foreign ip in /var/log/wtmp - Security


Thread: foreign ip in /var/log/wtmp

  1. foreign ip in /var/log/wtmp

    hello,

    I noticed foreign IPs in /var/log/wtmp, using last -i.
    For example:
    mayer    :0     248.80.3.64      Tue Apr 24 13:39   still logged in
    dietrich :0     248.80.3.64      Tue Apr 24 13:06 - 13:36  (00:29)
    dietrich :0     248.80.3.64      Tue Apr 24 13:05 - 13:06  (00:00)

    another machine:
    anhthu   :0     220.202.235.183  Thu May  3 10:43   still logged in
    anhthu   pts/0  0.0.0.0          Wed May  2 15:58 - 15:58  (00:00)
    anhthu   :0     220.202.235.183  Wed May  2 15:58 - 15:58  (00:00)

    These logins happened directly in front of the machine.

    I noticed that on different machines using different SuSE versions,
    from 9.1 to 9.3.
    One of these machines is just a test environment which does not have
    any connection to the outside.
    On some machines it is always the same IP, on another a lot of
    different IPs.
    The foreign IP always appears only while doing an X login (xdm or kdm).
    Logins via ssh are always tracked with the right IP.

    First I thought that maybe the X server is causing that. But we have
    different versions of X running, even using XFree86 and X.org. I checked
    the md5 sums of the packages; they are OK.
    I posted this problem already in a German mailing list, but did not get
    a sufficient answer. But some people there experienced the same
    problem.
    I don't think that I'm hacked, but I would very much like to know where
    these foreign IPs come from.
    Thank you for every hint.
    Bernd


  2. Re: foreign ip in /var/log/wtmp

    On 3 May 2007 02:05:55 -0700, Bernd wrote:
    > hello,
    >
    > i realized foreign ip's in /var/log/wtmp, using last -i.
    > For example:
    > mayer :0 248.80.3.64 Tue Apr 24 13:39 still logged in
    > dietrich :0 248.80.3.64 Tue Apr 24 13:06 - 13:36 (00:29)
    > dietrich :0 248.80.3.64 Tue Apr 24 13:05 - 13:06 (00:00)
    >
    > another machine:
    > anhthu :0 220.202.235.183 Thu May 3 10:43 still logged in
    > anhthu pts/0 0.0.0.0 Wed May 2 15:58 - 15:58 (00:00)
    > anhthu :0 220.202.235.183 Wed May 2 15:58 - 15:58 (00:00)
    >
    > These logins happened directly in front of the machine.


    "Directly in front of the machine" . . . What does that
    mean? How do you know?

    > I realized that on different machines using different SuSE-versions,
    > from 9.1 to 9.3.
    > One of these machines is just a test environment which does not have
    > any connection from the outside.


    How would a machine with no connection to the outside know of
    the existence of an IP address like 220.202.235.183 ?

    > On some machines it is always the same ip, on another a lot of
    > different ip's.
    > The foreign IP always appears only while doing an x-login (xdm or kdm).
    > Logins via ssh are always tracked with the right ip.
    >
    > First i thought that maybe the X-Server is causing that. But we have
    > different versions of X running, even using xfree and xorg. I checked
    > the md5-sums of the packages, they are o.k.
    > I posted this problem already in a german mailinglist, but did not get
    > a sufficient answer. But some people there experienced the same
    > problem.
    > I don't think that i'm hacked, but i liked very much to know from
    > where these foreign ip's come.


    Are "mayer" and "dietrich" and "anhthu" real, authorized users' names?
    Can you ask them (without using the compromised computer's email) whether
    they're logged in?

    Do you know that you can ask dnsstuff.com for information about IP
    addresses? It appears that 220.202.235.183 belongs to someone in
    China -- not a good omen for you.

    I am not so expert as many on this group, but unless Mayer and
    Dietrich and Anhthu can tell you why they appear to be coming from
    unexpected places, I think you've been compromised.

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  3. Re: foreign ip in /var/log/wtmp

    hello Peter,

    >
    > "Directly in front of the machine" . . . What does that
    > mean? How do you know?

    That means using the keyboard and mouse which are attached to these
    machines.
    I know that because I did it myself several times.


    >
    > How would a machine with no connection to the outside know of
    > the existence of an IP address like 220.202.235.183 ?

    That's the question I'm asking here.


    > Are "mayer" and "dietrich" and "anhthu" real, authorized users' names?

    Yes, they are.
    > Can you ask them (without using the compromised computer's email) whether
    > they're logged in?

    I can and I did; they are sitting beneath me. The entries shown by
    last -i match their logins exactly. But only logins using X.
    When they log in via ssh, I see the right IPs (from our network, matching
    the right hosts).
    >
    > Do you know that you can ask dnsstuff.com for information about IP
    > addresses? It appears that 220.202.235.183 belongs to someone in
    > China -- not a good omen for you.

    I know that; I did it with whois on the shell.
    > I am not so expert as many on this group, but unless Mayer and
    > Dietrich and Anhthu can tell you why they appear to be coming from
    > unexpected places, I think you've been compromised.

    I don't think so (although I don't know where these IPs come
    from).
    I tested netstat -anp often, and don't see any connection to these
    IPs.
    I ran tcpdump during the logins, and no packets go to or come from that
    IP.
    I also DISCONNECTED the network cable on one machine, logged on
    directly, and afterwards saw the foreign IP again (WITHOUT A NETWORK
    CABLE!)
    So I don't believe I'm compromised, but of course I wonder very much
    where/what these IPs come from.
    Do you have any idea/suggestion?

    Bernd




  4. Re: foreign ip in /var/log/wtmp

    On 3 May 2007 08:58:52 -0700, Bernd wrote:
    [snip]
    >>
    >> I am not so expert as many on this group, but unless Mayer and
    >> Dietrich and Anhthu can tell you why they appear to be coming from
    >> unexpected places, I think you've been compromised.

    >
    > I don't think so (although i don't know from where these
    > ip's come from). I tested netstat -anp often, and don't
    > see any connection to these ip's. I ran tcpdump during
    > the logins, and no packets go or come from that ip. I
    > also DISCONNECTED the network cable on one machine, logged
    > on directly, and saw afterwards again the foreign IP (WITHOUT
    > A NETWORK CABLE !) So i don't believe i'm compromised,
    > but of course i wonder very much from where/what these
    > ip's come. Do you have any idea/suggestion ?


    You make a pretty convincing argument, and I admit I'm no longer
    at all sure that you have been compromised. Unfortunately, I also
    have to admit that you know as much about this business as I, so
    I might have little to contribute. My best guess would be that
    the utmp logging (or wtmp logging?) might be done by different
    processes depending on the type of login, and that one of those
    processes might be defective, e.g., using an out-of-date utmp.h
    file.

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  5. Re: foreign ip in /var/log/wtmp

    On Thu, 03 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    , Peter Pearson wrote:

    >On 3 May 2007 02:05:55 -0700, Bernd wrote:
    >
    >> i realized foreign ip's in /var/log/wtmp, using last -i.
    >> For example:
    >> mayer :0 248.80.3.64 Tue Apr 24 13:39 still logged in
    >> dietrich :0 248.80.3.64 Tue Apr 24 13:06 - 13:36 (00:29)
    >> dietrich :0 248.80.3.64 Tue Apr 24 13:05 - 13:06 (00:00)
    >>
    >> another machine:
    >> anhthu :0 220.202.235.183 Thu May 3 10:43 still logged in
    >> anhthu pts/0 0.0.0.0 Wed May 2 15:58 - 15:58 (00:00)
    >> anhthu :0 220.202.235.183 Wed May 2 15:58 - 15:58 (00:00)


    >How would a machine with no connection to the outside know of
    >the existence of an IP address like 220.202.235.183 ?


    I _STRONGLY_ believe this is an error - or do you want to tell us
    where 248.80.3.64 is located? I wonder if this might be related
    to IPv6. To the O/P, what are the IPv6 addresses of these boxes?
    Try '/sbin/ifconfig -a' to find out. Do you see these character strings
    _within_ the IPv6 addresses? (I'm thinking about the IPv5 Link-Local
    addresses like FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx - these are in
    hex, so the 248.80.3.64 would be 'F8 50 3 40', and 220.202.235.183 would
    be 'DC CA EB B7'.)

    Old guy

  6. Re: foreign ip in /var/log/wtmp

    On 4 May, 22:14, ibupro...@painkiller.example.tld (Moe Trin) wrote:

    >
    > I _STRONGLY_ believe this is an error - or do you want to tell us
    > where 248.80.3.64 is located? I wonder if this might be related
    > to IPv6. To the O/P, what are the IPv6 addresses of these boxes?
    > Try '/sbin/ifconfig -a' to find out. Do you see these character strings
    > _within_ the IPv6 addresses? (I'm thinking about the IPv5 Link-Local
    > addresses like FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx - these are in
    > hex, so the 248.80.3.64 would be 'F8 50 3 40', and 220.202.235.183 would
    > be 'DC CA EB B7'.)
    >
    > Old guy


    Hey old guy,

    here are the results:
    On the machine with 220.202.235.183 in wtmp:
    pc51329:~ # ifconfig -a
    eth0 inet6 addr: fe80::211:11ff:fe5e:85b3/64 Scope:Link

    On the machine with 248.80.3.64 in wtmp:
    pc51332:~ # ifconfig -a
    eth0 inet6 addr: fe80::211:11ff:fe3f:3aa3/64 Scope:Link

    so, no hit.

    Should I try to switch off IPv6 shortly, for testing, and then log in
    again?
    I think we don't need it in our network (who actually does?)
    How can I do that?
    Bernd
    BTW: What does O/P mean?


  7. Re: foreign ip in /var/log/wtmp

    Bernd wrote:


    > i realized foreign ip's in /var/log/wtmp, using last -i.
    > For example:
    > mayer :0 248.80.3.64 Tue Apr 24 13:39 still logged in
    > dietrich :0 248.80.3.64 Tue Apr 24 13:06 - 13:36 (00:29)
    > dietrich :0 248.80.3.64 Tue Apr 24 13:05 - 13:06 (00:00)
    >
    > another machine:
    > anhthu :0 220.202.235.183 Thu May 3 10:43 still logged in
    > anhthu pts/0 0.0.0.0 Wed May 2 15:58 - 15:58 (00:00)
    > anhthu :0 220.202.235.183 Wed May 2 15:58 - 15:58 (00:00)


    > The foreign always appears only while doing an x-login (xdm or kdm).
    > Login's via ssh are always tracked with the right ip.


    The only other points I'd like to mention (that I haven't seen mentioned yet) are:

    * possible SSH forwarding/X forwarding being abused here? Think about ssh configs
    such as:

    AllowTcpForwarding
    GatewayPorts
    X11Forwarding
    X11DisplayOffset
    X11UseLocalhost


    * there was/were a number of holes in recent X Window.

    When you say you pulled the network connections but the IP addresses remain, then either

    - your resolver is broken (listing wrong addresses) or misconfigured

    - there is another interface you've overlooked (maybe wireless?)

    - the logging system is malfunctioning. Since it reports correctly (or
    seems to) everything but only those few IP addresses are out of place,
    this seems unlikely.

    - possibly a user has changed network parameters...you may be looking
    for ipv4 connections when someone set up an ipv6 and/or tunnel
    interface? Without sitting at the machine I can only guess about your
    setup.

    - something really weird is going on


    > I don't think that i'm hacked, but i liked very much to know from
    > where these foreign ip's come.



    The Chinanet address is highly suspicious. I had so many SSH attack
    attempts from there (and other attacks) that I finally ended up
    dropping all traffic from the area.

    Remember if you are hacked, you can't trust the output of the tools on
    any system connected with the system in question and obviously not the
    system itself. Connections or processes can be hidden, logs might be
    edited or wiped.


    Do you have the 'lsof' tool? When the suspicious IP address shows up, use
    lsof -i4 -n | grep to find the PID. Then strace -p
    PID and see just what it's doing. I'd run a sniffer in promiscuous mode
    in a location that could see all traffic in and out, possibly on the
    box that is routing.



  8. Re: foreign ip in /var/log/wtmp

    On 5 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1178379201.268595.37920@q75g2000hsh.googlegroups.com>, Bernd wrote:

    > ibupro...@painkiller.example.tld (Moe Trin) wrote:


    >> (I'm thinking about the IPv5 Link-Local addresses like
    >> FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx - these are in hex, so the
    >> 248.80.3.64 would be 'F8 50 3 40', and 220.202.235.183 would be
    >> 'DC CA EB B7'.)


    >On the machine with 220.202.235.183 in wtmp:
    >pc51329:~ # ifconfig -a
    >eth0 inet6 addr: fe80::211:11ff:fe5e:85b3/64 Scope:Link
    >
    >On the machine with 248.80.3.64 in wtmp:
    >pc51332:~ # ifconfig -a
    >eth0 inet6 addr: fe80::211:11ff:fe3f:3aa3/64 Scope:Link
    >
    >so, no hit.


    Agreed - not even if you shift the bits about. Well, it was a guess.

    >Should i try to switch off IPv6 shortly, for testing, and then login
    >again ?


    It's fairly simple to do - so it might be worth a shot.

    >I think we don't need it in our network (who actually does ?)


    [compton ~]$ zgrep -c DE IPv6.current.data.gz
    128
    [compton ~]$

    While Germany does have 128 IPv6 assignments/allocations, and Europe is
    in the lead of IPv6 deployment, the fact that your systems have only
    the Link Local addresses (fe80: as opposed to a 2xxx address)

    [compton ~]$ zgrep -c DE IPv6.current.data.gz | cut -d' ' -f2 | cut -d':' -f1 | uniq -c | column
    115 2001 1 2003 1 2a00 11 2a01
    [compton ~]$

    suggests you are not connected to an IPv6 capable upstream.

    >How can i do that ?


    I'm not using SuSE, but this should be a setting in YaST. Try looking
    at groups.google.com in the alt.os.linux.suse or alt.linux.suse
    newsgroups.

    >BTW: What means O/P ?


    http://www.acronymfinder.com/af-query.asp?Acronym=O/P

    Original Poster

    Old guy


  9. Re: foreign ip in /var/log/wtmp

    On Sat, 05 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <133q23todpmg3fe@corp.supernews.com>, jayjwa@hotmail.com wrote:

    >Bernd wrote:


    >> mayer :0 248.80.3.64 Tue Apr 24 13:39 still logged in


    >> another machine:
    >>
    >> anhthu :0 220.202.235.183 Thu May 3 10:43 still logged in


    >The only other points I'd like to mention (that I haven't seen mentioned
    >yet) are:
    >
    >* possible SSH forwarding/X forwarding being abused here?


    Re-read his responses - the IPs appear in the log when the network cable
    is disconnected as well.

    >The Chinanet address is highly suspicious.


    And where is the "248.80.3.64" address coming from?

    >I had so many SSH attack attempts from there (and other attacks) that I
    >finally ended up dropping all traffic from the area.


    Are you a world traveler, subject to being located in any country at a
    moment's notice? If not, then why are you accepting SSH connections
    from a place you will never be located? See my responses in the thread
    "any way to confirm break-in?" from about a week ago - I allow SSH
    connections from exactly 1545 IP addresses (a /22, two /24s, and nine
    specific hosts) ONLY. If I'm going on a trip and need to allow access
    from other addresses, I can do so - but for now - 1545 addresses.

    >Do you have 'lsof' tool? When the suspicious IP address shows up, use
    >lsof -i4 -n | grep to find the PID.


    Now that's a very good point - one that I missed, although I'd initially
    skip the pipe to grep.

    Old guy


  10. Re: foreign ip in /var/log/wtmp

    hello,

    first thanks for all your contribution.
    I'm glad about getting answers and suggestions.
    Next I will switch off IPv6 and see what's going on. I will post the
    results here. But it might take a short while.

    >Do you have 'lsof' tool? When the suspicious IP address shows up, use
    >lsof -i4 -n | grep to find the PID.


    I checked several times with netstat -anp. This should be the same?
    There was no connection to this IP.

    >And where is the "248.80.3.64" address coming from?


    This is a special address range for experimental reasons, e.g.
    Multicast.
    See http://www.faqs.org/docs/linux_netwo...addresses.html

    >- there is another interface you've overlooked (maybe wireless?)

    Definitely no WLAN card in these machines.

    >I'd run a sniffer in promiscuous mode
    >in a location that could see all traffic in and out, possibly on the
    >box that is routing.

    I did that already with tcpdump during the logins (which always end in
    logging the foreign IP).
    But I didn't see any packet to or from that IP.

    I will post further results here.
    Maybe you have other suggestions.
    Thanks again.

    Bernd






  11. Re: foreign ip in /var/log/wtmp

    On May 3, 5:05 am, Bernd wrote:
    > i realized foreign ip's in /var/log/wtmp, using last -i.
    > For example:
    > mayer :0 248.80.3.64 Tue Apr 24 13:39 still logged in
    > dietrich :0 248.80.3.64 Tue Apr 24 13:06 - 13:36 (00:29)
    > dietrich :0 248.80.3.64 Tue Apr 24 13:05 - 13:06 (00:00)


    Hey Bernd,

    I just wanted to say that I do also see foreign IPs in the output of
    'last -i'. My machine is mostly used as a desktop environment, so
    logins by remote users are rather uncommon.
    The fact that, according to 'last -i', even reboots are caused by
    remote sessions (which definitely is wrong) leads me to the
    assumption that maybe 'last' is broken.

    Here is some example output of 'last -i':
    user1    pts/0        0.0.0.0     Wed May  2 14:07 - 14:27  (00:20)
    user1    tty6         39.6.1.0    Wed May  2 13:33 - 15:14  (01:41)
    root     tty1         181.0.1.0   Wed May  2 13:33 - 01:00  (11:27)
    user1    :0           0.0.0.0     Wed May  2 13:32 - down   (12:18)
    reboot   system boot  79.50.8.0   Wed May  2 13:30 - 01:50  (12:20)
    user1    tty8         0.0.0.0     Wed May  2 02:59 - 03:09  (00:10)

    As you can see, mostly local virtual consoles (tty1-8) are opened by
    remote logins. AFAIK this again is not possible. :0 and pts/0 are X11
    logins, so at least it is not related to the X server.

    Just wanted to share my experiences with you.

    greetings,
    comolik


  12. Re: foreign ip in /var/log/wtmp

    On 7 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1178524078.761297.70060@u30g2000hsc.googlegroups.com>, Bernd wrote:

    >>Do you have 'lsof' tool? When the suspicious IP address shows up, use
    >>lsof -i4 -n | grep to find the PID.

    >
    >I checked several time with netstat -anp. This should be the same ?
    >There was no connection to this ip.


    I think 'lsof' might be more versatile, but netstat, lsof and fuser
    will only show useful information while a connection exists.

    >>And where is the "248.80.3.64" address coming from?

    >
    >This is a special address range for experimental reasons, e.g.
    >Multicast.
    >See http://www.faqs.org/docs/linux_netwo...addresses.html


    From RFC3330

    240.0.0.0/4 - This block, formerly known as the Class E address
    space, is reserved. The "limited broadcast" destination address
    255.255.255.255 should never be forwarded outside the (sub-)net of
    the source. The remainder of this space is reserved for future use.
    [RFC1700, page 4]

    RFC1700 (Assigned Numbers October 1994) was replaced in October 2002
    (RFC3232) by an on-line database, and the document that seems to be
    authoritative (http://www.iana.org/assignments/ipv4-address-space)
    merely marks the block as reserved. RFC1812 (Requirements for IP
    Version 4 Routers - which retains the old definition of 240.0.0.0/4 as
    "Experimental") requires (paragraph 5.3.7 Martian Address Filtering)
    that routers "SHOULD NOT forward" such packets. RFC2827 (and 3904)
    recommend dropping packets with these addresses at perimeters, so
    the former "Class E" addresses should simply not be seen anywhere.

    Old guy

  13. Re: foreign ip in /var/log/wtmp

    On 7 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1178539039.598382.280860@h2g2000hsg.googlegroups.com>, comolik wrote:

    >I just wanted to say that i do also see foreign IPs in the output of
    >'last -i'. My machine is mostly used as desktop environment, so
    >logins by remote users are rather uncommon.


    What distribution - what release?

    >The fact, that according to 'last -i' even reboots are caused by
    >remote sessions (which definitelly is wrong) for me leads to the
    >assumption that maybe 'last' is broken.


    That is possible

    >Here is some example of output of 'last -i':


    >user1 tty6 39.6.1.0 Wed May 2 13:33 - 15:14


    >root tty1 181.0.1.0 Wed May 2 13:33 - 01:00


    >reboot system boot 79.50.8.0 Wed May 2 13:30 - 01:50


    039/8 Apr 95 IANA - Reserved
    181/8 Apr 03 IANA - Reserved
    079/8 Aug 06 RIPE NCC (whois.ripe.net)

    The range 79.0.0.0 - 79.63.255.255 is allocated to Telecom Italia Net
    operating as an ISP, but the 79.50.8.0 address does not appear to be
    allocated to an end-user. None of these three are likely to be seen
    on the Internet.

    Old guy
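Peter Pearson's guess earlier in the thread was that whatever process writes wtmp for X logins is defective, and Moe Trin's two replies above show that the addresses involved sit in ranges that should never appear on the wire. The following is an added example, not code from any poster: it reads wtmp records directly (assuming the 384-byte glibc struct utmp layout of 32- and 64-bit x86), decodes ut_addr_v6 by the same rule last -i uses, and flags records whose address field contradicts the login type (console X display, virtual console, reboot) or falls in a reserved/multicast block such as the former Class E 240/4. The sample records are constructed here from the addresses quoted in the thread; the check rules are this example's own heuristics.

```python
"""Read /var/log/wtmp records and flag entries whose address field contradicts
the kind of login, as a sanity check on what `last -i` prints."""
import ipaddress
import struct

# glibc struct utmp as laid out on 32- and 64-bit x86 (assumed here; 384 bytes):
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit status (2 shorts), ut_session, ut_tv (sec, usec as int32),
# ut_addr_v6 (16 bytes), 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS = 2, 7


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def decode_addr(raw16):
    """ut_addr_v6 holds an IPv4 in the first 4 bytes (rest zero) or a full
    IPv6; this is the rule `last -i` applies when it renders the field."""
    if raw16[4:] == bytes(12):
        return ipaddress.IPv4Address(raw16[:4])
    return ipaddress.IPv6Address(raw16)


def parse_wtmp(data):
    """Split a wtmp byte string into records (a trailing partial record is ignored)."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]),
                     "time": f[9], "addr": decode_addr(f[11])})
    return recs


def check_record(rec):
    """Reasons this record looks wrong; an empty list means it is plausible."""
    reasons = []
    addr = rec["addr"]
    if addr.is_unspecified:  # 0.0.0.0: no address was recorded, nothing to judge
        return reasons
    if rec["type"] == BOOT_TIME:
        reasons.append("boot record carries an address")
    if rec["line"].startswith(":") and not rec["host"]:
        reasons.append("local X display login carries an address but no host")
    if rec["line"].startswith("tty") and not rec["host"]:
        reasons.append("virtual console login carries an address")
    if addr.is_reserved or addr.is_multicast:  # e.g. the 240/4 former Class E block
        reasons.append(f"{addr} is reserved/multicast and should never be routed")
    try:  # when ut_host is itself an address it must agree with ut_addr_v6
        if ipaddress.ip_address(rec["host"]) != addr:
            reasons.append(f"host field {rec['host']} disagrees with {addr}")
    except ValueError:
        pass  # ut_host is empty or a hostname; nothing to compare
    return reasons


def audit(data):
    """Map (user, line) -> reasons for every record that fails a check."""
    return {(r["user"], r["line"]): why
            for r in parse_wtmp(data) if (why := check_record(r))}


def make_record(ut_type, line, user, host, addr, tv_sec, pid=1000):
    """Build one constructed record (test data, not copied from any real host)."""
    raw = ipaddress.ip_address(addr).packed.ljust(16, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, raw)


# Constructed sample: the addresses are the ones quoted in the thread, the
# users/lines mirror its `last -i` listings, the timestamps are arbitrary.
T0 = 1177414740
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "", "79.50.8.0", T0 - 3600, pid=0),
    make_record(USER_PROCESS, ":0", "mayer", "", "248.80.3.64", T0),
    make_record(USER_PROCESS, "pts/0", "anhthu", "10.1.2.3", "10.1.2.3", T0 + 60),
    make_record(USER_PROCESS, "tty6", "user1", "", "39.6.1.0", T0 + 120),
])

if __name__ == "__main__":
    # Offline run over the constructed sample; feed parse_wtmp() the bytes of
    # /var/log/wtmp to audit a real file.
    for r in parse_wtmp(SAMPLE_WTMP):
        print(r["user"], r["line"], r["addr"], check_record(r) or "ok")
```

Note that Python's is_reserved covers only 240/4, so blocks that IANA held back in 2007 (39/8, 181/8) are caught here through the console-login rule, not the range rule.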

  14. Re: foreign ip in /var/log/wtmp

    On May 7, 9:48 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
    > On 7 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    > <1178539039.598382.280...@h2g2000hsg.googlegroups.com>, comolik wrote:
    > >I just wanted to say that i do also see foreign IPs in the output of
    > >'last -i'. My machine is mostly used as desktop environment, so
    > >logins by remote users are rather uncommon.

    >
    > What distribution - what release?


    I'm running debian/unstable on this machine.

    > >The fact, that according to 'last -i' even reboots are caused by
    > >remote sessions (which definitelly is wrong) for me leads to the
    > >assumption that maybe 'last' is broken.

    >
    > That is possible
    >
    > >Here is some example of output of 'last -i':
    > >user1 tty6 39.6.1.0 Wed May 2 13:33 - 15:14
    > >root tty1 181.0.1.0 Wed May 2 13:33 - 01:00
    > >reboot system boot 79.50.8.0 Wed May 2 13:30 - 01:50

    >
    > 039/8 Apr 95 IANA - Reserved
    > 181/8 Apr 03 IANA - Reserved
    > 079/8 Aug 06 RIPE NCC (whois.ripe.net)
    >
    > The range 79.0.0.0 - 79.63.255.255 is allocated to Telecom Italia Net
    > operating as an ISP, but the 79.50.8.0 address does not appear to be
    > allocated to an end-user. None of these three are likely to be seen
    > on the Internet.


    That's my point. I don't believe that these are really IPs of remote
    logins.
    But still it would be interesting to know what else that may be.

    greetings,
    comolik


  15. Re: foreign ip in /var/log/wtmp

    Hello,

    here is the hottest news :-)
    I switched off the assigned IPv6 address from the card with:
    ifconfig eth0 inet6 del address.
    The IPv6 address disappeared, the foreign IPs shown by last did not :-(

    So I tried to remove the IPv6 module:
    rmmod -vf ipv6, after first removing another module which needed ipv6.
    No good idea, immediately after rmmod -vf ipv6 the machine stops.
    That's not a problem, it's just a testing environment.
    But how can I safely remove the IPv6 module?

    Bernd





  16. Re: foreign ip in /var/log/wtmp

    On 8 May, 15:21, Bernd wrote:

    I found it out by myself:
    In /etc/modprobe.conf I changed two entries:
    - alias sit0 ipv6 to alias sit0 off
    and
    - alias net-pf-10 ipv6 to alias net-pf-10 off

    Then a reboot, and the ipv6 module did not appear with lsmod.
    ifconfig -a showed no IPv6 address.
    Some other modules with ip6 in their names still appeared, but I could
    easily remove them with rmmod.
    Then, finally, lsmod showed nothing with ip6 or ipv6.
    But the foreign IPs in /var/log/wtmp still appeared after new logins.
    It's a shame.
    Any other idea?

    Bernd


    > But how can i safely remove the ipv6 module ?
    >
    > Bernd




  17. Re: foreign ip in /var/log/wtmp

    Of course you do not give enough information that anyone could help you.
    What foreign IP?

    Bernd writes:

    >On 8 May, 15:21, Bernd wrote:


    >I found it out by myself:
    >In /etc/modprobe.conf i changed two entries:
    >- alias sit0 ipv6 to alias sit0 off
    >and
    >- alias net-pf-10 ipv6 to alias net-pf-10 off


    >Then a reboot, and the ipv6 module did not appear with lsmod.
    >ifconfig -a showed no IPv6 address.
    >Some other modules with ip6 in their names still appeared, but i could
    >easily remove them with rmmod.
    >Then, finally, lsmod showed nothing with ip6 or ipv6.
    >But the foreign ips in /var/log/wtmp still appeared after new logins.
    >It's a shame.
    >Any other idea ?


    >Bernd



    >> But how can i safely remove the ipv6 module ?
    >>
    >> Bernd




  18. Re: foreign ip in /var/log/wtmp

    On 8 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1178614339.434155.211400@q75g2000hsh.googlegroups.com>, comolik wrote:

    >On May 7, 9:48 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:


    >> None of these three are likely to be seen on the Internet.

    >
    >That's my point. I don't believe that these are really ips of remote
    >logins. but still it would be interesting to know what else that may be.


    I did a simplistic search through google for others reporting the problem
    and came up empty - perhaps a poor choice of keywords, but it's hard to
    say. The addresses you reported (39.6.1.0, 181.0.1.0, 79.50.8.0) are
    suspicious in that the last digit is zero - chance or probability doesn't
    support three in a row like that. The former Class E address that the O/P
    reported (248.80.3.64) is also interesting. What bothers me is the
    original posting reported this on multiple systems, but with different
    behavior - always the same on one (or more - posting not clear) box,
    while another sees "a lot of different ip's."

    I dunno.

    Old guy

  19. Re: foreign ip in /var/log/wtmp

    On 8 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1178644856.638713.154140@y80g2000hsf.googlegroups.com>, Bernd wrote:

    >I found it out by myself:
    >In /etc/modprobe.conf i changed two entries:
    >- alias sit0 ipv6 to alias sit0 off
    >and
    >- alias net-pf-10 ipv6 to alias net-pf-10 off


    My understanding is that should be

    alias net-pf-10 off

    >Then a reboot, and the ipv6 module did not appear with lsmod.
    >ifconfig -a showed no IPv6 address.
    >Some other modules with ip6 in their names still appeared, but i could
    >easily remove them with rmmod.
    >Then, finally, lsmod showed nothing with ip6 or ipv6.


    OK - I was going to suggest that, but you've gotten ahead of me ;-)

    >But the foreign ips in /var/log/wtmp still appeared after new logins.
    >It's a shame.


    Damn.

    >Any other idea ?


    I'm not sure whether a strace may or may not help - I'll admit that I'm
    running out of ideas. This smells quite strongly of a problem with
    whatever is writing to wtmp, but what? That's normally a login
    process. As I recall, you reported differences in the wtmp entries
    between logging in via ssh versus logging in over the console. But
    you also mention this is in a GUI login - what happens if you change
    run-levels to "3", which should give a text login - you start X with
    the 'runx' or 'startx' command after logging in if needed - but what
    does 'last' show from that text login?

    Old guy

  20. Re: foreign ip in /var/log/wtmp

    On Tue, 08 May 2007, in the Usenet newsgroup comp.os.linux.security, in article
    , Unruh wrote:

    > Of course you do not give enough information that anyone could help you.
    >What foreign IP?


    Maybe if you used a competent newsreader that can thread articles
    together, you might see that the addresses have been posted four times in
    the past week. But then, who knows, you MIGHT even learn how to trim
    posts, not top-post, etc.

    Bill, you _really_ are acting like a luser

    Old guy
