Hi,

On Thursday 24 January 2002 18:25, Praise wrote:
At 17:04, Thursday 24 January 2002, Karsten Schell wrote:
Here is an excerpt of the output of last on one of my servers, running SuSE 7.3, kernel 2.4.10 at that time, iptables (only suspicious entries listed):
/* long last and chkrootkit output deleted */
Well, chkrootkit is of course mixed up by the wrong dates (1974).
Besides the tampered wtmp there seems to be nothing wrong. Could this be caused by some bug? I don't find anything suspicious in the logs. The faulty wtmp entries are within 14 days; after that there are no more faulty ones. What else could I do to check the system? Since there is nothing else wrong, I don't want to install everything from scratch when I am not sure it's hacked!? Thank you.
If you are using reiserfs, it is a wtmp corruption which can occur. I have had the same situation once or twice. Even tripwire did not find anything. So I think that there is a *real* chance it is a bug somewhere.

Praise

I've got the impression that the bug may not be related to reiserfs on /var. Seen it on one of my servers (SuSE 7.2), too:

X******* ****X******* X*******X******* Sun Apr 7 02:37 - 01:00 (-1557+-1:-3

This machine was a fresh CD install, no open ports, the only network connection was to fetch and install updates, only me logged in until the first reboot. Which makes a security breach highly unlikely, I should think. Only /home was running reiserfs; the other partitions were ext2. I could think of other possible sources for these corrupted entries: a bug in KDM? X? last? A problem with high user IDs? (Somehow SuSE 7.2 likes to reset ownership in home directories to id modulo 65534 after reboot.) Well, at least I am pretty sure that it's not the footprint of a rootkit.
Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
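The kind of wtmp check Karsten is asking for, as an added example that is not part of the original messages: it parses wtmp in the glibc record layout that last reads on x86/x86-64 Linux (384-byte little-endian records; other architectures differ) and flags the symptoms described in the thread, i.e. timestamps outside the window in which the machine has existed (the 1974 entries), logouts dated before their own login (which last prints as a negative duration), and ut_type values that <utmp.h> does not define. The plausibility window, the record builder and the sample records are assumptions constructed here, not data from anyone's server.

```python
"""Sanity-check a Linux wtmp file for corrupt records (added example, not from the thread)."""
import struct
import sys
import time
from typing import Dict, List, NamedTuple, Tuple

# glibc 'struct utmp' as written by login/init on Linux x86 and x86-64 (little-endian,
# 384 bytes): ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8
KNOWN_TYPES = set(range(10))  # EMPTY .. ACCOUNTING as defined in <utmp.h>


class Record(NamedTuple):
    index: int
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    ts: int  # ut_tv.tv_sec


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> List[Record]:
    """Split raw wtmp bytes into records. A length that is not a whole number of
    records is itself a sign of truncation or corruption, so it is reported."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for i in range(len(data) // UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE])
        records.append(Record(i, f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return records


def find_anomalies(records: List[Record], floor_ts: int, ceiling_ts: int) -> List[Tuple[str, Record]]:
    """Flag records that last would render oddly: timestamps outside the window in
    which the box has existed, logouts dated before their login (negative durations),
    and ut_type values that <utmp.h> does not define."""
    problems = []
    open_logins: Dict[str, Record] = {}
    for r in records:
        if r.ut_type not in KNOWN_TYPES:
            problems.append(("unknown ut_type %d" % r.ut_type, r))
        if r.ut_type != EMPTY and not floor_ts <= r.ts <= ceiling_ts:
            problems.append(("timestamp outside plausible window", r))
        if r.ut_type == USER_PROCESS:
            open_logins[r.line] = r
        elif r.ut_type == DEAD_PROCESS:
            login = open_logins.pop(r.line, None)
            if login is not None and r.ts < login.ts:
                problems.append(("logout %d s before login on %s" % (login.ts - r.ts, r.line), r))
    return problems


def build_record(ut_type, pid, line, user, host, ts) -> bytes:
    """Pack one record in the same layout (used only to construct the sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample (assumed, not real data): a reboot and a clean login/logout pair,
# then a logout stamped 1974-01-01 00:00 UTC (126230400) and a record whose ut_type is
# garbage. The plausibility window is January 2002, i.e. the install date onwards.
FLOOR_TS, CEILING_TS = 1009843200, 1012521600  # 2002-01-01 .. 2002-02-01 UTC
SAMPLE_WTMP = b"".join([
    build_record(BOOT_TIME, 0, "~", "reboot", "2.4.10", 1009900000),
    build_record(USER_PROCESS, 1234, "tty1", "karsten", "", 1009903600),
    build_record(DEAD_PROCESS, 1234, "tty1", "", "", 1009907200),
    build_record(USER_PROCESS, 1300, "tty2", "root", "", 1009910000),
    build_record(DEAD_PROCESS, 1300, "tty2", "", "", 126230400),
    build_record(42, 0, "", "", "", 1009920000),
])

if __name__ == "__main__":
    # Usage: python wtmpcheck.py /var/log/wtmp   (falls back to the sample without an argument)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for reason, r in find_anomalies(parse_wtmp(data), FLOOR_TS, CEILING_TS):
        print("#%d %-8s %-12s %s: %s" % (r.index, r.line, r.user,
              time.strftime("%Y-%m-%d %H:%M", time.gmtime(r.ts)), reason))
```

Run it against a copy of /var/log/wtmp and set the window to the day the machine was installed; records that land outside it, or that log out before they logged in, are the ones to compare with the last output. Note that this tells you only that wtmp is inconsistent, not why: a filesystem bug and a tampered log look the same here, which is why the thread ends up checking other evidence (open ports, tripwire, fresh install) rather than wtmp alone.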