Re: Xwindow "ghost"? - KDE



Thread: Re: Xwindow "ghost"?

  1. Re: Xwindow "ghost"?

    Geoff wrote:
    > Larry I Smith wrote:
    >> mjt wrote:
    >>
    >>> (Larry I Smith ) scribbled:
    >>>
    >>>>> .... as we say in Texas, "He's got a big hole in his screen door."
    >>>>>
    >>>>> mtobler@stimpy:~> whois 220.154.236.183
    >>>>> descr: Asia Pacific Network Information Center, Pty. Ltd.
    >>>
    >>>
    >>>> There's no network activity, and I'm behind 2 firewalls
    >>>> (one hardware and one software).
    >>>>
    >>>> Since this IP ALWAYS shows as the X IP for the currently
    >>>> logged on user, and moves from user to user as I log off
    >>>> then log on as a different user (via kdm), I'm thinking
    >>>> that it is some kind of pseudo IP used by either X or KDE.
    >>>>
    >>>> If I've been 'invaded', how do I tell, and what can I
    >>>> do about it?
    >>>
    >>> [snip]
    >>>
    >>>
    >>> http://www.chkrootkit.org/
    >>> http://www.rootkit.nl/
    >>>

    >>
    >> I ran both tools. Neither tool found anything.
    >>
    >> I'm stumped...
    >>
    >> Regards,
    >> Larry
    >>

    >
    > I get much the same thing here, though with a different ip. Haven't got
    > time now to work out what's going on and googling for the "last command"
    > is not very helpful! Logging on from a virtual terminal gives an ip of
    > 0.0.0.0
    >
    > Geoff


    It seems to be KDM causing the IP entry.
    I traced it backwards.

    First, run "last" to find the unexpected IP address that
    is logged on. Here's a snip of the output from "last -di":

    user1 :0 220.170.236.183 Thu Mar 17 13:24 still logged in

    Second, run "who" to get the PID associated with the session
    at user1:0. Here's a snip of the output from "who -H -a":

    NAME LINE TIME IDLE PID COMMENT
    user1 ? :0 Mar 17 13:24 ? 6604 (console)

    Third, run "ps" to get the process-tree. Here's a
    snip of the process-tree from "ps -ejH":

    PID PGID SID TTY TIME CMD
    1 0 0 ? 00:00:03 init

    6588 6573 4534 ? 00:00:00 kdm
    6602 6602 4534 ? 00:01:06 X
    6604 6573 4534 ? 00:00:00 kdm
    7383 7383 4534 ? 00:00:00 kde
    7418 7383 4534 ? 00:00:00 gpg-agent
    7419 7419 7419 ? 00:00:00 ssh-agent

    So, the 2nd instance of KDM holds the session belonging
    to 220.170.236.183.

    My conclusions are:

    Either KDM is putting bad data into /var/log/wtmp -or-
    'last' is interpreting the wtmp data incorrectly -or-
    KDM is doing something very non-standard.

    Regards,
    Larry

    --
    Anti-spam address, change each 'X' to '.' to reply directly.

  2. Re: Xwindow "ghost"?

    Larry I Smith wrote:

    >
    > It seems to be KDM causing the IP entry.
    > I traced it backwards.
    >
    > First, run "last" to find the unexpected IP address that
    > is logged on. Here's a snip of the output from "last -di":
    >
    > user1 :0 220.170.236.183 Thu Mar 17 13:24 still logged in
    >
    > Second, run "who" to get the PID associated with the session
    > at user1:0. Here's a snip of the output from "who -H -a":
    >
    > NAME LINE TIME IDLE PID COMMENT
    > user1 ? :0 Mar 17 13:24 ? 6604 (console)
    >
    > Third, run "ps" to get the process-tree. Here's a
    > snip of the process-tree from "ps -ejH":
    >
    > PID PGID SID TTY TIME CMD
    > 1 0 0 ? 00:00:03 init
    >
    > 6588 6573 4534 ? 00:00:00 kdm
    > 6602 6602 4534 ? 00:01:06 X
    > 6604 6573 4534 ? 00:00:00 kdm
    > 7383 7383 4534 ? 00:00:00 kde
    > 7418 7383 4534 ? 00:00:00 gpg-agent
    > 7419 7419 7419 ? 00:00:00 ssh-agent
    >
    > So, the 2nd instance of KDM holds the session belonging
    > to 220.170.236.183.
    >
    > My conclusions are:
    >
    > Either KDM is putting bad data into /var/log/wtmp -or-
    > 'last' is interpreting the wtmp data incorrectly -or-
    > KDM is doing something very non-standard.
    >
    > Regards,
    > Larry
    >


    Looks like you're right, I managed to dig these up:

    https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
    https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659
    http://bugs.mandrakelinux.com/query.php?bug=532

    It's happening on Debian sid here. My mystery ip is 112.63.253.183
    $ whois 112.63.253.183
    Unknown AS number or IP network. Please upgrade this program.

    Geoff

  3. Re: Xwindow "ghost"?

    Larry I Smith wrote:

    > It seems to be KDM causing the IP entry.
    > I traced it backwards.
    >


    A pity for your theory that the bugzilla reports are about this happening
    when gdm is the login manager which would suggest that it is a more
    fundamental problem in the particular system and not what login manager or
    desktop is used.
    I have tried FC3, Mandrake 10.1 and Suse9.1 and none have this problem. It
    would appear to be some sort of misconfiguration.


  4. Re: Xwindow "ghost"?

    Andrew Kar wrote:
    > Larry I Smith wrote:
    >
    >
    >>It seems to be KDM causing the IP entry.
    >>I traced it backwards.
    >>

    >
    >
    > A pity for your theory that the bugzilla reports are about this happening
    > when gdm is the login manager which would suggest that it is a more
    > fundamental problem in the particular system and not what login manager or
    > desktop is used.
    > I have tried FC3, Mandrake 10.1 and Suse9.1 and none have this problem. It
    > would appear to be some sort of misconfiguration.
    >


    I get these strange IPs on my small-endian machine, while not the big-endian,
    same setup on both.


    //Aho

  5. Re: Xwindow "ghost"?

    J.O. Aho wrote:
    > Andrew Kar wrote:
    >> Larry I Smith wrote:
    >>
    >>
    >>> It seems to be KDM causing the IP entry.
    >>> I traced it backwards.
    >>>

    >>
    >>
    >> A pity for your theory that the bugzilla reports are about this happening
    >> when gdm is the login manager which would suggest that it is a more
    >> fundamental problem in the particular system and not what login
    >> manager or
    >> desktop is used.
    >> I have tried FC3, Mandrake 10.1 and Suse9.1 and none have this
    >> problem. It
    >> would appear to be some sort of misconfiguration.
    >>

    >
    > I get these strange IPs on my small-endian machine, while not the
    > big-endian, same setup on both.
    >
    >
    > //Aho


    Although the Bugzilla reports concern GDM, it's also occurring
    on my KDE systems (which use KDM).
    Since it affects both GDM and KDM based systems, it would seem
    to be related to X -or- perhaps GDM and KDM were derived from
    a common code-base (in the past), causing both to exhibit
    the problem.

    At least it's nice to know the systems haven't actually been
    compromised.

    Regards,
    Larry

    --
    Anti-spam address, change each 'X' to '.' to reply directly.

  6. Re: Xwindow "ghost"?

    Larry I Smith wrote:

    > Although the Bugzilla reports concern GDM, it's also occurring
    > on my KDE systems (which use KDM).
    > Since it affects both GDM and KDM based systems, it would seem
    > to be related to X -or- perhaps GDM and KDM were derived from
    > a common code-base (in the past), causing both to exhibit
    > the problem.


    Yes, something does affect this, I would more guess the fault is somewhere
    within the X, as far as I know both KDM and GDM don't have any common code
    base. And it seems to me as if the strange ip-numbers don't appear until
    someone has logged in, at which time both KDM and GDM have stopped to interfere
    with the system. This is worth a good check up, to see from where the ip's are
    generated and get it fixed, IMHO it's a big "security" problem, what if you
    get compromised by one of the ghosted ip's or a similar one and you just ignore
    those entries as you think it's just the ghost ip's.


    //Aho
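    Larry's post 1 narrows the question to "bad data in /var/log/wtmp, or `last` misreading it", and Aho's last post asks where the addresses actually come from. The check below is an added example, not code from anyone in the thread: it decodes raw wtmp records with the glibc `struct utmp` layout used on i386/x86_64 (384 bytes per record, an assumption about the reader's platform) and shows the `ut_host` and `ut_addr_v6` fields separately, since `last -i` prints the address field rather than the host string. A record for a local line (`:0`, `tty*`) that carries a non-zero address is flagged as inconsistent. The sample records are constructed to mirror the thread's `:0` session; they are not a real capture.

    ```python
    import struct
    import ipaddress

    # glibc i386/x86_64 `struct utmp` as stored in /var/log/wtmp (384 bytes).
    # Field order from <bits/utmp.h>: type, pid, line, id, user, host, exit,
    # session, tv, addr_v6, reserved. Assumed layout, not taken from the thread.
    UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
    UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
    USER_PROCESS = 7  # ut_type for a logged-in user session

    def _cstr(field):
        return field.split(b"\0", 1)[0].decode("ascii", "replace")

    def parse_utmp_record(buf):
        """Decode one raw record into the fields `last` displays."""
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, addr, _reserved) = struct.unpack(UTMP_FMT, buf)
        # `last -i` reports ut_addr_v6: IPv4 occupies the first 4 bytes with the
        # rest zero; an all-zero field means "no address recorded".
        if addr == b"\0" * 16:
            ip = None
        elif addr[4:] == b"\0" * 12:
            ip = str(ipaddress.IPv4Address(addr[:4]))
        else:
            ip = str(ipaddress.IPv6Address(addr))
        return {"type": ut_type, "pid": pid, "line": _cstr(line),
                "user": _cstr(user), "host": _cstr(host), "ip": ip, "time": tv_sec}

    def is_ghost_entry(rec):
        """A local display or tty line should never carry a remote address."""
        local_line = rec["line"].startswith((":", "tty"))
        return (rec["type"] == USER_PROCESS and local_line and rec["ip"] is not None
                and not ipaddress.ip_address(rec["ip"]).is_loopback)

    def scan_wtmp(data):
        """Yield parsed records from raw wtmp bytes (e.g. open('/var/log/wtmp','rb').read())."""
        for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
            yield parse_utmp_record(data[off:off + UTMP_SIZE])

    def build_record(user, line, pid, host=b"", addr=b"\0" * 16):
        """Constructed test record; tv_sec is 2005-03-17 13:24 UTC."""
        return struct.pack(UTMP_FMT, USER_PROCESS, pid, line, b"", user, host,
                           0, 0, 0, 1111065840, 0, addr, b"")

    # Constructed sample: the thread's `:0` session with 220.170.236.183 sitting in
    # ut_addr_v6 and an empty ut_host, beside an ordinary console login.
    SAMPLE_WTMP = (build_record(b"user1", b":0", 6604,
                                addr=bytes([220, 170, 236, 183]) + b"\0" * 12)
                   + build_record(b"user1", b"tty1", 4200))

    if __name__ == "__main__":
        for rec in scan_wtmp(SAMPLE_WTMP):
            print(rec, "<- local line with address" if is_ghost_entry(rec) else "")
    ```

    Running it against the real file on an affected box shows whether the address is present in the record itself (the display manager wrote it) or absent (`last` is deriving it from something else).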
