Re: Strange output from "last" command
Hello, On Wed, Mar 21, 2001 at 02:39:39PM -0800, William R. Ward wrote: > date { Wed Mar 21 02:00 still logged in > date | Wed Mar 21 02:00 still logged in > I'm worried that the "date" entries are a consequence of > some hacker activity, but I have been unable to find any other > symptoms. Are you running "rdate" to set your time ? It produces that behaviour. Regards, Robert > --Bill. > > -- > William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/ > - > "Those are my principles. If you don't like them I have others."-Groucho Marx > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
Re: Strange output from "last" command
Mike Dresser writes: >"William R. Ward" wrote: > >> I've replaced the legit usernames and IP's with "xxx" but left them in >> for context. I'm worried that the "date" entries are a consequence of >> some hacker activity, but I have been unable to find any other >> symptoms. I did a web search and did not find any mention of this > >if i run rdate, i get the same thing, entries as date. That's my theory as to >what's causing it. That would explain it. I have a cron job that runs rdate and sysclock nightly to set the clock from the NIST atomic clock. --Bill. -- William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/ - "Those are my principles. If you don't like them I have others."-Groucho Marx
Re: Strange output from "last" command
"William R. Ward" wrote: > I've replaced the legit usernames and IP's with "xxx" but left them in > for context. I'm worried that the "date" entries are a consequence of > some hacker activity, but I have been unable to find any other > symptoms. I did a web search and did not find any mention of this if i run rdate, i get the same thing, entries as date. That's my theory as to what's causing it.
Re: Strange output from "last" command
On Wed, Mar 21, 2001 at 02:40:01PM -0800, William R. Ward wrote: > xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in > date { Wed Mar 21 02:00 still logged in > date | Wed Mar 21 02:00 still logged in > pts/1xxx.xxx.xxx.xxx Wed Mar 21 01:23 still logged in > pts/3xxx.xxx.xxx.xxx Wed Mar 21 00:09 - 01:23 (01:13) > xxx ftpd23719xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10) > xxx ftpd23714xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10) > xxx ftpd23702xxx.xxx.xxx.xxx Tue Mar 20 23:24 - 23:25 (00:01) > xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 20:00 - 20:17 (00:17) > xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 19:01 - 19:09 (00:07) the same thing has happened to me on a box with a crude hack... the hack was to fetch time every hour or so from another box and adjust the time accordingly (using rdate), the box itself is some 10 year old 486 which had a broken bios and well.. i didn't want to spend time thinking about getting a new bios or flashing the current one =) try checking if you have some software that adjusts your time. -- -< Sami Haahtinen >- -< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >- | 'If you haven't backed up your files recently, you might| | want to back them up before installing Windows 98' | | -- finnish windows 98 SE installation |
Re: Strange output from "last" command
On 2001-03-21, William R. Ward wrote: >My wtmp file seems to have some rather strange entries... > >xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in >date { Wed Mar 21 02:00 still logged in >date | Wed Mar 21 02:00 still logged in [...] On my debian box, rdate -s some.time.server adds similar entries to my wtmp. I guess you synchronize your system clock using rdate, don't you? I hope it will help. >--Bill. Regards, Jakub. -- (0> Jakub Jankowski [url]: none //\ [EMAIL PROTECTED] [uin]: 70771776 V_/_ [EMAIL PROTECTED] [cell]: 502110186
Re: Strange output from "last" command
Hello, On Wed, Mar 21, 2001 at 02:39:39PM -0800, William R. Ward wrote: > date { Wed Mar 21 02:00 still logged in > date | Wed Mar 21 02:00 still logged in > I'm worried that the "date" entries are a consequence of > some hacker activity, but I have been unable to find any other > symptoms. Are you running "rdate" to set your time ? It produces that behaviour. Regards, Robert > --Bill. > > -- > William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/ > - > "Those are my principles. If you don't like them I have others."-Groucho Marx > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from "last" command
Mike Dresser writes: >"William R. Ward" wrote: > >> I've replaced the legit usernames and IP's with "xxx" but left them in >> for context. I'm worried that the "date" entries are a consequence of >> some hacker activity, but I have been unable to find any other >> symptoms. I did a web search and did not find any mention of this > >if i run rdate, i get the same thing, entries as date. That's my theory as to >what's causing it. That would explain it. I have a cron job that runs rdate and sysclock nightly to set the clock from the NIST atomic clock. --Bill. -- William R Ward[EMAIL PROTECTED] http://www.bayview.com/~hermit/ - "Those are my principles. If you don't like them I have others."-Groucho Marx -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from "last" command
"William R. Ward" wrote: > I've replaced the legit usernames and IP's with "xxx" but left them in > for context. I'm worried that the "date" entries are a consequence of > some hacker activity, but I have been unable to find any other > symptoms. I did a web search and did not find any mention of this if i run rdate, i get the same thing, entries as date. That's my theory as to what's causing it. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from "last" command
On Wed, Mar 21, 2001 at 02:40:01PM -0800, William R. Ward wrote: > xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in > date { Wed Mar 21 02:00 still logged in > date | Wed Mar 21 02:00 still logged in > pts/1xxx.xxx.xxx.xxx Wed Mar 21 01:23 still logged in > pts/3xxx.xxx.xxx.xxx Wed Mar 21 00:09 - 01:23 (01:13) > xxx ftpd23719xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10) > xxx ftpd23714xxx.xxx.xxx.xxx Tue Mar 20 23:25 - 23:35 (00:10) > xxx ftpd23702xxx.xxx.xxx.xxx Tue Mar 20 23:24 - 23:25 (00:01) > xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 20:00 - 20:17 (00:17) > xx pts/3xxx.xxx.xxx.xxx Tue Mar 20 19:01 - 19:09 (00:07) the same thing has happened to me on a box with a crude hack... the hack was to fetch time every hour or so from another box and adjust the time accordingly (using rdate), the box itself is some 10 year old 486 which had a broken bios and well.. i didn't want to spend time thinking about getting a new bios or flashing the current one =) try checking if you have some software that adjusts your time. -- -< Sami Haahtinen >- -< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >- | 'If you haven't backed up your files recently, you might| | want to back them up before installing Windows 98' | | -- finnish windows 98 SE installation | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from "last" command
On 2001-03-21, William R. Ward wrote: >My wtmp file seems to have some rather strange entries... > >xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in >date { Wed Mar 21 02:00 still logged in >date | Wed Mar 21 02:00 still logged in [...] On my debian box, rdate -s some.time.server adds similar entries to my wtmp. I guess you synchronize your system clock using rdate, don't you? I hope it will help. >--Bill. Regards, Jakub. -- (0> Jakub Jankowski [url]: none //\ shasta@IRCnet [uin]: 70771776 V_/_ [EMAIL PROTECTED] [cell]: 502110186 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]