"last" handles IPv6 in utmp/wtmp correctly as far as I know, but I also know that ssh did not in previous versions at least. Not sure what current versions do.
So I guess last just shows you what actually is logged in /var/log/wtmp, and if it's junk, it's junk ...
I may have been jumping to conclusions.
I think the culprit is sessreg being called by gdm when someone logs in here is some output
last c511094 mc3273.uad.a mc3273.uad.ac.uk Thu Apr 7 09:18 - 09:19 (00:01)
last -i
c511094 mc3273.uad.a 112.191.21.64 Thu Apr 7 09:18 - 09:19 (00:01)
(the ip should be 193.60.161.86)Have looked at wtmp and yes you are right the false ip is in there.
-- Jason Cormie
signature.asc
Description: OpenPGP digital signature
