Hi all,

I was running chkrootkit (www.chkrootkit.org) two days ago and everything seemed to be normal output. Except this:

[...]
Checking `wted'... 2 deletion(s) between Tue Apr 16 18:11:18 2002 and Thu Apr 18 21:43:32 2002
3 deletion(s) between Thu Apr 18 22:30:05 2002 and Mon Dec 23 09:09:48 1935
10 deletion(s) between Sat Apr 20 12:04:47 2002 and Tue Apr 23 17:10:35 2002
4 deletion(s) between Tue Apr 23 23:56:43 2002 and Wed Apr 24 23:54:18 2002
[...]

Is there something I need to worry about?

regards
---Martin
Yohei, Martin Knipper wrote:
> Hi all,
> I was running chkrootkit (www.chkrootkit.org) two days ago and everything seemed to be normal output. Except this:
> [...] Checking `wted'... 2 deletion(s) between Tue Apr 16 18:11:18 2002 and Thu Apr 18 21:43:32 2002
> [...]
wted is a quite common tool in the cracker scene for clearing the wtmp/utmp of specific user entries. Chkrootkit's assumption of 2 deleted lines in these files is based on certain traces wted leaves behind. However, I've seen false positives for this with chkrootkit as well, so it's best to do some more checks before ringing the alarm bell. Also, make sure you use the latest version of chkrootkit.

Clearing traces of intrusions by deleting suspicious entries from various logfiles is called "sys phogging", "log phogging" or "de-logging", a common technique used by attackers to hide their tracks. There are countless tools out there for this purpose; wted is just one of them. wted is also part of many rootkits (for example the well-known Linux RootKit II/III).
> regards
> ---Martin
--
Boris Lorenz <bolo@lupa.de>
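To make the "N deletion(s) between T1 and T2" output discussed above concrete, here is an added example (written for this page; it is not chkrootkit's source and not wted) that scans a wtmp file in the Linux glibc `struct utmp` layout. It assumes that a log cleaner blanks records in place, so the trace it looks for is a run of all-zero records bracketed by the valid timestamps on either side; it additionally flags a record whose timestamp runs backwards, which is what a date like 1935 in an append-only wtmp suggests. The sample wtmp bytes, the user names and the timestamps are constructed here and are not taken from the thread.

```python
"""Scan a wtmp file for zeroed-out records and timestamps that run backwards.

Added illustration for this thread, not chkrootkit's chkwtmp. The zeroed-record
heuristic is an assumption about the trace left when an entry is blanked in place.
"""
import struct
import time
from typing import List, Optional, Tuple

# Linux glibc `struct utmp`: 384 bytes with explicit padding, little-endian (x86/x86-64).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>

Record = Tuple[int, str, str, int]     # (ut_type, ut_line, ut_user, tv_sec)


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one wtmp record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data: bytes) -> List[Optional[Record]]:
    """Split raw wtmp bytes into records; an all-zero record is returned as None."""
    records: List[Optional[Record]] = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        if chunk == b"\0" * UTMP_SIZE:
            records.append(None)  # blanked in place: the trace we are looking for
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        records.append((f[0], f[2].rstrip(b"\0").decode(errors="replace"),
                        f[4].rstrip(b"\0").decode(errors="replace"), f[9]))
    return records


def find_deletions(records: List[Optional[Record]]) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Count each run of zeroed records, bracketed by the valid timestamps around it.
    None as a bracket means the run touches the start or end of the file."""
    out, before, run = [], None, 0
    for rec in records:
        if rec is None:
            run += 1
            continue
        if run:
            out.append((run, before, rec[3]))
            run = 0
        before = rec[3]
    if run:
        out.append((run, before, None))
    return out


def find_backward_timestamps(records: List[Optional[Record]]) -> List[Tuple[int, int, int]]:
    """Index, previous time and own time of every record dated earlier than its predecessor.
    wtmp is append-only, so this indicates corruption or tampering rather than normal use."""
    out, prev = [], None
    for idx, rec in enumerate(records):
        if rec is None:
            continue
        if prev is not None and rec[3] < prev:
            out.append((idx, prev, rec[3]))
        prev = rec[3]
    return out


def _fmt(ts: Optional[int], edge: str) -> str:
    return edge if ts is None else time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts))


def report(data: bytes) -> List[str]:
    """Human-readable findings in the same shape as the output quoted in the thread."""
    recs = parse_wtmp(data)
    lines = [f"{n} deletion(s) between {_fmt(b, '<start of file>')} and {_fmt(a, '<end of file>')}"
             for n, b, a in find_deletions(recs)]
    lines += [f"record {i}: time {_fmt(t, '')} is earlier than previous record {_fmt(p, '')}"
              for i, p, t in find_backward_timestamps(recs)]
    return lines


# Constructed sample: two logins, two blanked records, a later login, then a record
# whose clock runs backwards to 1970. T0 is an arbitrary epoch value in April 2002.
T0 = 1_018_980_000
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", T0),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", T0 + 600),
    b"\0" * UTMP_SIZE,
    b"\0" * UTMP_SIZE,
    make_record(USER_PROCESS, 1042, "pts/1", "bob", "10.0.0.9", T0 + 7200),
    make_record(USER_PROCESS, 1099, "pts/2", "carol", "10.0.0.7", 100),
])

if __name__ == "__main__":
    for line in report(SAMPLE_WTMP):
        print(line)
```

On a real system the same scan is `report(open("/var/log/wtmp", "rb").read())`; note that the record layout is the 384-byte glibc one, so a wtmp written by a different libc or architecture needs its own `UTMP_FMT`. Since Boris mentions false positives, treat either finding as a prompt to compare against other sources (sshd logs, process accounting, a trusted copy of the file) rather than as proof of intrusion by itself.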