Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] /var/log/wtmp hacked or not?
  • From: Martin Leweling <lewelin@xxxxxxxxxxxxxxx>
  • Date: Thu, 24 Jan 2002 19:23:33 +0100
  • Message-id: <20020124182331.6F7871194@xxxxxxxxxxxxxxxxxxxxxxxx>
Hi,

On Thursday 24 January 2002 18:25, Praise wrote:
> At 17:04, Thursday 24 January 2002, Karsten Schell wrote:
> > here is an excerpt of a last output on one of my servers, running SuSE 7.3,
> > kernel 2.4.10 at that time, iptables: (only suspicious entries listed)

/* long last and chkrootkit output deleted */

> >
> > Well, chkrootkit is of course mixed up by the wrong dates (1974).
> >
> > Besides the tampered wtmp there seems to be nothing wrong. Could this be
> > caused by some bug? I don't find anything suspicious in the logs. The
> > faulty wtmp entries are within 14 days; after that no more faulty ones.
> > What else could I do to check the system? Since there is nothing else
> > wrong I don't want to install everything from scratch when I am not sure
> > it's hacked!? Thank you
>
> If you are using reiserfs, it is a wtmp corruption which can occur. I have
> had the same situation once or twice. Even tripwire did not find anything.
> So I think that there is a *real* chance it is a bug somewhere.

I've got the impression that the bug may not be related to reiserfs on /var.
Seen it on one of my servers (SuSE 7.2), too:
X******* ****X******* X*******X******* Sun Apr 7 02:37 - 01:00 (-1557+-1:-3

This machine was a fresh CD install, no open ports, only network
connection was to fetch and install updates, only me logged in
until the first reboot. Which makes a security breach highly unlikely, I
should think. Only /home was running reiserfs, the other partitions
were ext2.

I could think of other possible sources for these corrupted entries:
Bug in KDM? X? Last? Problem with high user-ids? (somehow SuSE 7.2
likes to reset ownership in home directories to id modulo 65534 after
reboot).

Well, at least I am pretty sure that it's not the footprint of a rootkit.

> Praise

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
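The thread turns on whether garbled wtmp records (unprintable user names, impossible dates such as 1974) point to tampering or to filesystem corruption. The following added example, not code from anyone in this thread, walks the raw binary wtmp records and flags entries whose fields are implausible, so an administrator can see exactly which records are damaged rather than relying on `last`'s rendering. It assumes glibc's 384-byte `struct utmp` layout with a 32-bit `tv_sec` (the layout of the SuSE 7.x era x86 systems discussed here); the two sample records, the expected time window, and the login-name pattern are all constructed assumptions for the demonstration.

```python
"""Plausibility-check wtmp records to separate likely corruption from real logins."""
import re
import struct
from datetime import datetime, timezone

# Assumption: glibc struct utmp on Linux with 32-bit time fields, 384 bytes per record.
# Fields: ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
#         ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

USER_PROCESS, DEAD_PROCESS = 7, 8
KNOWN_TYPES = set(range(0, 10))          # EMPTY (0) .. ACCOUNTING (9)
LOGIN_NAME_RE = re.compile(rb"^[a-z_][a-z0-9_-]*$")  # assumed convention for login names


def cstr(raw):
    """Return the NUL-terminated prefix of a fixed-width C string field."""
    return raw.split(b"\x00", 1)[0]


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used here only to construct sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line, b"", user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(blob):
    """Split a wtmp byte string into records; also report any trailing partial bytes."""
    records = []
    usable = len(blob) - len(blob) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        records.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                        "user": cstr(f[4]), "host": cstr(f[5]), "tv_sec": f[9]})
    return records, len(blob) - usable


def suspicious(records, not_before, not_after):
    """Map record index -> list of reasons for every record that fails a plausibility check."""
    findings = {}
    for i, r in enumerate(records):
        reasons = []
        if r["type"] not in KNOWN_TYPES:
            reasons.append("unknown ut_type %d" % r["type"])
        if r["type"] in (USER_PROCESS, DEAD_PROCESS) and not LOGIN_NAME_RE.match(r["user"]):
            reasons.append("ut_user %r is not a plausible login name" % r["user"])
        if not (not_before <= r["tv_sec"] <= not_after):
            when = datetime.fromtimestamp(r["tv_sec"], timezone.utc).date()
            reasons.append("timestamp %s outside expected window" % when)
        if r["type"] == USER_PROCESS and r["pid"] <= 0:
            reasons.append("non-positive pid %d for a login record" % r["pid"])
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample: one ordinary login from January 2002, then a garbage record
# whose user/line fields are filler bytes and whose date falls in 1974.
SAMPLE_WTMP = (
    pack_record(USER_PROCESS, 1234, b"tty1", b"martin", b"", 1011896700)
    + pack_record(USER_PROCESS, 0, b"X*******", b"X*******", b"", 130000000)
)
# Assumed window: the machine was installed in January 2002, checked mid-February 2002.
WINDOW = (1009843200, 1014000000)

if __name__ == "__main__":
    recs, trailing = parse_wtmp(SAMPLE_WTMP)
    for idx, reasons in suspicious(recs, *WINDOW).items():
        print("record %d: %s" % (idx, "; ".join(reasons)))
    if trailing:
        print("%d trailing bytes do not form a complete record" % trailing)
```

On a real system you would read `/var/log/wtmp` into `blob` and set the window to the install date and the current time; a cluster of records failing only the timestamp or login-name checks, with no matching entries in other logs, is what corruption tends to look like, whereas an intruder editing wtmp usually removes records rather than leaving garbage behind.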
