[NTLUG:Discuss] suspicious output from "last -d" command

Leroy Tennison leroy_tennison at prodigy.net
Mon Oct 29 23:51:00 CDT 2007


Ed Leach wrote:
> Hello,
> 
> Below is output from a "last -d" command. In the man page for last it's
> pretty clear that the -d option lists non-local logins. My machine is a
> simple Ubuntu home system - no servers. I do occasionally use ssh to
> back up to another local machine, but that wouldn't explain this output.
> I have no idea what or who these IPs are!
> 
> I didn't notice any suspicious activity on my machine other than this
> output. I did a chkrootkit and it came up with nothing.
> 
> After seeing this output, I have done a clean install of Gutsy since I
> was a couple versions behind anyway.
> 
> So . . . could anything explain this output other than getting broken into?
> 
> Thanks,
> 
> Ed
> 
> -------------------------------
> 
> user   pts/0        50.232.7.0       Fri Oct 26 11:07 - 20:49  (09:42)
> user   pts/0        21.226.7.0       Fri Oct 26 08:19 - 11:06  (02:47)
> user   pts/0        62.92.8.0        Fri Oct 26 08:14 - 08:14  (00:00)
> user   :0           localhost        Fri Oct 26 08:08 - 20:49  (12:40)
> reboot   system boot  40.123.8.0       Fri Oct 26 08:08          (12:40)
> user   pts/0        174.42.15.0      Thu Oct 25 14:16 - 20:20  (06:03)
> user   pts/0        21.193.4.0       Thu Oct 25 12:43 - 12:47  (00:03)
> user   :0           localhost        Thu Oct 25 09:55 - 20:21  (10:25)
> reboot   system boot  118.143.5.0      Thu Oct 25 09:55          (10:25)
> user   pts/1        0-2.1-85.cust.bl Wed Oct 24 13:28 - 19:51  (06:23)
> user   pts/1        8.81.13.0        Wed Oct 24 13:25 - 13:27  (00:02)
> user   pts/1        107.68.4.0       Wed Oct 24 12:47 - 13:24  (00:37)
> user   pts/0        224.95.9.0       Tue Oct 23 11:48 - 13:25 (1+01:36)
> user   :0           localhost        Tue Oct 23 11:24 - 19:51 (1+08:26)
> reboot   system boot  21.127.7.0       Tue Oct 23 11:24         (1+08:27)
> user   :0           localhost        Mon Oct 22 08:51 - 20:01  (11:09)
> reboot   system boot  c-75-65-2-0.hsd1 Mon Oct 22 08:51          (11:09)
> user   :0           localhost        Fri Oct 19 08:26 - 12:19  (03:52)
> reboot   system boot  84.116.7.0       Fri Oct 19 08:26          (03:52)
> user   pts/1        reserved-multica Thu Oct 18 14:43 - 20:48  (06:05)
> user   pts/0        153.246.10.0     Thu Oct 18 14:19 - 20:48  (06:28)
> user   :0           localhost        Thu Oct 18 14:06 - 20:48  (06:41)
> reboot   system boot  167.142.13.0     Thu Oct 18 14:06          (06:42)
> user   pts/0        0.sub-72-127-5.m Tue Oct 16 17:59 - 13:28  (19:29)
> user   :0           localhost        Tue Oct 16 10:48 - 13:28 (1+02:40)
> reboot   system boot  178.62.7.0       Tue Oct 16 10:48         (1+02:40)
> user   pts/4        182.5.14.0       Mon Oct 15 17:01 - 20:03  (03:02)
> user   pts/1        122x215x1x0.ap12 Mon Oct 15 16:30 - 20:03  (03:33)
> user   pts/4        localhost        Mon Oct 15 16:22 - 17:01  (00:38)
> user   pts/3        ALille-253-1-3-n Mon Oct 15 15:58 - 20:04  (04:05)
> user   pts/2        153.220.6.0      Mon Oct 15 15:39 - 20:03  (04:24)
> user   pts/1        176.239.11.0     Mon Oct 15 14:16 - 16:30  (02:14)
> user   pts/0        0.sub-72-110-14. Mon Oct 15 09:27 - 20:04  (10:36)
> user   :0           localhost        Mon Oct 15 08:54 - 20:04  (11:09)
> 
What really surprises me here is that your system has been rebooted from
seven different addresses. And these reboots are during the day, most
in the morning (unless your system clock is wrong). Are you
experiencing unexpected reboots? I'm wondering if there is a bug in the
output. BTW, do you have a login ID named 'user' in your /etc/passwd file?
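
Added example, not part of the original thread: per last(1), `-d` translates the IP number stored in each wtmp record back into a hostname, so one way to check the raw data is to read the records directly and flag any that carry an address even though they cannot be a network login (a boot record, or a login whose host field is empty or an X display). It assumes the 384-byte glibc `struct utmp` layout of Linux x86/x86-64; the function names, the flagging heuristic and the sample records are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: glibc `struct utmp` as laid out on Linux x86/x86-64 (384 bytes).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS = 2, 7  # ut_type values from <utmp.h>

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def _addr(raw):
    """ut_addr_v6: IPv4 sits in the first 4 bytes; all zero means no address."""
    if not any(raw):
        return None
    if not any(raw[4:]):
        return ipaddress.IPv4Address(raw[:4])
    return ipaddress.IPv6Address(raw)

def parse_wtmp(data):
    """Yield (ut_type, line, user, host, addr) for each complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], _text(f[2]), _text(f[4]), _text(f[5]), _addr(f[11])

def inconsistent(records):
    """Heuristic: an address on a record that cannot be a network login."""
    for ut_type, line, user, host, addr in records:
        if addr is None:
            continue
        local = host in ("", "localhost") or host.startswith(":")
        if ut_type == BOOT_TIME or (ut_type == USER_PROCESS and local):
            yield line, user, host, str(addr)

def _rec(ut_type, line, user, host, addr):
    # Constructed record for the sample; pid, session and time are left at zero.
    return UTMP.pack(ut_type, 0, line, b"", user, host, 0, 0, 0, 0, 0, addr)

SAMPLE = b"".join([  # constructed sample, not taken from any real wtmp file
    _rec(BOOT_TIME, b"~", b"reboot", b"kernel-release", bytes([198, 51, 100, 0]) + bytes(12)),
    _rec(USER_PROCESS, b"pts/0", b"user", b":0.0", bytes([203, 0, 113, 0]) + bytes(12)),
    _rec(USER_PROCESS, b"pts/1", b"user", b"192.0.2.10", bytes([192, 0, 2, 10]) + bytes(12)),
    _rec(USER_PROCESS, b":0", b"user", b"", bytes(16)),
])

if __name__ == "__main__":
    for hit in inconsistent(parse_wtmp(SAMPLE)):
        print(hit)
```

To run it against a real system, pass the bytes of `/var/log/wtmp` to `parse_wtmp` in place of `SAMPLE`.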
