Re: foreign ip in /var/log/wtmp
- From: jayjwa@xxxxxxxxxxx
- Date: Sat, 05 May 2007 22:43:09 -0000
Bernd <bernd.lentes@xxxxxxxx> wrote:
I realized foreign IPs in /var/log/wtmp, using last -i.
For example:
mayer :0 248.80.3.64 Tue Apr 24 13:39 still logged in
dietrich :0 248.80.3.64 Tue Apr 24 13:06 - 13:36 (00:29)
dietrich :0 248.80.3.64 Tue Apr 24 13:05 - 13:06 (00:00)
another machine:
anhthu :0 220.202.235.183 Thu May 3 10:43 still logged in
anhthu pts/0 0.0.0.0 Wed May 2 15:58 - 15:58 (00:00)
anhthu :0 220.202.235.183 Wed May 2 15:58 - 15:58 (00:00)
The foreign IP always appears only while doing an X login (xdm or kdm).
Logins via ssh are always tracked with the right IP.
The only other points I'd like to mention (that I haven't seen mentioned yet) are:
* possible SSH forwarding/X forwarding being abused here? Think about ssh configs
such as:
AllowTcpForwarding
GatewayPorts
X11Forwarding
X11DisplayOffset
X11UseLocalhost
* there were a number of holes in recent X Window.
When you say you pulled the network connections but the IP addresses remain, then either
- your resolver is broken (listing wrong addresses) or misconfigured
- there is another interface you've overlooked (maybe wireless?)
- the logging system is malfunctioning. Since it reports correctly (or
seems to) everything but only those few IP addresses are out of place,
this seems unlikely.
- possibly a user has changed network parameters...you may be looking
for ipv4 connections when someone set up a ipv6 and/or tunnel
interface? Without sitting at the machine I can only guess about your
setup.
- something really weird is going on ;)
I don't think that I'm hacked, but I would very much like to know from
where these foreign IPs come.
The Chinanet address is highly suspicious. I had so many SSH attack
attempts from there (and other attacks) that I finally ended up
dropping all traffic from the area.
Remember if you are hacked, you can't trust the output of the tools on
any system connected with the system in question and obviously not the
system itself. Connections or processes can be hidden, logs might be
edited or wiped.
Do you have the 'lsof' tool? When the suspicious IP address shows up, use
lsof -i4 -n | grep <the IP address> to find the PID. Then strace -p
PID and see just what it's doing. I'd run a sniffer in promiscuous mode
in a location that could see all traffic in and out, possibly on the
box that is routing.
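As an added example (not part of the thread), a small check for the anomaly Bernd describes: it reads `last -i` output and flags console/X display logins (:0, :1, ...) whose recorded host is a routable address rather than 0.0.0.0, loopback or an RFC1918 range. The sample `last -i` lines are constructed for the example.

```shell
#!/bin/sh
# Added example: flag X display (:N) logins in `last -i` output that were
# recorded with a non-local IP. A local xdm/kdm login should normally show
# 0.0.0.0 or a local address in the host field; anything else is worth a
# closer look with lsof/strace as suggested in the thread.

# Constructed sample of `last -i` output (field 3 is the host/IP column).
SAMPLE_LAST='mayer    :0      248.80.3.64      Tue Apr 24 13:39   still logged in
dietrich :0      248.80.3.64      Tue Apr 24 13:06 - 13:36  (00:29)
anhthu   pts/0   0.0.0.0          Wed May  2 15:58 - 15:58  (00:00)
root     pts/1   192.168.1.20     Wed May  2 16:10 - 16:30  (00:20)
local    :0      0.0.0.0          Wed May  2 09:00 - 17:00  (08:00)
wtmp begins Tue Apr 24 13:05:00 2007'

# Reads `last -i` lines on stdin; prints "user display ip" for each
# console/X display login whose host field is not a local address.
flag_foreign_console_logins() {
    awk '
        # skip the trailer line `last` prints and anything too short
        /^wtmp begins/ || NF < 3 { next }
        # only X display logins such as :0 or :1 (ssh logins use pts/N)
        $2 !~ /^:[0-9]+$/ { next }
        {
            ip = $3
            # unset, loopback and RFC1918 addresses count as local
            local = (ip == "0.0.0.0" || ip ~ /^127\./ || ip ~ /^10\./ ||
                     ip ~ /^192\.168\./ ||
                     ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            if (!local) print $1, $2, ip
        }'
}

# Run against the constructed sample; on a real box use: last -i | flag_foreign_console_logins
printf '%s\n' "$SAMPLE_LAST" | flag_foreign_console_logins
```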