# Strange "last"-Output

## Cle.o

Hello,

Since our server has shown strange behaviour in the last weeks (abuse message from the server hoster because one of the virtual machines running on the server seems to cause huge amounts of traffic at some times), we started searching for potential intruders or other reasons and found this as output from `last`:

```
)*       ***O**       **               Thu Jan  1 10:02    gone - no logout
**       ******       w*               Thu Jan  1 10:05    gone - no logout
**       ****f*       **               Thu Jan  1 10:02    gone - no logout
**       **]***       **               Thu Jan  1 10:03    gone - no logout
**       ***G**       **               Thu Jan  1 10:05    gone - no logout
**       *F****       **               Thu Jan  1 10:04    gone - no logout
z*       **Un**        *               Thu Jan  1 10:05    gone - no logout
A*       *&y***       )*               Thu Jan  1 10:04    gone - no logout
**       ***G**       N*               Thu Jan  1 10:05    gone - no logout
**       *6****       **               Thu Jan  1 01:16    gone - no logout
**       **_+**       **               Thu Jan  1 10:05    gone - no logout
U*       **)*J*       **               Thu Jan  1 10:02    gone - no logout
**       **d|3*       \*               Thu Jan  1 10:04    gone - no logout
**       ***fn*       **               Thu Jan  1 10:02    gone - no logout
**       ***R`*       **               Thu Jan  1 10:06    gone - no logout
w*       **B*A*       **               Thu Jan  1 10:02    gone - no logout
**       **7**       *~               Thu Jan  1 10:02    gone - no logout
Z*       ******       **               Thu Jan  1 10:02    gone - no logout
e*       *vq*_*       **               Thu Jan  1 10:03    gone - no logout
%*       *6L*E*       v*               Thu Jan  1 10:03    gone - no logout
3*       **aC**       **               Thu Jan  1 10:05    gone - no logout
-*       **b*J*       **               Thu Jan  1 10:05    gone - no logout
**       *f*!Q*       **               Thu Jan  1 10:04    gone - no logout
**       **3***       **               Thu Jan  1 10:05    gone - no logout
**       ***&**       b*               Thu Jan  1 10:02    gone - no logout
**       *f+p**       **               Thu Jan  1 10:05    gone - no logout
k*       ***f**       **               Thu Jan  1 10:04    gone - no logout
**       *v****       "*               Thu Jan  1 10:04    gone - no logout
&*       *v*b**       **               Thu Jan  1 10:05    gone - no logout
m*       ****3*       J*               Thu Jan  1 10:05    gone - no logout
**       *V****       **               Thu Jan  1 10:05    gone - no logout
?*       **{B**       **               Thu Jan  1 10:05    gone - no logout
<*       ******       **               Thu Jan  1 10:02    gone - no logout
**       ***M**       **               Thu Jan  1 10:03    gone - no logout
**       ***[**       **               Thu Jan  1 10:02    gone - no logout
```

As you can imagine, none of these users exist on our server - even the timestamp is broken, and using the parameters -ad shows obviously invalid IP addresses.

We can't explain that to ourselves - maybe you can help us?

Cheers,

Cle.o

----------

## eccerr0r

Well, it definitely looks corrupt... likely someone or something did a number on your wtmp file.

Make sure you're not seeing bad sectors on the hard drive that might also cause bad behavior of the machine.

A lot of times intruders mess with utmp/wtmp files to hide their presence, which is easy if they get root access or utmp group access... Usually when someone gets access they want to keep access, so look for rootkits and such.

----------
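One way to check a wtmp file for the kind of damage both posts describe (name fields made of non-printable bytes, 1970-era timestamps, record types that do not exist) is to parse the records directly instead of trusting `last`. The script below is an added example and is not code from either poster; it assumes the glibc struct utmp layout used on x86_64 Linux (384-byte records), and the sample records in `build_sample()` are constructed here, not taken from the poster's machine. 1 January 1970 was a Thursday, so a zeroed or trashed `tv_sec` prints as "Thu Jan 1" exactly like the lines above.

```python
"""Integrity check for a wtmp file (added example, not from the thread).

Assumes the glibc struct utmp layout on x86_64 Linux: 384-byte records.
The records built in build_sample() are constructed test data.
"""
import struct
import sys
import time

# glibc x86_64 struct utmp: short ut_type, 2 bytes padding, int ut_pid,
# char ut_line[32], char ut_id[4], char ut_user[32], char ut_host[256],
# struct exit_status (2 x short), int32 ut_session, int32 tv_sec,
# int32 tv_usec, int32 ut_addr_v6[4], char reserved[20]  -> 384 bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

USER_PROCESS = 7            # a normal interactive login record
VALID_TYPES = range(0, 10)  # EMPTY(0) .. ACCOUNTING(9) as defined in <utmp.h>
# Anything before 2000-01-01 is treated as bogus: near-zero tv_sec values are
# the 1970 epoch leaking through, which `last` shows as "Thu Jan 1".
MIN_PLAUSIBLE_TS = 946_684_800


def _cstr(raw):
    """Bytes up to the first NUL, the way the C utilities read these fields."""
    end = raw.find(b"\x00")
    return raw if end < 0 else raw[:end]


def _printable(s):
    return all(0x20 <= b < 0x7F for b in s)


def check_record(rec, now):
    """Return the list of problems for one unpacked record (empty if sane)."""
    (ut_type, _pid, line, _id, user, host, _term, _exit, _sess,
     tv_sec, tv_usec, *_addr, _res) = rec
    problems = []
    if ut_type not in VALID_TYPES:
        problems.append(f"ut_type {ut_type} is not a defined utmp record type")
    for name, raw in (("ut_line", line), ("ut_user", user), ("ut_host", host)):
        if not _printable(_cstr(raw)):
            problems.append(f"{name} contains non-printable bytes: {_cstr(raw)!r}")
    if ut_type == USER_PROCESS and not _cstr(user):
        problems.append("login record without a user name")
    if not (MIN_PLAUSIBLE_TS <= tv_sec <= now + 86400):
        problems.append(f"implausible timestamp tv_sec={tv_sec}")
    if not (0 <= tv_usec < 1_000_000):
        problems.append(f"tv_usec {tv_usec} out of range")
    return problems


def check_wtmp(data, now=None):
    """Scan raw wtmp bytes; return [(record_index, [problems...]), ...].

    Index -1 marks file-level problems. `now` defaults to the wall clock and
    exists so the upper timestamp bound can be pinned in tests.
    """
    now = time.time() if now is None else now
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append((-1, [f"size {len(data)} is not a multiple of {UTMP_SIZE}: "
                              "truncated record or a different utmp layout"]))
    for i in range(len(data) // UTMP_SIZE):
        problems = check_record(struct.unpack_from(UTMP_FMT, data, i * UTMP_SIZE), now)
        if problems:
            findings.append((i, problems))
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; struct.pack NUL-pads the char arrays for us."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, b"ts/0", user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def build_sample():
    """Constructed wtmp image: a healthy login, a trashed record (garbage names,
    1970 timestamp), a record with an impossible type, and 10 stray bytes."""
    good = make_record(USER_PROCESS, 1234, b"pts/0", b"alice", b"10.0.2.15", 1_699_990_000)
    trashed = make_record(USER_PROCESS, 4242, b"\xff*", b")*\x01\x03O\x07", b"", 36_120)
    bad_type = make_record(31337, 99, b"pts/1", b"bob", b"", 1_699_990_100)
    return good + trashed + bad_type + b"\x00" * 10


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/wtmp"
    with open(path, "rb") as fh:
        findings = check_wtmp(fh.read())
    for idx, problems in findings:
        where = "file" if idx < 0 else f"record {idx}"
        for p in problems:
            print(f"{where}: {p}")
    print(f"{len(findings)} suspicious entries")
```

Run it against a copy of `/var/log/wtmp` (and any rotated `wtmp.1`), or against `build_sample()` to see what the three failure modes look like. A file whose size is not a multiple of 384 on a 64-bit glibc system is itself a sign of truncation or a foreign writer; a run of consecutive records with garbage in every field points at a block-level problem (bad sectors, as eccerr0r suggests) more than at selective editing, whereas single records that are removed or zeroed while their neighbours stay intact are the pattern to expect from someone cleaning up after themselves.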

