/var/log/wtmp hacked or not?
Here is an excerpt of a last output on one of my servers, running SuSE 7.3, kernel 2.4.10 at that time, iptables (only suspicious entries listed):

****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10116+22:01
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10110+13:22
****0*** 0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39)
****0*** 0*******0*** ***** Thu Jan 1 01:00 - 01:00 (00:00)
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - 01:00 (-1557+-1:-3
****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39)
****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 01:00 (00:00)

./chkrootkit 0.35 says:

deletion(s) between Mon Nov 26 20:12:47 2001 and Mon Nov 26 21:37:23 2001
3 deletion(s) between Mon Nov 26 22:33:28 2001 and Mon Nov 26 23:36:26 2001
36 deletion(s) between Mon Nov 26 23:56:41 2001 and Tue Nov 27 04:52:53 2001
8 deletion(s) between Tue Nov 27 21:51:09 2001 and Wed Nov 28 00:43:39 2001
1 deletion(s) between Wed Nov 28 21:32:43 2001 and Thu Nov 29 00:53:53 2001
13 deletion(s) between Thu Nov 29 00:53:53 2001 and Thu Nov 29 05:11:14 2001
10 deletion(s) between Thu Nov 29 05:11:19 2001 and Sun Apr 7 02:39:04 1974
1 deletion(s) between Sun Apr 7 02:39:04 1974 and Mon Dec 3 00:13:33 2001
1 deletion(s) between Wed Dec 5 14:35:24 2001 and Thu Dec 6 00:13:11 2001
7 deletion(s) between Thu Dec 6 00:19:44 2001 and Thu Dec 6 02:27:55 2001
8 deletion(s) between Thu Dec 6 02:28:00 2001 and Fri Dec 7 08:52:34 2001
2 deletion(s) between Sun Apr 7 02:39:04 1974 and Tue Dec 11 15:09:46 2001

Well, chkrootkit is of course mixed up by the wrong dates (1974). Besides the tampered wtmp there seems to be nothing wrong. Could this be caused by some bug? I don't find anything suspicious in the logs. The faulty wtmp entries are within 14 days; after that there are no more faulty ones. What else could I do to check the system? Since there is nothing else wrong, I don't want to install everything from scratch when I am not sure it's hacked!?
thank you
At 17:04, Thursday 24 January 2002, Karsten Schell wrote:
Here is an excerpt of a last output on one of my servers, running SuSE 7.3, kernel 2.4.10 at that time, iptables (only suspicious entries listed):

****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10116+22:01
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10110+13:22
****0*** 0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39)
****0*** 0*******0*** ***** Thu Jan 1 01:00 - 01:00 (00:00)
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - 01:00 (-1557+-1:-3
****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39)
****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 01:00 (00:00)

./chkrootkit 0.35 says:

deletion(s) between Mon Nov 26 20:12:47 2001 and Mon Nov 26 21:37:23 2001
3 deletion(s) between Mon Nov 26 22:33:28 2001 and Mon Nov 26 23:36:26 2001
36 deletion(s) between Mon Nov 26 23:56:41 2001 and Tue Nov 27 04:52:53 2001
8 deletion(s) between Tue Nov 27 21:51:09 2001 and Wed Nov 28 00:43:39 2001
1 deletion(s) between Wed Nov 28 21:32:43 2001 and Thu Nov 29 00:53:53 2001
13 deletion(s) between Thu Nov 29 00:53:53 2001 and Thu Nov 29 05:11:14 2001
10 deletion(s) between Thu Nov 29 05:11:19 2001 and Sun Apr 7 02:39:04 1974
1 deletion(s) between Sun Apr 7 02:39:04 1974 and Mon Dec 3 00:13:33 2001
1 deletion(s) between Wed Dec 5 14:35:24 2001 and Thu Dec 6 00:13:11 2001
7 deletion(s) between Thu Dec 6 00:19:44 2001 and Thu Dec 6 02:27:55 2001
8 deletion(s) between Thu Dec 6 02:28:00 2001 and Fri Dec 7 08:52:34 2001
2 deletion(s) between Sun Apr 7 02:39:04 1974 and Tue Dec 11 15:09:46 2001

Well, chkrootkit is of course mixed up by the wrong dates (1974).
Besides the tampered wtmp there seems to be nothing wrong. Could this be caused by some bug? I don't find anything suspicious in the logs. The faulty wtmp entries are within 14 days; after that there are no more faulty ones. What else could I do to check the system? Since there is nothing else wrong, I don't want to install everything from scratch when I am not sure it's hacked!? Thank you
If you are using reiserfs, it is a wtmp corruption which can occur. I have had the same situation once or twice. Even tripwire did not find anything. So I think that there is a *real* chance it is a bug somewhere.

Praise
Hello Praise,

Thursday, January 24, 2002, 6:25:14 PM, you wrote:

P> If you are using reiserfs, it is a wtmp corruption which can occur. I have
P> had the same situation once or twice. Even tripwire did not find anything.
P> So I think that there is a *real* chance it is a bug somewhere.

I hope it's a bug, but I have to be sure! No, I don't use reiserfs on this system, just plain ext2. I have another similar system with SuSE 7.3, where reiserfs is installed. This system has no wtmp errors...

--
Best regards,
Karsten mailto:efbiei@gmx.de
Hi,

On Thursday 24 January 2002 18:25, Praise wrote:

At 17:04, Thursday 24 January 2002, Karsten Schell wrote:
Here is an excerpt of a last output on one of my servers, running SuSE 7.3, kernel 2.4.10 at that time, iptables (only suspicious entries listed):
/* long last and chrootkit output deleted */
Well, chkrootkit is of course mixed up by the wrong dates (1974).
Besides the tampered wtmp there seems to be nothing wrong. Could this be caused by some bug? I don't find anything suspicious in the logs. The faulty wtmp entries are within 14 days; after that there are no more faulty ones. What else could I do to check the system? Since there is nothing else wrong, I don't want to install everything from scratch when I am not sure it's hacked!? Thank you

If you are using reiserfs, it is a wtmp corruption which can occur. I have had the same situation once or twice. Even tripwire did not find anything. So I think that there is a *real* chance it is a bug somewhere.
I've got the impression that the bug may not be related to reiserfs on /var. Seen it on one of my servers (SuSE 7.2), too:

X******* ****X******* X*******X******* Sun Apr 7 02:37 - 01:00 (-1557+-1:-3

This machine was a fresh CD install, no open ports, the only network connection was to fetch and install updates, only me logged in until the first reboot. Which makes a security breach highly unlikely, I should think. Only /home was running reiserfs; the other partitions were ext2.

I could think of other possible sources for these corrupted entries: Bug in KDM? X? last? Problem with high user-ids? (Somehow SuSE 7.2 likes to reset ownership in home directories to id modulo 65534 after reboot.) Well, at least I am pretty sure that it's not the footprint of a rootkit.

Regards,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Martin Leweling wrote: [...]
I've got the impression that the bug may not be related to reiserfs on /var.
Seen it on one of my servers (SuSE 7.2), too:

X******* ****X******* X*******X******* Sun Apr 7 02:37 - 01:00 (-1557+-1:-3
This machine was a fresh CD install, no open ports, the only network connection was to fetch and install updates, only me logged in until the first reboot. Which makes a security breach highly unlikely, I should think. Only /home was running reiserfs; the other partitions were ext2.
I could think of other possible sources for these corrupted entries: Bug in KDM? X? last? Problem with high user-ids? (Somehow SuSE 7.2 likes to reset ownership in home directories to id modulo 65534 after reboot.)

While monitoring /var/log/wtmp with tail -f, I discovered that the use of netdate added some strange characters to that file, which could lead to such a corrupted output of last. I tested it on SuSE 7.2, 2.2.19, with the netdate.rpm of both SuSE 7.2 and 7.3. Perhaps anyone can confirm this discovery.

Benedikt Wilbertz
At 20:01, Thursday 24 January 2002, Benedikt Wilbertz wrote:
While monitoring /var/log/wtmp with tail -f, I discovered that the use of netdate added some strange characters to that file, which could lead to such a corrupted output of last.
I tested it on SuSE 7.2, 2.2.19, with the netdate.rpm of both SuSE 7.2 and 7.3.
Perhaps anyone can confirm this discovery.
Benedikt Wilbertz
Yes, it's happening here too. I am using SuSE 7.1 with kernel 2.4.16, but it was the same with older kernels. I have also noticed that when I try last just after netdate, the output is almost empty (i.e., only the time when wtmp starts is reported). Btw, it comes back if I log in after netdate. So it looks like there must be a bug in netdate after all!

Praise
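A defender-side check for the kind of wtmp damage discussed in this thread, added here as an example and not code from any of the posters: it parses the raw utmp records that last reads (the glibc layout, 384 bytes per record, as on i386 Linux) and flags entries whose name fields contain non-printable bytes, whose timestamps fall outside the machine's service life, or whose timestamps run backwards in an append-only log. The sample records, the 1974 date and the service-life window are constructed for the demonstration.

```python
import struct
from calendar import timegm

# glibc struct utmp as stored in /var/log/wtmp on i386 Linux: 384 bytes, little-endian
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS = 2, 7  # ut_type values used in the sample below

def make_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Pack one utmp record (used here only to build sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, ident, user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Split raw wtmp bytes into dicts; a trailing partial record is dropped."""
    cstr = lambda b: b.split(b"\0", 1)[0]  # C string: stop at the first NUL
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                     "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]})
    return recs

def audit_wtmp(data, not_before, not_after):
    """Return [(record index, [problems])] for records that look corrupted."""
    findings, prev_time = [], None
    for i, r in enumerate(parse_wtmp(data)):
        problems = []
        for name in ("user", "line", "host"):  # last prints these as '*' garbage
            if any(c < 32 or c > 126 for c in r[name]):
                problems.append(f"{name} has non-printable bytes")
        if not not_before <= r["time"] <= not_after:  # e.g. 1974 or the 1970 epoch
            problems.append("timestamp outside expected window")
        if prev_time is not None and r["time"] < prev_time - 3600:  # wtmp is append-only
            problems.append("timestamp earlier than previous record")
        prev_time = r["time"]
        if problems:
            findings.append((i, problems))
    return findings

# Constructed sample: a reboot, a root login, then a record shaped like the
# corrupted entries in the thread (binary garbage in the name, dated 7 Apr 1974).
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, b"~", b"~~", b"reboot", b"2.4.10", timegm((2001, 11, 26, 19, 12, 47))),
    make_record(USER_PROCESS, 1234, b"tty1", b"1", b"root", b"", timegm((2001, 11, 26, 20, 13, 0))),
    make_record(USER_PROCESS, 0, b"\x05**0\xff*", b"\xff\xff", b"\x01***0\x7f**", b"",
                timegm((1974, 4, 7, 1, 39, 4))),
])
WINDOW = (timegm((2001, 11, 1, 0, 0, 0)), timegm((2002, 2, 1, 0, 0, 0)))  # machine's service life
```

Run it against a real file with `audit_wtmp(open("/var/log/wtmp", "rb").read(), *WINDOW)`; a hit only says the record is malformed, which fits both the netdate bug reported here and deliberate editing, so it is a reason to look further, not a verdict.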
Hi,

On Thu, 24 Jan 2002, Praise wrote:
Perhaps anyone can confirm this discovery.
Same here - noticed it on 7.1 and 7.2. Didn't occur on 6.4 boxes.

Matthias

--
Matthias Schloegel
University of Technology Vienna
Inst. f. Information Systems, Knowledge Based Systems Group
Favoritenstr. 9-11, A-1040 Vienna, AUSTRIA
email : matthias@kr.tuwien.ac.at