[NTLUG:Discuss] suspicious output from "last -d" command
Eric Waguespack
ewaguespack at gmail.com
Mon Oct 29 18:48:55 CDT 2007
What daemons do you have running? `lsof -i`? `netstat -lntup`?
On 10/29/07, David Stanaway <david at stanaway.net> wrote:
>
> Some ftp daemons log to wtmp too.
>
> Cross reference against your FTP logs.
>
> Ed Leach wrote:
> > Hello,
> >
> > Below is output from a "last -d" command. In the man page for last it's
> > pretty clear that the -d option lists non-local logins. My machine is a
> > simple Ubuntu home system - no servers. I do occasionally use ssh to
> > backup to another local machine, but that wouldn't explain this output.
> > I have no idea what or who these IPs are!
> >
> > I didn't notice any suspicious activity on my machine other than this
> > output. I did a chkrootkit and it came up with nothing.
> >
> > After seeing this output, I have done a clean install of Gutsy since I
> > was a couple versions behind anyway.
> >
> > So . . . could anything explain this output other than getting broken into?
> >
> > Thanks,
> >
> > Ed
> >
> > -------------------------------
> >
> > user pts/0 50.232.7.0 Fri Oct 26 11:07 - 20:49 (09:42)
> > user pts/0 21.226.7.0 Fri Oct 26 08:19 - 11:06 (02:47)
> > user pts/0 62.92.8.0 Fri Oct 26 08:14 - 08:14 (00:00)
> > user :0 localhost Fri Oct 26 08:08 - 20:49 (12:40)
> > reboot system boot 40.123.8.0 Fri Oct 26 08:08 (12:40)
> > user pts/0 174.42.15.0 Thu Oct 25 14:16 - 20:20 (06:03)
> > user pts/0 21.193.4.0 Thu Oct 25 12:43 - 12:47 (00:03)
> > user :0 localhost Thu Oct 25 09:55 - 20:21 (10:25)
> > reboot system boot 118.143.5.0 Thu Oct 25 09:55 (10:25)
> > user pts/1 0-2.1-85.cust.bl Wed Oct 24 13:28 - 19:51 (06:23)
> > user pts/1 8.81.13.0 Wed Oct 24 13:25 - 13:27 (00:02)
> > user pts/1 107.68.4.0 Wed Oct 24 12:47 - 13:24 (00:37)
> > user pts/0 224.95.9.0 Tue Oct 23 11:48 - 13:25 (1+01:36)
> > user :0 localhost Tue Oct 23 11:24 - 19:51 (1+08:26)
> > reboot system boot 21.127.7.0 Tue Oct 23 11:24 (1+08:27)
> > user :0 localhost Mon Oct 22 08:51 - 20:01 (11:09)
> > reboot system boot c-75-65-2-0.hsd1 Mon Oct 22 08:51 (11:09)
> > user :0 localhost Fri Oct 19 08:26 - 12:19 (03:52)
> > reboot system boot 84.116.7.0 Fri Oct 19 08:26 (03:52)
> > user pts/1 reserved-multica Thu Oct 18 14:43 - 20:48 (06:05)
> > user pts/0 153.246.10.0 Thu Oct 18 14:19 - 20:48 (06:28)
> > user :0 localhost Thu Oct 18 14:06 - 20:48 (06:41)
> > reboot system boot 167.142.13.0 Thu Oct 18 14:06 (06:42)
> > user pts/0 0.sub-72-127-5.m Tue Oct 16 17:59 - 13:28 (19:29)
> > user :0 localhost Tue Oct 16 10:48 - 13:28 (1+02:40)
> > reboot system boot 178.62.7.0 Tue Oct 16 10:48 (1+02:40)
> > user pts/4 182.5.14.0 Mon Oct 15 17:01 - 20:03 (03:02)
> > user pts/1 122x215x1x0.ap12 Mon Oct 15 16:30 - 20:03 (03:33)
> > user pts/4 localhost Mon Oct 15 16:22 - 17:01 (00:38)
> > user pts/3 ALille-253-1-3-n Mon Oct 15 15:58 - 20:04 (04:05)
> > user pts/2 153.220.6.0 Mon Oct 15 15:39 - 20:03 (04:24)
> > user pts/1 176.239.11.0 Mon Oct 15 14:16 - 16:30 (02:14)
> > user pts/0 0.sub-72-110-14. Mon Oct 15 09:27 - 20:04 (10:36)
> > user :0 localhost Mon Oct 15 08:54 - 20:04 (11:09)
> >
> >
> > _______________________________________________
> > http://www.ntlug.org/mailman/listinfo/discuss
> >
>
>
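One way to run the cross-check suggested in this thread, as an added example that is not part of the original messages: it reads raw wtmp records and reports every record whose address field (the field `last -d` resolves) is set, noting whether the record could be a network login at all. The 384-byte record layout (glibc on x86-64 Linux), the verdict wording and the sample records are assumptions; the samples are constructed, with two addresses reused from the quoted output and 192.0.2.10 as a documentation address.

```python
import socket
import struct

# Assumption: glibc utmp record layout on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
USER_PROCESS = 7  # ut_type for a login session, from <utmp.h>

def text(raw):
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def addr_text(addr):
    """Render ut_addr_v6; an IPv4 address uses only its first 4 bytes."""
    if not any(addr):
        return None
    if any(addr[4:]):
        return socket.inet_ntop(socket.AF_INET6, addr)
    return socket.inet_ntoa(addr[:4])

def parse_wtmp(blob):
    """Yield (ut_type, line, host, address) for every complete record."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield f[0], text(f[2]), text(f[5]), addr_text(f[11])

def triage(records):
    """Yield (line, address, verdict) for records with a non-zero address."""
    for typ, line, host, ip in records:
        if ip is None:
            continue
        if typ != USER_PROCESS:
            verdict = "not a login record"
        elif line.startswith(":") or not host or host.startswith(":"):
            verdict = "no remote host recorded"
        else:
            verdict = "network login, cross-check daemon logs"
        yield line, ip, verdict

def sample(typ, line, host, ip):
    """Pack one constructed record (demo data, not a real wtmp entry)."""
    addr = socket.inet_aton(ip) if ip else b""
    return UTMP.pack(typ, 0, line.encode(), b"", b"user", host.encode(),
                     0, 0, 0, 0, 0, addr)

SAMPLE = (sample(2, "~", "", "40.123.8.0") + sample(7, ":0", "", None)
          + sample(7, "pts/0", ":0.0", "50.232.7.0")
          + sample(7, "pts/1", "192.0.2.10", "192.0.2.10"))

if __name__ == "__main__":
    print(*triage(parse_wtmp(SAMPLE)), sep="\n")
```

On a live system, pass the bytes of `/var/log/wtmp` to `parse_wtmp` instead of `SAMPLE`; only rows with the last verdict need matching against sshd or FTP daemon logs.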