LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-04-2005, 05:20 PM   #1
b_s
LQ Newbie
 
Registered: Aug 2002
Location: California
Distribution: Mandrake, SuSe 9.2
Posts: 25

Rep: Reputation: 15
Talking is last -i showing remote user logged in?


I just installed Suse 9.2, and it appears that I have a remote user logged in. Below is a sample from when I run last -i. When I checked the logs it looked as though someone was logging into or trying to log in using sshd, I removed that package. But the user is still there, logged into my username.
Is this something that Suse does? Am I reading the las command correctly?
The remote IP shows for any users that log into X. I am also behind a router that is not forwarding any ports. Any advice or help would be much appreciated http://images.linuxquestions.org/que...ons/icon10.gif

h_ pts/1 0.0.0.0 Fri Mar 4 10:33 still logged in
h_ pts/0 0.0.0.0 Fri Mar 4 10:30 still logged in
h_ :0 220.218.236.183 Fri Mar 4 10:30 still logged in
h_ pts/1 0.0.0.0 Fri Mar 4 10:05 - 10:06 (00:00)
h_ pts/0 0.0.0.0 Fri Mar 4 02:46 - 10:29 (07:43)
h_ :0 220.218.236.183 Fri Mar 4 02:45 - 10:29 (07:43)
h_ pts/2 0.0.0.0 Fri Mar 4 02:22 - 02:25 (00:02)
h_ pts/1 0.0.0.0 Fri Mar 4 02:19 - 02:31 (00:12)
h_ pts/0 0.0.0.0 Fri Mar 4 02:19 - 02:46 (00:26)
h_ :0 220.218.236.183 Fri Mar 4 02:19 - 02:37 (00:18)
root pts/1 0.0.0.0 Fri Mar 4 02:04 - 02:14 (00:09)
root pts/0 0.0.0.0 Fri Mar 4 02:04 - 02:18 (00:14)
root :0 220.218.236.183 Fri Mar 4 02:04 - 02:18 (00:14)

Last edited by b_s; 03-04-2005 at 05:23 PM.
 
Old 03-04-2005, 05:35 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Is that IP part of your local network? (Some have world routable IPs). Also, have you checked those times against your own activity?
 
Old 03-04-2005, 05:42 PM   #3
Dogit
Member
 
Registered: Feb 2005
Distribution: Suse 9.0,9.2 Pro
Posts: 67

Rep: Reputation: 15
Hello,b_s

Not sure if you like have a look here

http://www.linuxquestions.org/questi...hreadid=215431

@ Matir

Sorry did not see you there

Great day

Last edited by Dogit; 03-04-2005 at 05:47 PM.
 
Old 03-04-2005, 07:31 PM   #4
b_s
LQ Newbie
 
Registered: Aug 2002
Location: California
Distribution: Mandrake, SuSe 9.2
Posts: 25

Original Poster
Rep: Reputation: 15
it looks like that IP is logged in right when I log a user into X. I had only had Suse 9.2 installed for a day when I noticed this. I did see that ssh thread, if it guessed my password its become much better at getting in :-) Thanks for your replies, any other ideas??
 
Old 03-04-2005, 11:07 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
This is a known bug:

https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659
http://bugs.mandrakelinux.com/query.php?bug=532

I personally submitted it to SuSE, but apparently they have better things to do like figure out how many shades of green they can make their website rather than respond to bug reports.

FWIW, the IP isn't quite random but has to do with kernel version (it's used as a place holder for the remote host in the utmp logging code).
 
Old 03-04-2005, 11:42 PM   #6
b_s
LQ Newbie
 
Registered: Aug 2002
Location: California
Distribution: Mandrake, SuSe 9.2
Posts: 25

Original Poster
Rep: Reputation: 15
THANK YOU Capt_Caveman!!!
I feel much better knowing that, if you do a whois on that IP it actually belongs to some hospital in china ... hopefully this bug will be resolved soon, doesnt look like its a priority to them though
 
Old 03-04-2005, 11:57 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by b_s
THANK YOU Capt_Caveman!!!
I feel much better knowing that, if you do a whois on that IP it actually belongs to some hospital in china ... hopefully this bug will be resolved soon, doesnt look like its a priority to them though
lol. I remember the first time I saw it in Redhat, the IP resolved to a US Defense contractor (Northrop Grumman I believe), so there are probably tech support people all over the globe getting hate mail from people mistakenly thinking that they've been hacking them . I know it's been resolved in Fedora Core 3, so hopefully newer releases from other distros should have it fixed as well.
 
Old 03-05-2005, 12:26 AM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Wow. Somebody's corrupting the utmp structures. How that one came out from a distro like SuSE is beyond me. I guess that's what you get when Novell buys out a distro.
 
Old 03-05-2005, 01:32 AM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Actually it's been screwed up for awhile (pre-Novell) and is found in a number of distros (redhat, mandrake, suse, etc).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
running X applications on remote machine when logged in via ssh servnov Linux - General 1 08-15-2005 09:53 PM
Multi-user and 3D sharing, 3D only works for the first logged in user foxy123 SUSE / openSUSE 0 02-20-2005 05:31 AM
Remote launch GUI from Daemon with nobody logged in? Merlin53 Linux - General 1 08-12-2004 10:03 PM
mozilla works fine when logged in as a user but crashes when logged in as root jimi Linux - General 6 04-02-2003 09:34 PM
Remote message: User: already logged onto system 1 time(s). jamaso Linux - General 1 11-08-2002 06:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:18 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration