Cybersecurity

every time, root (or any other user) logs into the system (Suse 9.3 Linux mail server) a connection to a foreign ip (96.124.236.183) shows up.
It shows up even when I plug out the network cable and then restart the system.

I don't know if this is a security hole and how to find out more about it.

Thanks,
Simon

Code:

last -i

root     pts/1        0.0.0.0          Thu Jul 22 13:35   still logged in   
root     pts/0        0.0.0.0          Thu Jul 22 13:34   still logged in   
root     :0           96.124.236.183   Thu Jul 22 13:34   still logged in   
root     :0           0.0.0.0          Thu Jul 22 13:34 - 13:34  (00:00)    
root     pts/2        0.0.0.0          Thu Jul 22 12:06 - 12:08  (00:01)    
root     pts/1        0.0.0.0          Thu Jul 22 12:06 - 12:08  (00:02)    
root     :0           96.124.236.183   Thu Jul 22 12:05 - 12:08  (00:02)    
root     :0           0.0.0.0          Thu Jul 22 12:05 - 12:05  (00:00)    
reboot   system boot  0.0.0.0          Thu Jul 22 14:04          (00:-24)   
root     pts/1        0.0.0.0          Thu Jul 22 11:59 - 12:01  (00:01)    
root     pts/1        0.0.0.0          Thu Jul 22 11:53 - 11:59  (00:06)    
root     pts/0        0.0.0.0          Thu Jul 22 11:53 - 12:03  (00:10)    
root     :0           96.124.236.183   Thu Jul 22 11:52 - 12:03  (00:10)    
root     :0           0.0.0.0          Thu Jul 22 11:52 - 11:52  (00:00)    
reboot   system boot  0.0.0.0          Thu Jul 22 13:51          (-1:-48)   

last -a

root     pts/1        Thu Jul 22 13:35   still logged in    
root     pts/0        Thu Jul 22 13:34   still logged in    
root     :0           Thu Jul 22 13:34   still logged in    console
root     :0           Thu Jul 22 13:34 - 13:34  (00:00)     
root     pts/2        Thu Jul 22 12:06 - 12:08  (00:01)

---------- Post updated 23-07-10 at 02:22 PM ---------- Previous update was 22-07-10 at 02:53 PM ----------

Do you need more information? Is my problem to trivial?


I really would like to understand why this ip address appears at each log in. And further how much of a security issue this might be.

The second column is the type of terminal: tty for physical console, pts for pseudo-ttys and colon+integer notation you may remember from dealing with X11/Xorg. So these lines would signify not a connection to but from that system to the first X session on your mail server (aka the perceived "victim") as root account user.


- First of all (IIGC) SUSE Linux 9.3 reached EOL in the second quarter of 2007. Running a deprecated, no longer maintained and possibly vulnerable distribution release is bad (and that's an understatement).
- Secondly why a mail server should be running X11/Xorg anyway AND without any denying root logins over the network is beyond me.
- While there may be a chance there is a bug in your version of 'last' (I vaguely remember one in the RH version) I hope that, given the apparent speed this forum moves at, you did not wait but at least 0) used the firewall to deny access to the machine if this IP address does not have any business with your machine and 1) changed all passwords and 2) shut down X Windows?
- Does the IP address show up in other system or daemon logs? If so, how far back?
- Does your mail server actually run X Windows?
- Have you done any fact finding already like verifying integrity of the machine, examining configuration of network-reachable services, checking user accounts and examining system and daemon log files?

If you haven't done anything yet then it would be beneficial to consider the machine off-limits for the duration of your investigation (for all users) and to read the backup copy of the CERT/CC Intruder Detection Checklist before doing anything else. If you're ready to answer questions please be as verbose as possible.