foreign ip in /var/log/wtmp - Security



Thread: foreign ip in /var/log/wtmp

  1. Re: foreign ip in /var/log/wtmp

    "Moe Trin" wrote in message
    news:slrnf41lis.skf.ibuprofin@compton.phx.az.us...
    > On 8 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    > <1178614339.434155.211400@q75g2000hsh.googlegroups.com>, comolik wrote:
    >
    >>On May 7, 9:48 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:

    >
    >>> None of these three are likely to be seen on the Internet.

    >>
    >>That's my point. I don't believe that these are really ips of remote
    >>logins. but still it would be interesting to know what else that may be.

    >
    > I did a simplistic search through google for others reporting the problem
    > and came up empty - perhaps a poor choice of keywords, but it's hard to
    > say. The addresses you reported (39.6.1.0, 181.0.1.0, 79.50.8.0) are
    > suspicious in that the last digit is zero - chance or probability doesn't
    > support three in a row like that. The former Class E address that the O/P
    > reported (248.80.3.64) is also interesting. What bothers me is the
    > original posting reported this on multiple systems, but with different
    > behavior - always the same on one (or more - posting not clear) box,
    > while another sees "a lot of different ip's."
    >
    > I dunno.
    >
    > Old guy


    This has been a 'feature' for as long as I can remember - I had the same
    way back in time when using kernel 1.2.8 when I noted that all shutdowns
    came from some weird IP [0.39.1.0 I think].

    I do note that the man page for last specifically says (something like):
    " -d For non-local logins, Linux stores not only the hostname but also
    the IP number of the remote host"
    which could be taken to say that for local logins the IP field may be
    undefined.

    I cannot be bothered to trawl through the source, I just ensure that only
    a very few addresses get access to my ssh port.

    Steve



  2. Re: foreign ip in /var/log/wtmp

    ibuprofin@painkiller.example.tld (Moe Trin) writes:

    >On Tue, 08 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    >, Unruh wrote:


    >> Of course you do not give enough information that anyone could help you.
    >>What foreign IP?


    >Maybe if you used a competent newsreader that can thread articles
    >together, you might see that the addresses have been posted four times in
    >the past week. But then, who knows, you MIGHT even learn how to trim
    >posts, not top-post, etc..


    My point was that people do NOT read through back posts to figure out what
    the topic is, that when asking for help one should try hard to make each
    post self contained if you are asking for help. Otherwise people look at
    the post and pass it by since they have no idea from the post what the
    problem is. I happen to be someone who complains when something like that
    happens because I have found that things do not get fixed otherwise.
    (Obviously from this post you share that attitude.)

    Top posting is fine in some circumstances. The attitude, that one should
    always bottom post is idiotic in many situations-- I have seen far too many
    posts with a 40 line repost with a one line answer, which is off the mark
    anyway. I would rather find out what the poster thinks is new on a topic up
    front. One of the wonderful things about news posters is that they stick
    those little > symbols in front of lines so you can figure out the order of
    the post without having to resort to spatial ordering.

    Trimming I have less of a defense for, and will accept your chastisement,
    except I would far rather see a post with less trimmed off so I could
    figure out from the post itself what the post is about. There is another
    thread pointing out yesterday's Dilbert cartoon. That is what excessive
    trimming does.


    >Bill, you _really_ are acting like a luser


    > Old guy


  3. Re: foreign ip in /var/log/wtmp

    "Steve Purdy" writes:

    >"Moe Trin" wrote in message
    >news:slrnf41lis.skf.ibuprofin@compton.phx.az.us...
    >> On 8 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    >> <1178614339.434155.211400@q75g2000hsh.googlegroups.com>, comolik wrote:
    >>
    >>>On May 7, 9:48 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:

    >>
    >>>> None of these three are likely to be seen on the Internet.
    >>>
    >>>That's my point. I don't believe that these are really ips of remote
    >>>logins. but still it would be interesting to know what else that may be.

    >>
    >> I did a simplistic search through google for others reporting the problem
    >> and came up empty - perhaps a poor choice of keywords, but it's hard to
    >> say. The addresses you reported (39.6.1.0, 181.0.1.0, 79.50.8.0) are
    >> suspicious in that the last digit is zero - chance or probability doesn't
    >> support three in a row like that. The former Class E address that the O/P
    >> reported (248.80.3.64) is also interesting. What bothers me is the
    >> original posting reported this on multiple systems, but with different
    >> behavior - always the same on one (or more - posting not clear) box,
    >> while another sees "a lot of different ip's."
    >>
    >> I dunno.
    >>
    >> Old guy


    >This has been a 'feature' for as long as I can remember - I had the same
    >way back in time when using kernel 1.2.8 when I noted that all shutdowns
    >came from some weird IP [0.39.1.0 I think].


    >I do note that the man page for last specifically says (something like):
    >" -d For non-local logins, Linux stores not only the hostname but also
    >the IP number of the remote host"
    >which could be taken to say that for local logins the IP field may be
    >undefined.


    >I cannot be bothered to trawl through the source, I just ensure that only
    >a very few addresses get access to my ssh port.


    I have never seen that happen, and I have 10 machines, with users logging
    in via ssh from all over the world and locally as well.

    Note that I do find that for some things (eg dialout) I can get an entry
    like

    dialout ttyS0 /bin/bash /disk9 Mon May 7 18:07 - 18:08 (00:00)

    Ie, the IP is not an IP at all.


  4. Re: foreign ip in /var/log/wtmp

    Hey old guy,

    you are right, my writing was just poor.

    > My understanding is that should be
    > alias net-pf-10 off



    logins via ssh: "right" ip
    login via tty: 0.0.0.0 (i opened a console in runlevel 5
    with ctrl+alt+F2)
    login via kdm (GUI): root :0 220.202.235.183 (this is an excerpt
    from wtmp)
    starting xterm: root pts/7 0.0.0.0 (another excerpt)

    init 3 and then login on a tty:
    root tty1 0.0.0.0

    Bernd

    > But you also mention this is in a GUI login - what happens if you change
    > run-levels to "3", which should give a text login - you start X with
    > the 'runx' or 'startx' command after logging in if needed - but what
    > does 'last' show from that text login?
    >
    > Old guy




  5. Re: foreign ip in /var/log/wtmp

    On Tue, 8 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <4640e468$0$640$5a6aecb4@news.aaisp.net.uk>, Steve Purdy wrote:

    >"Moe Trin" wrote


    >> comolik wrote:


    >>>That's my point. I don't believe that these are really ips of remote
    >>>logins. but still it would be interesting to know what else that may be.

    >>
    >> I did a simplistic search through google for others reporting the problem
    >> and came up empty - perhaps a poor choice of keywords, but it's hard to
    >> say.


    >This has been a 'feature' for as long as I can remember - I had the same
    >way back in time when using kernel 1.2.8 when I noted that all shutdowns
    >came from some weird IP [0.39.1.0 I think].


    That very vaguely rings a bell, but looking at a couple of ancient systems
    (stock RH 2.1 and 3.0.3 running 1.2.13, RH4.2 running 2.0.33, Slack 3.4
    running a 2.0.32), I don't see this behavior, although none of these are
    using the GUI login. It looks like only RH4.2 is running PAM - don't
    know if that's a factor or not. (Later: see my other response to Bernd
    in this thread - looks like a problem with KDM.)

    >I do note that the man page for last specifically says (something like):
    >" -d For non-local logins, Linux stores not only the hostname but also
    >the IP number of the remote host"
    >which could be taken to say that for local logins the IP field may be
    >undefined.


    Looking at the IPs posted by Bernd (the O/P) and "comolik" up thread:

    who       reported          in hex
    Bernd:    248.80.3.64       F8 50 03 40
    Bernd:    220.202.235.183   DC CA EB B7
    comolik:  39.6.1.0          27 06 01 00
    comolik:  181.0.1.0         B5 00 01 00
    comolik:  79.50.8.0         4F 32 08 00

    I was hoping to see something that resembles ASCII there, but obviously
    no cigar.

    >I cannot be bothered to trawl through the source


    My C skills are "emergency only"

    >I just ensure that only a very few addresses get access to my ssh port.


    Same here, plus the fact that I moved the server to a port out in na-na-land
    so that zombies and skript kiddiez are less likely to be banging on it.

    Old guy

  6. Re: foreign ip in /var/log/wtmp

    On 9 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1178732663.389381.144300@o5g2000hsb.googlegroups.com>, Bernd wrote:

    >you are right, my writing was just poor.


    OK - I just wanted to be sure ;-)

    >logins via ssh: "right" ip


    OK ssh logs via one process

    >login via tty: 0.0.0.0 (i opened a console in runlevel 5
    >with ctrl+alt+F2)


    That's a separate logging process - and _doesn't_ involve the GUI
    display manager.

    >login via kdm (GUI): root :0 220.202.235.183 (this is an excerpt
    >from wtmp)


    OK - it's the stupid KDE Display manager that's the problem. That
    clears up a few misconceptions.

    >starting xterm: root pts/7 0.0.0.0 (another excerpt)


    OK - I'm not an X or KDE expert, but I think I see where the problem
    might be. In a non-GUI login, you load/run the kernel, then run
    init. /sbin/init runs stuff according to the /etc/inittab, and it
    runs something like

    # Run gettys in standard runlevels
    1:12345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3

    You may have six to twelve lines like this - and these cause the
    kernel to run mingetty at the virtual terminal. Mingetty execs
    /bin/login to log in the users - making entries in wtmp, reading
    the password file to see what shell to use, and where to drop the
    user so that something useful can be done. The shell reads its
    startup scripts (bash looking at /etc/profile, ~/bash_profile, and
    so on) and "Presto" - you've got a shell prompt as the UNIX Ghods
    intended ;-)

    However, people find the command line difficult, and want the GUI. On
    this system (not running a configured GUI, but this is what was set up
    eons ago) there is a line

    # Run xdm in runlevel 5
    x:5:respawn:/usr/bin/X11/xdm -nodaemon

    In your case, you are calling KDM. This mess replaces the mingetty,
    /bin/login, shell startup scripts with a unified program all on its
    own. /bin/login is the file that writes to /var/log/wtmp in a non-GUI
    login, and something _else_ does this in a GUI - and that's apparently
    where the problem lies. (Note: This replacement program ignores the
    shell startup scripts, and instead reads from .xinitrc, and .xsession
    which drives people nuts when trying to alter their shell operation.)

    Now, what are we going to _do_ about the problem. Sorry, I don't
    know - you might get the impression that I'm a command line
    dinosaur, and don't even have Gnome or KDE installed. I'd suggest
    filing a bug report with SuSE, or with KDE and see if they can sort
    things out. There _might_ be some clues in the 'kdm' man page, but
    that's not my area of expertise. Looking at the .newsrc list on
    my news server, I see

    comp.windows.x.kde
    de.alt.comp.kde
    de.comp.os.unix.apps.kde
    gmane.comp.kde.devel.bugs

    The first one is an official Big Eight group, described as

    [compton ~]$ zgrep kde big.8.list.04.15.07.gz
    comp.windows.x.kde The K Desktop Environment.
    [compton ~]$

    For comolik, you might also look at 'linux.debian.maint.kde' which is
    a mirror of a Debian mailing list.

    Wish I could be more helpful.

    Old guy
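As an added example (not code from the thread or from any of its posters), the two observations above, the hex check Moe Trin ran on the reported addresses and his point that /bin/login and the display manager write wtmp differently, can be turned into a small Python reader for wtmp records. It assumes glibc's 384-byte struct utmp layout on x86_64 Linux and runs over a constructed sample rather than a real /var/log/wtmp; treating a USER_PROCESS record with an empty or X-display host field and a nonzero address as a display-manager artifact is an inference drawn from the thread, not a documented rule.

```python
import struct
from ipaddress import IPv4Address

# Assumed: glibc struct utmp on x86_64 Linux, 384 bytes/record (confirm against /usr/include/bits/utmp.h)
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield one dict per record. IPv4 sits in ut_addr_v6[0] (network order), rest zero."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        addr = f[11]
        ip = str(IPv4Address(addr[:4])) if addr[4:] == bytes(12) else None
        yield {"type": f[0], "line": cstr(f[2]), "user": cstr(f[4]),
               "host": cstr(f[5]), "ip": ip, "time": f[9]}

def addr_hex(dotted):
    """The thread's check: the four address bytes in hex, plus whether
    they all fall in printable ASCII (misplaced text rather than an IP)."""
    packed = IPv4Address(dotted).packed
    return " ".join(f"{b:02X}" for b in packed), all(0x20 <= b < 0x7F for b in packed)

def local_with_address(data):
    """(user, line, ip) for USER_PROCESS records with an empty or X-display host
    yet a nonzero address: sshd and /bin/login fill ut_host for real remote logins."""
    hits = []
    for r in parse_wtmp(data):
        if r["type"] != USER_PROCESS or r["ip"] in (None, "0.0.0.0"):
            continue
        if r["host"] == "" or r["host"].startswith(":"):
            hits.append((r["user"], r["line"], r["ip"]))
    return hits

def make_rec(user, line, host, ip, when=1178560000):
    """Constructed record for the sample below (not taken from a real wtmp)."""
    addr = IPv4Address(ip).packed + bytes(12)
    return struct.pack(UTMP_FMT, USER_PROCESS, 4242, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, when, 0, addr)

# Constructed sample: an ssh login, a console login on tty1, and a KDM
# entry shaped like the thread's "root :0 220.202.235.183" excerpt.
SAMPLE = b"".join([
    make_rec("bernd", "pts/3", "203.0.113.9", "203.0.113.9"),
    make_rec("root", "tty1", "", "0.0.0.0"),
    make_rec("root", ":0", ":0", "220.202.235.183"),
])
```

Running `local_with_address(open("/var/log/wtmp", "rb").read())` on a real box lists only the display-manager style entries, so the ssh logins with a matching hostname drop out of the noise.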
