KDM Uses Bogus Remote-Logon IP's??? - KDE



Thread: KDM Uses Bogus Remote-Logon IP's???

  1. KDM Uses Bogus Remote-Logon IP's???

    I thought I'd been hacked... But it appears to be a
    problem with KDM putting bogus remote login info in
    /var/log/wtmp.

    Other folks have reported the same problem.
    The only thing that varies is the IP address,
    but they all seem to start with 220.

    'last -di' always shows a logged in connection
    for IP 220.170.236.183 whenever I have a KDE desktop running.
    If I log out, then login as a different user, the 220.170.236.183
    then shows up as the X session under the newly logged on
    user - and no longer under the other user (e.g. the 220.170.236.183
    'connection' moves from user to user depending on which user is
    running a KDE session.

    I would expect the X session to show up as a local connection
    (127...) rather than the 220... IP, or even as my eth0 IP
    192.168.1.100, or as 0.0.0.0.

    There's no network activity, and I'm behind 2 firewalls
    (one hardware and one software).

    I've checked for a 'rootkit'. Both 'rkhunter' and 'chkrootkit'
    say my system is clean.

    The problem IP 'logon' exists even with the network disabled.
    That should be impossible. Here's what I did:

    1) shutdown linux and power-off the pc
    3) turn off the DSL modem
    4) power-on pc
    5) waited for the 'kdm' GUI logon screen
    6) started a terminal as root (ctrl-alt-f2)
    7) from the terminal 'last -di' shows NO IP connections
    8) switch back to kdm screen and logon as 'user1'
    9) switch back to the terminal and run 'last -di'
    10) 'last -di' now shows a 'still logged in' entry
    for 220.170.236.183. here's a snip of the output:

    user1 pts/1 0.0.0.0 Thu Mar 17 12:18 still logged in
    user1 pts/0 0.0.0.0 Thu Mar 17 12:07 still logged in
    user1 :0 220.170.236.183 Thu Mar 17 12:07 still logged in

    The third line of the 'last -di' output should not be there;
    the DSL modem is turned off and there are no other pc's on my
    small (home) network.

    I traced it backwards, and it seems to be KDM causing the IP entry.

    First, run "last -di" to find the unexpected IP address that
    is logged on. Here's a snip of the output from "last -di":

    user1 :0 220.170.236.183 Thu Mar 17 13:24 still logged in

    Second, run "who" to get the PID associated with the session
    at user1:0. Here's a snip of the output from "who -H -a":

    NAME LINE TIME IDLE PID COMMENT
    user1 ? :0 Mar 17 13:24 ? 6604 (console)

    Third, run "ps" to get the process-tree. Here's a
    snip of the process-tree from "ps -ejH":

    PID PGID SID TTY TIME CMD
    1 0 0 ? 00:00:03 init

    6588 6573 4534 ? 00:00:00 kdm
    6602 6602 4534 ? 00:01:06 X
    6604 6573 4534 ? 00:00:00 kdm
    7383 7383 4534 ? 00:00:00 kde
    7418 7383 4534 ? 00:00:00 gpg-agent
    7419 7419 7419 ? 00:00:00 ssh-agent

    So, the 2nd instance of KDM (PID 6604) holds the session
    belonging to 220.170.236.183.

    My conclusions are, either:

    1) KDM is putting bad data into /var/log/wtmp -or-
    2) 'last' is interpreting the wtmp data incorrectly -or-
    3) KDM is doing something very non-standard.


    Does anyone know what's going on here?

    Why should KDM use such a bogus IP?
    An entry like that makes it hard to tell if you've been hacked.

    Is this a KDM issue (other folks report a similar problem),
    or have I really been 'hacked'?

    Thanks & Regards,
    Larry

    --
    Anti-spam address, change each 'X' to '.' to reply directly.

  2. Re: KDM Uses Bogus Remote-Logon IP's???

    Larry I Smith wrote:

    > I thought I'd been hacked... But it appears to be a
    > problem with KDM putting bogus remote login info in
    > /var/log/wtmp.
    >
    > Other folks have reported the same problem.
    > The only thing that varies is the IP address,
    > but they all seem to start with 220.
    >
    > 'last -di' always shows a logged in connection
    > for IP 220.170.236.183 whenever I have a KDE desktop running.
    > If I log out, then login as a different user, the 220.170.236.183
    > then shows up as the X session under the newly logged on
    > user - and no longer under the other user (e.g. the 220.170.236.183
    > 'connection' moves from user to user depending on which user is
    > running a KDE session.


    My system does not show this issue. No bogus logins, all what I would
    expect.

  3. Re: KDM Uses Bogus Remote-Logon IP's???

    matt_left_coast wrote:
    > Larry I Smith wrote:
    >
    >>I thought I'd been hacked... But it appears to be a
    >>problem with KDM putting bogus remote login info in
    >>/var/log/wtmp.
    >>
    >>Other folks have reported the same problem.
    >>The only thing that varies is the IP address,
    >>but they all seem to start with 220.
    >>
    >>'last -di' always shows a logged in connection
    >>for IP 220.170.236.183 whenever I have a KDE desktop running.
    >>If I log out, then login as a different user, the 220.170.236.183
    >>then shows up as the X session under the newly logged on
    >>user - and no longer under the other user (e.g. the 220.170.236.183
    >>'connection' moves from user to user depending on which user is
    >>running a KDE session.

    >
    > My system does not show this issue. No bogus logins, all what I would
    > expect.


    Well, it appears to be a known bug in Redhat, Mandrake, Debian sid,
    and now SuSE.

    Here's Geoff's reply copied from the previous thread titled
    "Re: Xwindow ghost":



    Looks like your (sic) right, I managed to dig these up:

    https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
    https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659
    http://bugs.mandrakelinux.com/query.php?bug=532

    It's happening on Debian sid here. My mystery ip is 112.63.253.183
    $ whois 112.63.253.183
    Unknown AS number or IP network. Please upgrade this program.

    Geoff



    I hope it gets fixed, since it leads one to believe the
    system has been compromised. Sadly, it's been in Bugzilla
    since at least January 2003...

    Regards,
    Larry

    --
    Anti-spam address, change each 'X' to '.' to reply directly.
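    A defender's check for the symptom described in this thread, added here as an example (it is not code from the thread, from KDM or from X): parse raw wtmp records in glibc's struct utmp layout and flag local X display logins (line ":0") whose ut_addr_v6 field is non-zero, which is what `last -i` turns into the "remote" address. The sample records are constructed to mirror Larry's `last -di` output; the little-endian decode is included because both addresses quoted in the thread end in .183 (top byte 0xb7 when read as a 32-bit word), which is consistent with, but not proof of, an uninitialised address field holding a leftover pointer.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Layout of glibc's struct utmp on Linux (384 bytes), see utmp(5):
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host,
# ut_exit (2 shorts), ut_session, ut_tv (2 x int32), ut_addr_v6, unused
UTMP_FMT = "<h2xi32s4s32s256shhi2i16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def addr_to_str(addr: bytes) -> str:
    """Render ut_addr_v6 the way 'last -i' does: IPv4 when the upper 12 bytes are zero."""
    if addr[4:] == b"\0" * 12:
        return socket.inet_ntoa(addr[:4])
    return socket.inet_ntop(socket.AF_INET6, addr)

def addr_as_le_u32(addr: bytes) -> int:
    """The same four bytes read as a little-endian word (how a leftover x86 pointer would look)."""
    return struct.unpack("<I", addr[:4])[0]

def parse_wtmp(data: bytes) -> List[Dict]:
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
                     "host": _cstr(f[5]), "time": f[9], "addr": f[11]})
    return recs

def suspicious_display_logins(recs: List[Dict]) -> List[Tuple[str, str, str]]:
    """Local X display sessions (ut_line ':N') that nevertheless carry a non-zero address."""
    return [(r["user"], r["line"], addr_to_str(r["addr"])) for r in recs
            if r["type"] == USER_PROCESS and r["line"].startswith(":") and r["addr"] != b"\0" * 16]

def make_record(user: str, line: str, host: str, addr4: bytes = b"\0\0\0\0", pid: int = 0) -> bytes:
    """Constructed sample record (not real wtmp data)."""
    return struct.pack(UTMP_FMT, USER_PROCESS, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, 0, 0, addr4 + b"\0" * 12, b"")

# Constructed to mirror the three 'last -di' lines in the first post.
SAMPLE_WTMP = (make_record("user1", "pts/1", "") + make_record("user1", "pts/0", "")
               + make_record("user1", ":0", ":0", bytes([220, 170, 236, 183]), pid=6604))

if __name__ == "__main__":
    for user, line, ip in suspicious_display_logins(parse_wtmp(SAMPLE_WTMP)):
        word = addr_as_le_u32(socket.inet_aton(ip))
        print(f"{user} {line} {ip}  (bytes as LE u32: 0x{word:08x})")
```

Running it against a real /var/log/wtmp (`parse_wtmp(open("/var/log/wtmp", "rb").read())`) lists every display-manager session whose address field should have been zero.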

  4. Re: KDM Uses Bogus Remote-Logon IP's???

    Larry I Smith wrote:

    > Is this a KDM issue (other folks report a similar problem),
    > or have I really been 'hacked'?


    Since you read the "ghost" thread you know very well that it is not caused
    by KDM as it happens to people that are using GDM, XDM or KDM which
    suggests that either those people have some misconfiguration in X or their
    network authority/ security files.
    As to whether you have been hacked or not I don't know. I would watch all
    outgoing connections when I am online because I do know that some trojans
    on Windows have exhibited similar behaviour with changing non-existing
    IP's.

    andrew


  5. Re: KDM Uses Bogus Remote-Logon IP's???

    Andrew Kar wrote:
    > Larry I Smith wrote:
    >
    >>Is this a KDM issue (other folks report a similar problem),
    >>or have I really been 'hacked'?

    >
    > Since you read the "ghost" thread you know very well that it is not caused
    > by KDM as it happens to people that are using GDM, XDM or KDM which
    > suggests that either those people have some misconfiguration in X or their
    > network authority/ security files.
    > As to whether you have been hacked or not I don't know. I would watch all
    > outgoing connections when I am online because I do know that some trojans
    > on Windows have exhibited similar behaviour with changing non-existing
    > IP's.
    >
    > andrew
    >


    Yes, the bugzilla report is quite old.
    The problem appears to be X related.

    Regards,
    Larry

    --
    Anti-spam address, change each 'X' to '.' to reply directly.
