LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   is last -i showing remote user logged in? (https://www.linuxquestions.org/questions/linux-security-4/is-last-i-showing-remote-user-logged-in-297736/)

b_s 03-04-2005 05:20 PM

is last -i showing remote user logged in?
 
I just installed Suse 9.2, and it appears that I have a remote user logged in. Below is a sample from when I run last -i. When I checked the logs it looked as though someone was logging into or trying to log in using sshd, I removed that package. But the user is still there, logged into my username.
Is this something that Suse does? Am I reading the las command correctly?
The remote IP shows for any users that log into X. I am also behind a router that is not forwarding any ports. Any advice or help would be much appreciated http://images.linuxquestions.org/que...ons/icon10.gif

h_ pts/1 0.0.0.0 Fri Mar 4 10:33 still logged in
h_ pts/0 0.0.0.0 Fri Mar 4 10:30 still logged in
h_ :0 220.218.236.183 Fri Mar 4 10:30 still logged in
h_ pts/1 0.0.0.0 Fri Mar 4 10:05 - 10:06 (00:00)
h_ pts/0 0.0.0.0 Fri Mar 4 02:46 - 10:29 (07:43)
h_ :0 220.218.236.183 Fri Mar 4 02:45 - 10:29 (07:43)
h_ pts/2 0.0.0.0 Fri Mar 4 02:22 - 02:25 (00:02)
h_ pts/1 0.0.0.0 Fri Mar 4 02:19 - 02:31 (00:12)
h_ pts/0 0.0.0.0 Fri Mar 4 02:19 - 02:46 (00:26)
h_ :0 220.218.236.183 Fri Mar 4 02:19 - 02:37 (00:18)
root pts/1 0.0.0.0 Fri Mar 4 02:04 - 02:14 (00:09)
root pts/0 0.0.0.0 Fri Mar 4 02:04 - 02:18 (00:14)
root :0 220.218.236.183 Fri Mar 4 02:04 - 02:18 (00:14)

Matir 03-04-2005 05:35 PM

Is that IP part of your local network? (Some have world routable IPs). Also, have you checked those times against your own activity?

Dogit 03-04-2005 05:42 PM

Hello,b_s

Not sure if you like have a look here

http://www.linuxquestions.org/questi...hreadid=215431

@ Matir

Sorry did not see you there

Great day

b_s 03-04-2005 07:31 PM

it looks like that IP is logged in right when I log a user into X. I had only had Suse 9.2 installed for a day when I noticed this. I did see that ssh thread, if it guessed my password its become much better at getting in :-) Thanks for your replies, any other ideas??

Capt_Caveman 03-04-2005 11:07 PM

This is a known bug:

https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659
http://bugs.mandrakelinux.com/query.php?bug=532

I personally submitted it to SuSE, but apparently they have better things to do like figure out how many shades of green they can make their website rather than respond to bug reports.

FWIW, the IP isn't quite random but has to do with kernel version (it's used as a place holder for the remote host in the utmp logging code).

b_s 03-04-2005 11:42 PM

THANK YOU Capt_Caveman!!!
I feel much better knowing that, if you do a whois on that IP it actually belongs to some hospital in china ... hopefully this bug will be resolved soon, doesnt look like its a priority to them though :)

Capt_Caveman 03-04-2005 11:57 PM

Quote:

Originally posted by b_s
THANK YOU Capt_Caveman!!!
I feel much better knowing that, if you do a whois on that IP it actually belongs to some hospital in china ... hopefully this bug will be resolved soon, doesnt look like its a priority to them though :)

lol. I remember the first time I saw it in Redhat, the IP resolved to a US Defense contractor (Northrop Grumman I believe), so there are probably tech support people all over the globe getting hate mail from people mistakenly thinking that they've been hacking them :rolleyes: . I know it's been resolved in Fedora Core 3, so hopefully newer releases from other distros should have it fixed as well.

Matir 03-05-2005 12:26 AM

Wow. Somebody's corrupting the utmp structures. :) How that one came out from a distro like SuSE is beyond me. I guess that's what you get when Novell buys out a distro. :)

Capt_Caveman 03-05-2005 01:32 AM

Actually it's been screwed up for awhile (pre-Novell) and is found in a number of distros (redhat, mandrake, suse, etc).


All times are GMT -5. The time now is 05:13 AM.