Security Incidents mailing list archives

Re: Openbsd 3.2 wtmp delay and named backdoor


From: Valdis.Kletnieks () vt edu
Date: Mon, 20 Jan 2003 00:34:51 -0500

On Wed, 15 Jan 2003 14:19:52 GMT, Eric Weaver <internet () whttp com>  said:
> Can anyone explain what would cause a wtmp delay like this? Notice I am
> invisible, until the third iteration of 'w'. I hope this is nothing more
> than some sort of filesystem lag or sshd delay.

Does your system use a 'utempter' type program to write to utmp?

> <suser@silver:/home/suser:3>$ w
>  5:37AM  up 5 days,  1:35, 0 users, load averages: 0.42, 0.16, 0.10
> USER    TTY FROM              LOGIN@  IDLE WHAT
> <suser@silver:/home/suser:4>$ w
>  5:37AM  up 5 days,  1:36, 1 user, load averages: 0.38, 0.15, 0.10
> USER    TTY FROM              LOGIN@  IDLE WHAT
> suser    p0 192.168.25.104    5:37AM     0 w

If so, it may have been busy trying to do an eventually-failed PTR
lookup for your 1918-space address (note the 192.168.25.104 rather than
a hostname)...


-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
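A quick way to test the hypothesis in the reply above (a utmp writer stalled on a reverse lookup of an RFC 1918 source address) is to classify the address and time the PTR query yourself. This is an added example, not code from the thread; the sample address is the one shown in the quoted 'w' output, and the function names are the author's own.

```python
"""Check whether a slow or failed reverse (PTR) lookup of a login source
address could explain a delayed utmp entry. Added example, not part of
the original mailing-list thread."""
import ipaddress
import socket
import time

# Constructed sample: the FROM address shown in the quoted 'w' output.
SAMPLE_ADDR = "192.168.25.104"


def is_rfc1918(addr: str) -> bool:
    """True if addr is in the RFC 1918 ranges 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("172.16.0.0/12"),
            ipaddress.ip_network("192.168.0.0/16"))
    return ip.version == 4 and any(ip in n for n in nets)


def ptr_name(addr: str) -> str:
    """The in-addr.arpa name the resolver asks for when reverse-mapping addr."""
    return ipaddress.ip_address(addr).reverse_pointer


def timed_ptr_lookup(addr: str):
    """Return (hostname or None, elapsed seconds).

    None after several seconds is the 'eventually-failed PTR lookup' from the
    reply; the elapsed time is roughly how long a name-resolving utmp writer
    would stall before the session shows up in 'w'. Needs a resolver, so it
    is not exercised offline.
    """
    start = time.perf_counter()
    try:
        host = socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        host = None
    return host, time.perf_counter() - start


if __name__ == "__main__":
    print(f"{SAMPLE_ADDR}: private={is_rfc1918(SAMPLE_ADDR)} "
          f"query={ptr_name(SAMPLE_ADDR)}")
    name, secs = timed_ptr_lookup(SAMPLE_ADDR)
    print(f"PTR result={name!r}, took {secs:.2f}s")
```

If the lookup takes seconds and returns None, the fix is a local PTR zone for the private range (or a utmp writer that does not resolve names), not anything on the filesystem or in sshd.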
