Re: Strange login from /usr/bin/gnome-session



I also ran the same commands on my laptop running SuSE 9.3 and came up
with similar results. In my case, however, the 'alien' IP always logs in at
the same time as my normal login here's as

$ last -i

manulite :0           96.92.235.183    Thu Oct 27 10:46   still logged in
manulite :0           0.0.0.0          Thu Oct 27 10:46 - 10:46  (00:00)
...
manulite :0           96.92.235.183    Wed Oct 26 13:28 - 20:08  (06:39)
manulite :0           0.0.0.0          Wed Oct 26 13:28 - 13:28  (00:00)
...
manulite :0           96.92.235.183    Wed Oct 26 12:03 - 13:25  (01:21)
manulite :0           0.0.0.0          Wed Oct 26 12:03 - 12:03  (00:00)
...
manulite :0           96.92.235.183    Wed Oct 26 00:11 - 01:22  (01:11)
manulite :0           0.0.0.0          Wed Oct 26 00:11 - 00:11  (00:00)
...
manulite :0           96.92.235.183    Tue Oct 25 10:47 - 23:01  (12:13)
manulite :0           0.0.0.0          Tue Oct 25 10:47 - 10:47  (00:00)

The 0.0.0.0 login always lasts for 00:00. I also have no idea what is
happening, but I think that it might be related to the way the X server
works (I tested on another desktop running another display manager and
GUI, with similar results as well).

Maybe someone knows what is going on.

Regards,

Manulite

Tadej wrote:
| Hi!
|
| Just out of curiosity I ran "last -i" on my debian sarge and it came out
| with an interesting output:
|
| $ last -i
| tadej    pts/7        0.0.0.0          Wed Oct 26 13:33   still logged in
| tadej    pts/6        0.0.0.0          Mon Oct 24 08:35 - 13:33 (2+04:58)
| tadej    pts/5        0.0.0.0          Mon Oct 24 08:35   still logged in
| tadej    pts/4        0.0.0.0          Mon Oct 24 08:35   still logged in
| tadej    pts/3        0.0.0.0          Mon Oct 24 08:35   still logged in
| tadej    pts/2        0.0.0.0          Mon Oct 24 08:35   still logged in
| tadej    pts/1        0.0.0.0          Mon Oct 24 08:35   still logged in
| tadej    pts/0        0.0.0.0          Mon Oct 24 08:20   still logged in
| tadej    :0           18.205.3.64      Mon Oct 24 08:19   still logged in
| reboot   system boot  0.0.0.0          Mon Oct 24 08:19         (3+03:03)
| root     tty3         0.0.0.0          Fri Oct 21 16:19 - 16:19  (00:00)
| tadej    pts/7        0.0.0.0          Thu Oct 20 08:54 - 09:18  (00:24)
| tadej    pts/8        0.0.0.0          Mon Oct 17 09:54 - 11:00  (01:05)
| tadej    pts/8        0.0.0.0          Mon Oct 17 09:43 - 09:44  (00:01)
| tadej    pts/6        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    pts/5        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    pts/4        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    pts/3        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    pts/2        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    pts/1        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    pts/0        0.0.0.0          Mon Oct 17 08:28 - down  (4+07:52)
| tadej    :0           18.205.3.64      Mon Oct 17 08:27 - down  (4+07:53)
| reboot   system boot  0.0.0.0          Mon Oct 17 08:27         (4+07:53)
|
|
| Strange, somebody from 18.205.3.64 logged on my system? And I don't run
| any server program (at least not accessible from outside my firewall).
| And as I understand :0 stands for local login?
|
|
| $ who -a
|                         Oct 24 08:19               369 id=si    term=0 exit=0
|            system boot  Oct 24 08:19
|            run-level 2  Oct 24 08:19                   last=S
|                         Oct 24 08:19              4033 id=l2    term=0 exit=0
| LOGIN      tty1         Oct 24 08:19              4404 id=1
| LOGIN      tty2         Oct 24 08:19              4406 id=2
| LOGIN      tty3         Oct 24 08:19              4407 id=3
| LOGIN      tty4         Oct 24 08:19              4408 id=4
| LOGIN      tty5         Oct 24 08:19              4410 id=5
| LOGIN      tty6         Oct 24 08:19              4434 id=6
| tadej    ? :0           Oct 24 08:19   ?          4629
| tadej    + pts/0        Oct 24 08:20 21:16        4725 (:0.0)
| tadej    + pts/1        Oct 24 08:35 00:06        4725 (:0.0)
| tadej    + pts/2        Oct 24 08:35 00:12        4725 (:0.0)
| tadej    + pts/3        Oct 24 08:35 00:06        4725 (:0.0)
| tadej    + pts/4        Oct 24 08:35  staro       4725 (:0.0)
| tadej    + pts/5        Oct 24 08:35 00:14        4725 (:0.0)
|            pts/6        Oct 26 13:33                 0 id=/6    term=0 exit=0
| tadej    + pts/7        Oct 26 13:33   .          4725 (:0.0)
|
| $ ps p4629
|   PID TTY      STAT   TIME COMMAND
|  4629 ?        Ss     0:08 /usr/bin/gnome-session
|
|
|
| There's no DNS for 18.205.3.64 and it belongs to MIT:
|
| NetRange:   18.0.0.0 - 18.255.255.255
| CIDR:       18.0.0.0/8
| NetName:    MIT
| NetHandle:  NET-18-0-0-0-1
|
|
| And no record of 18.205.3.64 in any log, no netflow data from or to this
| IP, Google has no record of it.
|
| Anybody have any idea how and where it came from?
|
|
| Regards, Tadej
|

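An added example, not part of either poster's message: a small parser for raw wtmp records that shows the host and address fields side by side and flags logins on a local X display (`:0`) that nevertheless carry a non-zero address, the pattern both `last -i` listings show. It assumes the 384-byte glibc `struct utmp` layout of Linux x86/x86-64; the helper names and the sample records (including their PIDs and timestamps) are constructed for illustration.

```python
import ipaddress
import struct

# Assumed layout: glibc "struct utmp" on Linux x86/x86-64, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
USER_PROCESS = 7  # ut_type of a normal login session

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def _addr(raw16):
    # ut_addr_v6: an IPv4 address sits in the first 4 bytes, the rest are zero.
    if raw16[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))

def parse_wtmp(blob):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        (typ, pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, addr) = UTMP.unpack_from(blob, off)
        yield {"type": typ, "pid": pid, "line": _text(line),
               "user": _text(user), "host": _text(host),
               "addr": _addr(addr), "time": sec}

def unexplained_local_addrs(blob):
    """Logins on a local X display whose address field is not all zero."""
    return [r for r in parse_wtmp(blob)
            if r["type"] == USER_PROCESS
            and (r["line"].startswith(":") or r["host"].startswith(":"))
            and r["addr"] != "0.0.0.0"]

def _record(typ, pid, line, user, host, addr, sec):
    # Builds a constructed test record; this is not data from a real system.
    packed = ipaddress.IPv4Address(addr).packed + bytes(12)
    return UTMP.pack(typ, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, packed)

# Constructed sample modelled on the two kinds of line in the listings above.
SAMPLE = (_record(7, 4629, ":0", "tadej", ":0", "18.205.3.64", 1130134740)
          + _record(7, 4725, "pts/0", "tadej", ":0.0", "0.0.0.0", 1130134800))

if __name__ == "__main__":
    for r in unexplained_local_addrs(SAMPLE):
        print(r["user"], r["line"], "host=%r" % r["host"], "addr=" + r["addr"])
```

On a real system, read the bytes of `/var/log/wtmp` and pass them to `unexplained_local_addrs`; a flagged record tells you what the program that wrote it stored in the address field, so it still has to be checked against connection logs the way Tadej did.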


