I am very confused??? When I do a "last -i" on my ftp server I get this:

ftpuser ftpd6651 196.151.254.191 Fri Sep 3 10:46 - 11:01 (00:15)
ftpuser ftpd6631 196.161.254.191 Fri Sep 3 10:45 - 10:45 (00:00)
ftpuser ftpd5494 68.154.254.191 Fri Sep 3 10:03 - 10:03 (00:00)
ftpuser ftpd5493 196.154.254.191 Fri Sep 3 10:02 - 10:18 (00:15)
ftpuser ftpd5398 68.170.254.191 Fri Sep 3 09:59 - 09:59 (00:00)
ftpuser ftpd5338 68.168.254.191 Fri Sep 3 09:57 - 09:57 (00:00)
ftpuser ftpd5318 68.178.254.191 Fri Sep 3 09:55 - 09:56 (00:00)

The ip's in the third column are not even close to anything I use... I know, it looks like I have some unwanted guests but it gets weird. When I do just a "last" I get this output:

ftpuser ftpd6651 ws.mydomain.com Fri Sep 3 10:46 - 11:01 (00:15)
ftpuser ftpd6631 ws.mydomain.com Fri Sep 3 10:45 - 10:45 (00:00)
ftpuser ftpd5494 ws.mydomain.com Fri Sep 3 10:03 - 10:03 (00:00)
ftpuser ftpd5493 ws.mydomain.com Fri Sep 3 10:02 - 10:18 (00:15)
ftpuser ftpd5398 ws.mydomain.com Fri Sep 3 09:59 - 09:59 (00:00)
ftpuser ftpd5338 ws.mydomain.com Fri Sep 3 09:57 - 09:57 (00:00)
ftpuser ftpd5318 ws.mydomain.com Fri Sep 3 09:55 - 09:56 (00:00)

The domains in the third column are definately mine. Plus I know that the two top login entries are mine cause that is when I was testing them. What would cause the "last" command to record an ip that isn't mine. I ran a chkrootkit program and it did not find any things that looked strange (no alteration of the wtmp file). Also, the passwords I use for ftp are a combination of 14 characters containing numbers, letters and special characters.

What version of Enterprise are you using?

on last -i i get

"my user name" pts/3 0.0.0.0

while last gets the whole domain name right

Just a thought


196.151.254.191 in addr, arpa becomes 191.254.151, etc

Then all your IPs start with

191.254

I have a Dial T-online customer who is in 217.

Pretty annoying.

so a 191.254. might be possible.

Might be complete bollocks but hey I ' m a Doctor

What I essentially mean is that that wtmp loggin is fecked up and maybe records reads the IP the wrong way.

http://arul.telenet-systems.com/cgi-...68.154.254.191
NetRange: 68.152.0.0 - 68.159.255.255

Nah mate

Strange indeed

Still they all end in 254.191

And I believe the answer, whatever it might be, is in that pattern.

Capt_Caveman,

I use RHEL 2.1 on that box.

DrNeal,

Thank you, I didn't even realize that they were all ending in .254.191.

I just noticed similiar behavior on my RH 8.0 systems. If I log into gnome from the PC itself 'last -i' records the address to an ip that is not even close to what I am using.

Just to be sure I tried on a few more RH 8.0 boxes and the two others both showed the same odd IP address the first one was using each time I logged in and out.

This is known bug:

http://bugzilla.redhat.com/bugzilla/...g.cgi?id=82540
https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659

along with the ftp weirdness (prob same or related bug):
http://bugzilla.redhat.com/bugzilla/...g.cgi?id=32417

Those reported bugs seem to be exactly what I am experiancing. I like at the bottom of one of the threads how it says:

"This behaviour could lead to the wrong conclusion that the system was invaded or
hacked by an unauthorized perpetrator."

YOU THINK!!!!

lol thanks for the heart attack.

"heart attack", yeah that was about my reaction and immediately went to the firewall to block the IP. Then I noticed the login/logout time was the same as when I was on the console and decided to do the same test from a few more stations to realize it was just a bug.

What's really bad about it is that the IP addresses displayed aren't completely random. One that I've seen resolves to a US defense contractor (Northrop-Grumman). So seeing that Northrop-Grumman has cracked your box can be quite disturbing as well Though the .254.191 portion of the address is indeed intriguing.

have you tried reverse lookups on those IPs?

When I looked up the ips, it says that they are comming from the U.S