
BLU Discuss list archive



Strange connections on login.



On the alt.os.linux.mandrake list mr e reported strange results from his
computer and asked if others had similar results.

Running 'last -aidx'  I get the same results that he did, i.e. a connection 
to 143.132.4.8 on login.  

david    pts/0        Tue Jan 14 07:27   still logged in    0.0.0.0
david    :0           Tue Jan 14 07:26    gone - no logout  143.132.4.8
runlevel (to lvl 5)   Tue Jan 14 07:24 - 08:04  (00:40)     0.0.0.0
reboot   system boot  Tue Jan 14 07:24          (00:40)     0.0.0.0
shutdown system down  Tue Jan 14 06:51 - 08:04  (01:13)     0.0.0.0
runlevel (to lvl 6)   Tue Jan 14 06:51 - 06:51  (00:00)     0.0.0.0
david    pts/0        Tue Jan 14 05:35 - down   (01:15)     0.0.0.0
david    :0           Tue Jan 14 05:34 - down   (01:16)     143.132.4.8
runlevel (to lvl 5)   Tue Jan 14 05:29 - 06:51  (01:21)     0.0.0.0
reboot   system boot  Tue Jan 14 05:29          (01:21)     0.0.0.0
shutdown system down  Mon Jan 13 07:38 - 06:51  (23:13)     0.0.0.0
runlevel (to lvl 0)   Mon Jan 13 07:37 - 07:38  (00:00)     0.0.0.0
david    pts/0        Mon Jan 13 06:04 - down   (01:33)     0.0.0.0
david    :0           Mon Jan 13 06:03 - down   (01:33)     143.132.4.8
runlevel (to lvl 5)   Mon Jan 13 06:02 - 07:37  (01:34)     0.0.0.0
reboot   system boot  Mon Jan 13 06:02          (01:34)     0.0.0.0

I have two computers that show this behavior and two that don't.   The two 
that do are dual-boot (Linux/W2K) and I use the NT Bootloader on both 
computers.  

Here's the strange part. I did a fresh install of Mandrake 9.0 on my laptop, 
which showed the above log before the new install, with no network 
connection.  Using the  freshly made bootdisk,  I did not get this  :0  line 
in the 'last -aidx' output.   However, when I set up the NTBootloader to boot 
into Linux, this line came back but to a different location which resolved to 
a Genuity address (8.27.1.64)  using arin whois.  143.132.4.8 apparently 
traceroutes to an ARMY.MIL site.  Interestingly, rebooting with the floppy 
bootdisk, now shows this line. 'who' also shows the :0 session, which I have 
not seen before.

I am really curious what is doing this.  I keep my virus protection current 
in W2K but maybe it's not a virus.  Who knows maybe M$ has pushed code into 
their bootloader to check for linux.  I might try going back to putting LILO 
in the MBR.

Any clues?

-- 
 .david
 David Lapointe
"A mind stretched to a new idea never returns to its original dimensions"
Oliver Wendell Holmes
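
A way to check other machines for the same pattern, as an added example that is not part of the original post: the script below parses `last -aidx` output and counts sessions on a local line (an X display such as `:0`, or a virtual console) whose address column is not `0.0.0.0`. `last` prints that column from the address field stored in the wtmp record, so a hit marks a record to examine and is not by itself evidence of network traffic. The function names are hypothetical, and the rule that local lines should show `0.0.0.0` is an assumption taken from the unaffected entries in the listing above.

```python
import ipaddress
from collections import Counter

# Constructed sample: a few lines copied from the `last -aidx` listing in the post.
SAMPLE = """\
david    pts/0        Tue Jan 14 07:27   still logged in    0.0.0.0
david    :0           Tue Jan 14 07:26    gone - no logout  143.132.4.8
runlevel (to lvl 5)   Tue Jan 14 07:24 - 08:04  (00:40)     0.0.0.0
reboot   system boot  Tue Jan 14 07:24          (00:40)     0.0.0.0
david    :0           Tue Jan 14 05:34 - down   (01:16)     143.132.4.8
"""

# Pseudo-entries that `last -x` adds; they are not user sessions.
PSEUDO_USERS = {"runlevel", "reboot", "shutdown"}


def is_local_line(tty):
    """True for X displays (:0) and virtual consoles (tty1), not pts/N or ttyS0."""
    return tty.startswith(":") or (tty.startswith("tty") and tty[3:].isdigit())


def parse(text):
    """Yield (user, tty, address) per session line; -a puts the address last."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0] in PSEUDO_USERS:
            continue
        try:
            addr = ipaddress.ip_address(fields[-1])
        except ValueError:
            continue  # trailer such as "wtmp begins ..." or a hostname column
        yield fields[0], fields[1], addr


def suspicious_local_sessions(text):
    """Count local sessions recorded with a non-zero address."""
    hits = Counter()
    for user, tty, addr in parse(text):
        if is_local_line(tty) and not addr.is_unspecified:
            hits[(user, tty, str(addr))] += 1
    return hits


if __name__ == "__main__":
    for (user, tty, addr), n in suspicious_local_sessions(SAMPLE).items():
        print(f"{user} on {tty}: {n} record(s) with address {addr}")
```
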




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
