Yohei, Martin Knipper wrote:
Hi all,
I was running chkrootkit (www.chkrootkit.org) two days ago and everything seemed to be normal output, except this:
[...] Checking `wted'... 2 deletion(s) between Tue Apr 16 18:11:18 2002 and Thu Apr 18 21:43:32 2002
[...] wted is a quite common tool in the cracker scene for clearing the wtmp/utmp from specific user entries. Chkrootkit's assumption of 2 deleted lines in these files is based on certain traces wted leaves behind. However, I've seen false positives for this with chkrootkit as well, so it's best to do some more checks before ringing the alarm bell. Also, make sure you use the latest version of chkrootkit. Clearing of traces of intrusions by deleting suspicious entries from various logfiles is called "sys phogging", "log phogging" or "de-logging", a common technique used by attackers to hide their tracks. There are countless tools out there for this purpose; wted is just one of them. wted also is part of many rootkits (for example the well-known Linux RootKit II/III).
regards ---Martin
Boris Lorenz
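As an added illustration of the "do some more checks" advice above (this is not code from the thread, from chkrootkit or from wted): the script below parses the Linux glibc wtmp record format and applies two heuristics for deleted entries. Both heuristics are assumptions about what a log cleaner leaves behind, not a description of chkrootkit's actual check: a run of all-zero records (a hole where records were nulled rather than the file rewritten), and a logout record on a tty that never had a login record (what remains when a user's login entry is dropped but the anonymous logout is left in place). The sample wtmp data is constructed inline; the function and constant names are mine.

```python
"""Scan a Linux wtmp file for traces left by log-cleaning tools.

Heuristics (assumptions; not chkrootkit's algorithm, not a description of wted):
  1. runs of all-zero records: a record that was nulled in place leaves a hole
     with ut_type == 0 and ut_tv.tv_sec == 0, which never occurs in a normal
     append-only wtmp.
  2. a DEAD_PROCESS (logout) on a line with no preceding USER_PROCESS (login):
     deleting a user's login record can leave the anonymous logout behind.
"""
import struct
import sys
import time
from collections import namedtuple

# glibc struct utmp on Linux x86/x86_64: 384 bytes, 32-bit ut_tv fields.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8

Record = namedtuple("Record", "type pid line user host sec")


def pack_record(ut_type, pid, line, user, host, sec):
    """Build one wtmp record (used only to construct the sample data below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Decode raw wtmp bytes into Records; a trailing partial record is ignored."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(Record(f[0], f[1], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]))
    return recs


def find_deletions(records):
    """Group runs of all-zero records; return (count, sec_before, sec_after)."""
    gaps, i, n = [], 0, len(records)
    while i < n:
        if records[i].type == EMPTY and records[i].sec == 0:
            start = i
            while i < n and records[i].type == EMPTY and records[i].sec == 0:
                i += 1
            before = records[start - 1].sec if start > 0 else None
            after = records[i].sec if i < n else None
            gaps.append((i - start, before, after))
        else:
            i += 1
    return gaps


def find_orphan_logouts(records):
    """Return (index, line, sec) for logouts whose line had no open login.

    Caveat: a rotated wtmp begins mid-session, and reboots close lines without
    a DEAD_PROCESS record, so orphans near the start of a file can be benign."""
    open_lines, orphans = set(), []
    for idx, r in enumerate(records):
        if r.type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.type == DEAD_PROCESS:
            if r.line in open_lines:
                open_lines.discard(r.line)
            else:
                orphans.append((idx, r.line, r.sec))
    return orphans


def fmt(sec):
    if sec is None:
        return "file boundary"
    return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(sec))


def report(data):
    """One finding per line, in the spirit of chkrootkit's wted output."""
    recs = parse_wtmp(data)
    out = ["%d deletion(s) between %s and %s" % (c, fmt(b), fmt(a))
           for c, b, a in find_deletions(recs)]
    out += ["record %d: logout on %s at %s with no matching login" % (i, l, fmt(s))
            for i, l, s in find_orphan_logouts(recs)]
    return out


# Constructed sample: April 2002 timestamps, two nulled records, one orphan logout.
T0 = 1019000000
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", T0),
    pack_record(USER_PROCESS, 1002, "pts/1", "bob", "10.0.0.9", T0 + 60),
    pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", T0 + 600),
    b"\0" * UTMP_SIZE,                       # nulled record
    b"\0" * UTMP_SIZE,                       # nulled record
    pack_record(DEAD_PROCESS, 1002, "pts/1", "", "", T0 + 900),
    pack_record(DEAD_PROCESS, 1003, "pts/2", "", "", T0 + 1000),  # login gone
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    print("\n".join(report(data)) or "no findings")
```

Run it as `python3 wtmp_check.py /var/log/wtmp` (root needed on some systems) and compare against `last -f /var/log/wtmp`; the struct layout assumes glibc on x86/x86_64, so on other libcs or architectures check `UTMP_SIZE` against `sizeof(struct utmp)` first.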