Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] /var/log/wtmp hacked or not?
  • From: Benedikt Wilbertz <Benedikt.Wilbertz@xxxxxxxxxxxx>
  • Date: Thu, 24 Jan 2002 20:01:45 +0100
  • Message-id: <3C505A19.1070304@xxxxxxxxxxxx>
Martin Leweling wrote:

[...]

>
>I've got the impression that the bug may not be related to reiserfs on /var.
>Seen it on one of my servers (SuSE 7.2), too:
>X******* ****X******* X*******X******* Sun Apr 7 02:37 - 01:00 (-1557+-1:-3
>
>This machine was a fresh CD install, no open ports, only network
>connection was to fetch and install updates, only me logged in
>until the first reboot. Which makes a security breach highly unlikely, I
>should think. Only /home was running reiserfs, the other partitions
>were ext2.
>
>I could think of other possible sources for these corrupted entries:
>Bug in KDM? X? Last? Problem with high user-ids? (somehow SuSE 7.2
>likes to reset ownership in home directories to id modulo 65534 after
>reboot).
>
While monitoring /var/log/wtmp with tail -f, I discovered, that the use
of netdate added some strange characters to that file,
which could lead to such an corrupted output of last.

I tested it on SuSE 7.2, 2.2.19 with the netdate.rpm of both, SuSE 7.2
and 7.3.

Perhaps anyone can confirm this discovery.

Benedikt Wilbertz




< Previous Next >
Follow Ups