[NTLUG:Discuss] suspicious output from "last -d" command

Ed Leach ntlug at levelofdetail.com
Mon Oct 29 16:57:28 CDT 2007 

Hello,

Below is output from a "last -d" command. In the man page for last it's
pretty clear that the -d option lists non-local logins. My machine is a
simple Ubuntu home system - no servers. I do occasionally use ssh to
backup to another local machine, but that wouldn't explain this output.
I have no idea what or who these IPs are!

I didn't notice any suspicious activity on my machine other than this
output. I did a chkrootkit and it came up with nothing.

After seeing this output, I have done a clean install of Gutsy since I
was a couple versions behind anyway.

So . . . could anything explain this output other than getting broken into?

Thanks,

Ed

-------------------------------

user   pts/0        50.232.7.0       Fri Oct 26 11:07 - 20:49  (09:42)
user   pts/0        21.226.7.0       Fri Oct 26 08:19 - 11:06  (02:47)
user   pts/0        62.92.8.0        Fri Oct 26 08:14 - 08:14  (00:00)
user   :0           localhost        Fri Oct 26 08:08 - 20:49  (12:40)
reboot   system boot  40.123.8.0       Fri Oct 26 08:08          (12:40)
user   pts/0        174.42.15.0      Thu Oct 25 14:16 - 20:20  (06:03)
user   pts/0        21.193.4.0       Thu Oct 25 12:43 - 12:47  (00:03)
user   :0           localhost        Thu Oct 25 09:55 - 20:21  (10:25)
reboot   system boot  118.143.5.0      Thu Oct 25 09:55          (10:25)
user   pts/1        0-2.1-85.cust.bl Wed Oct 24 13:28 - 19:51  (06:23)
user   pts/1        8.81.13.0        Wed Oct 24 13:25 - 13:27  (00:02)
user   pts/1        107.68.4.0       Wed Oct 24 12:47 - 13:24  (00:37)
user   pts/0        224.95.9.0       Tue Oct 23 11:48 - 13:25 (1+01:36)
user   :0           localhost        Tue Oct 23 11:24 - 19:51 (1+08:26)
reboot   system boot  21.127.7.0       Tue Oct 23 11:24         (1+08:27)
user   :0           localhost        Mon Oct 22 08:51 - 20:01  (11:09)
reboot   system boot  c-75-65-2-0.hsd1 Mon Oct 22 08:51          (11:09)
user   :0           localhost        Fri Oct 19 08:26 - 12:19  (03:52)
reboot   system boot  84.116.7.0       Fri Oct 19 08:26          (03:52)
user   pts/1        reserved-multica Thu Oct 18 14:43 - 20:48  (06:05)
user   pts/0        153.246.10.0     Thu Oct 18 14:19 - 20:48  (06:28)
user   :0           localhost        Thu Oct 18 14:06 - 20:48  (06:41)
reboot   system boot  167.142.13.0     Thu Oct 18 14:06          (06:42)
user   pts/0        0.sub-72-127-5.m Tue Oct 16 17:59 - 13:28  (19:29)
user   :0           localhost        Tue Oct 16 10:48 - 13:28 (1+02:40)
reboot   system boot  178.62.7.0       Tue Oct 16 10:48         (1+02:40)
user   pts/4        182.5.14.0       Mon Oct 15 17:01 - 20:03  (03:02)
user   pts/1        122x215x1x0.ap12 Mon Oct 15 16:30 - 20:03  (03:33)
user   pts/4        localhost        Mon Oct 15 16:22 - 17:01  (00:38)
user   pts/3        ALille-253-1-3-n Mon Oct 15 15:58 - 20:04  (04:05)
user   pts/2        153.220.6.0      Mon Oct 15 15:39 - 20:03  (04:24)
user   pts/1        176.239.11.0     Mon Oct 15 14:16 - 16:30  (02:14)
user   pts/0        0.sub-72-110-14. Mon Oct 15 09:27 - 20:04  (10:36)
user   :0           localhost        Mon Oct 15 08:54 - 20:04  (11:09)

More information about the Discuss mailing list