Jon Clausen wrote:
> 
> Hi list
> 
> I've been monitoring the list for a while now. Seems there are some very
> knowledgeable people here. Originally I was going to ask about some
> vpn-stuff, but then this happened:
> 
> Running Dachstein on a three-way box with LAN (192.*.*.*) and DMZ (10.*.*.*),
> at a remote location. Everything seems to work (well pretty much anyway). I
> have web, mail, ftp and ssh forwarded through to dmz-host. As I logged in on
> the dach-box (ssh to dmz-host, and ssh from there to dach-box) last night it
> started the whole 'host unknown, somebody might be eavesdropping, do you want
> to continue?'-thing.
> 
> Now this was because I was using a host (on my home lan) that I don't usually
> use for this. So I went to the machine that I *do* use for this, logged in
> (no problem) first to the dmz-box, and then to the dach-box.
> 
> I then looked at 'last', and then I got worried:
> 
> # last
> USER     TTY     PID     TIMEON  FROM
> reboot   ~       0       22545   2.2.19
> root     ttyp0   845     22491   192.*.*.*
> root     ttyp0   1532    21794   UNKNOWN
> root     ttyp0   1540    21791   10.*.*.*
> root     ttyp0   1554    21785   10.*.*.*
> root     ttyp0   5385    12592   10.*.*.*
> root     ttyp0   5505    12518   10.*.*.*
> root     ttyp0   6824    10156   10.*.*.*
> root     ttyp0   9046    5075    192.*.*.*
> root     ttyp0   10667   1576    10.*.*.*
> root     ttyp0   11313   1140    10.*.*.*
> root     ttyp0   11804   176     10.*.*.*
> root     ttyp0   12220   135     10.*.*.*
> root     ttyp0   12235   119     10.*.*.*
> root     ttyp0   12263   78      10.*.*.*
> root     ttyp0   12597   70      10.*.*.*
> root     ttyp0   13135   56      10.*.*.*
> root     ttyp0   13744   26      10.*.*.*
> root     ttyp0   13758   23      10.*.*.*
> root     ttyp0   13769   18      10.*.*.*
> root     ttyp0   13829   0       10.*.*.*
> 
> Looking at the logs, I can see that this UNKNOWN corresponds to a root-login
> yesterday *morning*.
> 
> The only other person who has access to these systems, tells me it wasn't
> him...
> 
> Now I'm pretty new at this stuff, so I really would appreciate some opinions
> on this... Should I *be* worried, is there a way to check whether stuff has
> been tampered-with?
> 
> I'll post further info, as requested/required.
> 
> TIA
> 
> Sincerely
> 
> Jon Clausen



Hey Jon,
  I can't say for sure, but these three look too
similar to be co-inkydinks:

> USER     TTY     PID     TIMEON  FROM
> root     ttyp0   1532    21794   UNKNOWN
> root     ttyp0   1540    21791   10.*.*.*
> root     ttyp0   1554    21785   10.*.*.*


Don't you think there's some similarity?  It's difficult
to get those so sequential, wouldn't you think?  Could the
unknown be from a login that didn't finish for some 
innocent reason?

Matt

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
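
The closeness Matt points out in the reply above can be checked mechanically. This is an added example, not part of the original thread: it parses the first rows of the `last` output Jon posted and lists the logins whose TIMEON is near that of the UNKNOWN entry. The 10-unit window and all function names are assumptions; the thread does not state the unit of TIMEON.

```python
from typing import NamedTuple

# Rows copied from the `last` output quoted in the thread (first six entries).
LAST_OUTPUT = """\
USER     TTY     PID     TIMEON  FROM
reboot   ~       0       22545   2.2.19
root     ttyp0   845     22491   192.*.*.*
root     ttyp0   1532    21794   UNKNOWN
root     ttyp0   1540    21791   10.*.*.*
root     ttyp0   1554    21785   10.*.*.*
root     ttyp0   5385    12592   10.*.*.*
"""

WINDOW = 10  # assumed closeness threshold, in whatever unit TIMEON uses

class Login(NamedTuple):
    user: str
    tty: str
    pid: int
    timeon: int
    source: str

def parse_last(text):
    """Return Login rows, skipping the header, boot marker and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        if parts[0] == "reboot":
            continue
        rows.append(Login(parts[0], parts[1], int(parts[2]), int(parts[3]), parts[4]))
    return rows

def neighbours_of_unknown(rows, window=WINDOW):
    """Map each UNKNOWN-source login's PID to the logins within `window` of its TIMEON."""
    return {
        r.pid: [o for o in rows if o is not r and abs(o.timeon - r.timeon) <= window]
        for r in rows
        if r.source == "UNKNOWN"
    }

if __name__ == "__main__":
    for pid, near in neighbours_of_unknown(parse_last(LAST_OUTPUT)).items():
        print(f"UNKNOWN login pid={pid}: {len(near)} login(s) within {WINDOW} of its TIMEON")
        for o in near:
            print(f"  pid={o.pid} timeon={o.timeon} from={o.source}")
```

A login that has close neighbours from a known address is a lead to compare against the system logs for the same period, not a conclusion in either direction.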
