[NTLUG:Discuss] suspicious output from "last -d" command
Greg Edwards
greg at nas-inet.com
Mon Oct 29 17:02:23 CDT 2007
Ed Leach wrote:
> Hello,
>
> Below is output from a "last -d" command. In the man page for last it's
> pretty clear that the -d option lists non-local logins. My machine is a
> simple Ubuntu home system - no servers. I do occasionally use ssh to
> backup to another local machine, but that wouldn't explain this output.
> I have no idea what or who these IPs are!
>
> I didn't notice any suspicious activity on my machine other than this
> output. I did a chkrootkit and it came up with nothing.
>
> After seeing this output, I have done a clean install of Gutsy since I
> was a couple versions behind anyway.
>
> So . . . could anything explain this output other than getting broken into?
>
> Thanks,
>
> Ed
>
> -------------------------------
>
> user pts/0 50.232.7.0 Fri Oct 26 11:07 - 20:49 (09:42)
Ed,

From a terminal, run host or whois on the IP addresses. This will give
you somewhere to start from.

From the first IP:
==================================================================
[greg at hawk sql]$ whois 50.232.7.0
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 50.0.0.0 - 50.255.255.255
CIDR: 50.0.0.0/8
NetName: RESERVED-50
NetHandle: NET-50-0-0-0-0
Parent:
NetType: IANA Reserved
Comment:
RegDate:
Updated: 2002-08-23
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse at iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse at iana.org
# ARIN WHOIS database, last updated 2007-10-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
====================================================================
--
Greg Edwards
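
Added example (not part of the original thread): a shell script for the step suggested above, pulling the distinct non-local source addresses out of `last` output before looking each one up. It assumes `last -i`, so the host column holds numeric addresses; the function names and the sample lines other than the 50.232.7.0 entry are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of the line quoted in the thread.
# 198.51.100.7 is a documentation address; 192.168.1.20 stands in for a LAN host.
sample_last() {
cat <<'EOF'
user     pts/0        50.232.7.0       Fri Oct 26 11:07 - 20:49  (09:42)
user     pts/1        192.168.1.20     Thu Oct 25 09:00 - 09:05  (00:05)
user     tty7         :0               Thu Oct 25 08:30 - down   (12:19)
user     pts/2        198.51.100.7     Wed Oct 24 22:10 - 22:11  (00:01)
user     pts/0        198.51.100.7     Wed Oct 24 21:10 - 21:40  (00:30)
reboot   system boot  2.6.22-14-generi Wed Oct 24 08:00 - 20:50  (12:50)

wtmp begins Mon Oct  1 08:00:00 2007
EOF
}

# Read last(1) output on stdin; print "count address user" for each IPv4
# source that is not loopback, RFC 1918, link-local or 0.0.0.0.
remote_logins() {
  awk '
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($3, o, ".")
      if ($3 == "0.0.0.0" || o[1] == 127 || o[1] == 10) next
      if (o[1] == 192 && o[2] == 168) next
      if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next
      if (o[1] == 169 && o[2] == 254) next
      seen[$3 " " $1]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2,2
}

# For each address, show who holds the block. The field names are the ones
# in the ARIN reply above; other registries label these fields differently.
lookup() {
  while read -r count addr user; do
    echo "== $addr ($count session(s) as $user)"
    whois "$addr" | grep -E '^(OrgName|NetRange|CIDR|NetName|NetType):'
  done
}

# Offline demo on the constructed sample. On a live system (needs network):
#   last -i | remote_logins | lookup
sample_last | remote_logins
```

Sessions from the LAN host, the local X display and the reboot record are dropped, so only addresses that need an explanation reach `whois`.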