12:05          (00:05)    69.47.0.0
shutdown system down  Tue Aug 21 08:46 - 12:10  (03:23)    34.226.8.0
runlevel (to lvl 0)  Tue Aug 21 08:45 - 08:46  (00:01)    19.201.12.0

Here's another example of those foreign IPs, or 'hosts' as they're supposed to be, according to the man pages.

Excerpts from "last -adx" show some ?network names? in the host column:

Code:

runlevel (to lvl 3)  Thu Nov  8 17:56 - 13:41 (6+19:44)    41-84-11-0-0.available.africainx.net
reboot  system boot  Thu Nov  8 17:56        (6+19:44)    213.81.11.0
runlevel (to lvl 3)  Thu Nov  8 12:39 - 17:56  (05:17)    228.65.14.0
reboot  system boot  Thu Nov  8 12:39        (7+01:01)    0-14.63-188.cust.bluewin.ch
shutdown system down  Thu Nov  8 12:38 - 13:41 (7+01:02)    2.6.33.4
runlevel (to lvl 6)  Thu Nov  8 12:38 - 12:38  (00:00)    249.87.1.0
root    tty1        Thu Nov  8 12:34 - down  (00:03)    localhost
runlevel (to lvl 3)  Sat Sep  1 15:51 - 17:10 (31+01:18)  207.228.13.0
reboot  system boot  Sat Sep  1 15:51        (31+01:18)  162.226.13.0
shutdown system down  Sat Sep  1 15:50 - 17:10 (31+01:19)  d58-104-12-0.sbr802.nsw.optusnet.com.au
runlevel (to lvl 6)  Sat Sep  1 15:50 - 15:50  (00:00)    207.57.8.0

While the output from "last -adix" shows only network numbers in the host column for these same events:

Code:

runlevel (to lvl 3)  Thu Nov  8 17:56 - 13:41 (6+19:44)    41.84.11.0
reboot  system boot  Thu Nov  8 17:56        (6+19:44)    213.81.11.0
runlevel (to lvl 3)  Thu Nov  8 12:39 - 17:56  (05:17)    228.65.14.0
reboot  system boot  Thu Nov  8 12:39        (7+01:01)    188.63.14.0
shutdown system down  Thu Nov  8 12:38 - 13:41 (7+01:02)    192.77.9.0
runlevel (to lvl 6)  Thu Nov  8 12:38 - 12:38  (00:00)    249.87.1.0
root    tty1        Thu Nov  8 12:34 - down  (00:03)    0.0.0.0
runlevel (to lvl 3)  Sat Sep  1 15:51 - 17:10 (31+01:18)  207.228.13.0
reboot  system boot  Sat Sep  1 15:51        (31+01:18)  162.226.13.0
shutdown system down  Sat Sep  1 15:50 - 17:10 (31+01:19)  58.104.12.0
runlevel (to lvl 6)  Sat Sep  1 15:50 - 15:50  (00:00)    207.57.8.0
unSpawn 12-05-2012 06:49 AM

As for "-adx" vs "-adix": IP addresses are resolved on the fly, so any that aren't just aren't resolved, AFAIK. What *is* interesting is that most IP addresses seem to be nnn.nnn.nnn.0 ones, which does make me think of some parsing error. I vaguely remember an issue with Red Hat, but that was ages ago.
- What OS is this?
- If Linux, which distribution + release + sysvinit package version (or whatever package contains the 'last' binary)?
- Does your distribution's bug tracker show any problems with parsing wtmp?
- Did you notice any earlier problems with wtmp or btmp? (Have you checked previous ones?)
- Are any of the IP addresses familiar to you or are they logged in daemon logs or syslog? (Use a "nnn.nnn.nnn\.[0-9]\{1,3\}"-like regex to check?)

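An added example (not posted by either participant) that reads wtmp records directly and decodes the ut_addr_v6 field the way `last -i` renders it, so you can see which record types the addresses actually belong to: only USER_PROCESS records are logins, whereas the reboot/runlevel/shutdown rows are RUN_LVL and BOOT_TIME records. It assumes the 384-byte little-endian glibc utmp layout used on x86 Linux; the sample records are constructed, not taken from the poster's system.

```python
import socket
import struct

# glibc "struct utmp" as written to /var/log/wtmp on x86 Linux (32- and 64-bit):
# 384 bytes, little-endian. Assumption: the poster's wtmp uses this layout.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
         6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def cstr(field):
    return field.split(b"\0", 1)[0].decode("latin-1")

def addr_as_last_i(raw16):
    # What `last -i` renders: 12 trailing zero bytes => IPv4 in the first 4, else IPv6.
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntop(socket.AF_INET, raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)

def parse_wtmp(data):
    """One dict per 384-byte record, in file order (oldest first)."""
    records = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, addr, _pad) = UTMP.unpack_from(data, off)
        records.append({"type": TYPES.get(ut_type, str(ut_type)), "pid": pid,
                        "user": cstr(user), "line": cstr(line), "host": cstr(host),
                        "time": tv_sec, "addr": addr_as_last_i(addr)})
    return records

def remote_logins(records):
    # Only USER_PROCESS records are logins; an address in the ut_addr_v6 field of a
    # RUN_LVL or BOOT_TIME record is not a login from anywhere, however `-i` prints it.
    return [r for r in records
            if r["type"] == "USER_PROCESS" and r["addr"] not in ("0.0.0.0", "::")]

def make_record(ut_type, user, line, host, tv_sec, addr=b"", pid=0):
    # Constructed test record, not taken from a real wtmp.
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, addr, b"")

# Constructed sample mirroring the thread: boot/runlevel records whose address field
# holds leftover bytes, a local pts login with a zero address, one genuine remote login.
SAMPLE_WTMP = b"".join([
    make_record(2, "reboot", "~", "2.6.33.4", 1345625580, socket.inet_aton("161.205.13.0")),
    make_record(1, "runlevel", "~", "2.6.33.4", 1345625580, socket.inet_aton("16.208.13.0")),
    make_record(7, "johndoe2", "pts/16", "localhost", 1345583220, pid=4321),
    make_record(7, "janedoe2", "pts/3", "203.0.113.7", 1345583220,
                socket.inet_aton("203.0.113.7"), pid=4322),
])
```

Feeding `open("/var/log/wtmp", "rb").read()` to `parse_wtmp` lists the real file, and `remote_logins` leaves only the rows whose addresses are worth cross-checking against sshd or syslog entries.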
