Strange output from last command
My wtmp file seems to have some rather strange entries...
xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
pts/1xxx.xxx.xxx.xxx Wed Mar 21 01:23 still logged in
pts/3xxx.xxx.xxx.xxx Wed Mar 21 00:09 - 01:23 (01:13)
xxx ftpd23719xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23714xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23702xxx.xxx.xxx.xxx Tue Mar 20 23:24 - 23:25 (00:01)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 20:00 - 20:17 (00:17)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 19:01 - 19:09 (00:07)
I've replaced the legit usernames and IP's with "xxx" but left them in
for context. I'm worried that the "date" entries are a consequence of
some hacker activity, but I have been unable to find any other
symptoms. I did a web search and did not find any mention of this
sort of thing. I'm using the stable distribution of Debian, with a
2.2.17 kernel.
--Bill.
--
William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/
-
"Those are my principles. If you don't like them I have others."-Groucho Marx
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from last command
On 2001-03-21, William R. Ward wrote:
My wtmp file seems to have some rather strange entries...
xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
[...]
On my debian box, rdate -s some.time.server adds similar entries to
my wtmp. I guess you synchronize your system clock using rdate, don't
you? I hope it will help.
--Bill.
Regards,
Jakub.
--
(0 Jakub Jankowski [url]: none
//\ shasta@IRCnet [uin]: 70771776
V_/_ [EMAIL PROTECTED] [cell]: 502110186
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from last command
On Wed, Mar 21, 2001 at 02:40:01PM -0800, William R. Ward wrote:
xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
pts/1xxx.xxx.xxx.xxx Wed Mar 21 01:23 still logged in
pts/3xxx.xxx.xxx.xxx Wed Mar 21 00:09 - 01:23 (01:13)
xxx ftpd23719xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23714xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23702xxx.xxx.xxx.xxx Tue Mar 20 23:24 - 23:25 (00:01)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 20:00 - 20:17 (00:17)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 19:01 - 19:09 (00:07)
the same thing has happened to me on a box with a crude hack...
the hack was to fetch time every hour or so from another box and adjust the
time accordingly (using rdate), the box itself is some 10 year old 486 which
had a broken bios and well.. i didn't want to spend time thinking about getting
a new bios or flashing the current one =)
try checking if you have some software that adjusts your time.
--
- Sami Haahtinen -
- 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
| 'If you haven't backed up your files recently, you might|
| want to back them up before installing Windows 98' |
| -- finnish windows 98 SE installation |
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from last command
"William R. Ward" wrote: I've replaced the legit usernames and IP's with "xxx" but left them in for context. I'm worried that the "date" entries are a consequence of some hacker activity, but I have been unable to find any other symptoms. I did a web search and did not find any mention of this if i run rdate, i get the same thing, entries as date. That's my theory as to what's causing it. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from last command
Mike Dresser writes: "William R. Ward" wrote: I've replaced the legit usernames and IP's with "xxx" but left them in for context. I'm worried that the "date" entries are a consequence of some hacker activity, but I have been unable to find any other symptoms. I did a web search and did not find any mention of this if i run rdate, i get the same thing, entries as date. That's my theory as to what's causing it. That would explain it. I have a cron job that runs rdate and sysclock nightly to set the clock from the NIST atomic clock. --Bill. -- William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/ - "Those are my principles. If you don't like them I have others."-Groucho Marx -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Strange output from last command
My wtmp file seems to have some rather strange entries...
xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
pts/1xxx.xxx.xxx.xxx Wed Mar 21 01:23 still logged in
pts/3xxx.xxx.xxx.xxx Wed Mar 21 00:09 - 01:23 (01:13)
xxx ftpd23719xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23714xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23702xxx.xxx.xxx.xxx Tue Mar 20 23:24 - 23:25 (00:01)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 20:00 - 20:17 (00:17)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 19:01 - 19:09 (00:07)
I've replaced the legit usernames and IP's with xxx but left them in
for context. I'm worried that the date entries are a consequence of
some hacker activity, but I have been unable to find any other
symptoms. I did a web search and did not find any mention of this
sort of thing. I'm using the stable distribution of Debian, with a
2.2.17 kernel.
--Bill.
--
William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/
-
Those are my principles. If you don't like them I have others.-Groucho Marx
Re: Strange output from last command
On 2001-03-21, William R. Ward wrote:
My wtmp file seems to have some rather strange entries...
xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
[...]
On my debian box, rdate -s some.time.server adds similar entries to
my wtmp. I guess you synchronize your system clock using rdate, don't
you? I hope it will help.
--Bill.
Regards,
Jakub.
--
(0 Jakub Jankowski [url]: none
//\ [EMAIL PROTECTED] [uin]: 70771776
V_/_ [EMAIL PROTECTED] [cell]: 502110186
Re: Strange output from last command
On Wed, Mar 21, 2001 at 02:40:01PM -0800, William R. Ward wrote:
xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
pts/1xxx.xxx.xxx.xxx Wed Mar 21 01:23 still logged in
pts/3xxx.xxx.xxx.xxx Wed Mar 21 00:09 - 01:23 (01:13)
xxx ftpd23719xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23714xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10)
xxx ftpd23702xxx.xxx.xxx.xxx Tue Mar 20 23:24 - 23:25 (00:01)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 20:00 - 20:17 (00:17)
xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 19:01 - 19:09 (00:07)
the same thing has happened to me on a box with a crude hack...
the hack was to fetch time every hour or so from another box and adjust the
time accordingly (using rdate), the box itself is some 10 year old 486 which
had a broken bios and well.. i didn't want to spend time thinking about getting
a new bios or flashing the current one =)
try checking if you have some software that adjusts your time.
--
- Sami Haahtinen -
- 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
| 'If you haven't backed up your files recently, you might|
| want to back them up before installing Windows 98' |
| -- finnish windows 98 SE installation |
Re: Strange output from last command
William R. Ward wrote: I've replaced the legit usernames and IP's with xxx but left them in for context. I'm worried that the date entries are a consequence of some hacker activity, but I have been unable to find any other symptoms. I did a web search and did not find any mention of this if i run rdate, i get the same thing, entries as date. That's my theory as to what's causing it.
Re: Strange output from last command
Mike Dresser writes: William R. Ward wrote: I've replaced the legit usernames and IP's with xxx but left them in for context. I'm worried that the date entries are a consequence of some hacker activity, but I have been unable to find any other symptoms. I did a web search and did not find any mention of this if i run rdate, i get the same thing, entries as date. That's my theory as to what's causing it. That would explain it. I have a cron job that runs rdate and sysclock nightly to set the clock from the NIST atomic clock. --Bill. -- William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/ - Those are my principles. If you don't like them I have others.-Groucho Marx
Re: Strange output from last command
Hello,
On Wed, Mar 21, 2001 at 02:39:39PM -0800, William R. Ward wrote:
date { Wed Mar 21 02:00 still logged in
date | Wed Mar 21 02:00 still logged in
I'm worried that the date entries are a consequence of
some hacker activity, but I have been unable to find any other
symptoms.
Are you running rdate to set your time ? It produces that behaviour.
Regards,
Robert
--Bill.
--
William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/
-
Those are my principles. If you don't like them I have others.-Groucho Marx
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
