Il 17:04, giovedì 24 gennaio 2002, Karsten Schell ha scritto:
here is excerpt of a last-output on one of my servers, running suse 7.3, kernel 2.4.10 at that time, iptables: (only suspicious entries listed)
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10116+22:01 ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10110+13:22 ****0*** 0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39) ****0*** 0*******0*** ***** Thu Jan 1 01:00 - 01:00 (00:00) ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - 01:00 (-1557+-1:-3 ****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39) ****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 01:00 (00:00)
./chkrootkit 0.35 says deletion(s) between Mon Nov 26 20:12:47 2001 and Mon Nov 26 21:37:23 2001 3 deletion(s) between Mon Nov 26 22:33:28 2001 and Mon Nov 26 23:36:26 2001 36 deletion(s) between Mon Nov 26 23:56:41 2001 and Tue Nov 27 04:52:53 2001 8 deletion(s) between Tue Nov 27 21:51:09 2001 and Wed Nov 28 00:43:39 2001 1 deletion(s) between Wed Nov 28 21:32:43 2001 and Thu Nov 29 00:53:53 2001 13 deletion(s) between Thu Nov 29 00:53:53 2001 and Thu Nov 29 05:11:14 2001 10 deletion(s) between Thu Nov 29 05:11:19 2001 and Sun Apr 7 02:39:04 1974 1 deletion(s) between Sun Apr 7 02:39:04 1974 and Mon Dec 3 00:13:33 2001 1 deletion(s) between Wed Dec 5 14:35:24 2001 and Thu Dec 6 00:13:11 2001 7 deletion(s) between Thu Dec 6 00:19:44 2001 and Thu Dec 6 02:27:55 2001 8 deletion(s) between Thu Dec 6 02:28:00 2001 and Fri Dec 7 08:52:34 2001 2 deletion(s) between Sun Apr 7 02:39:04 1974 and Tue Dec 11 15:09:46 2001
Well chkrootkit is of course mixed up by the wrong dates (1974).
Besides the tempered wtmp there seems to be nothing wrong. Could this be caused by some bug ? I dont find anything suspicious in the logs. the faulty wtmp entries are within 14 days, after that no more faulty ones. What else could I do to check the system ? Since there is nothing else wrong I don't want to install everything from scatch when I am not sure its hacked!? thank you
If you are using reiserfs, it is a wtmp corruption which can occour. I have had the same situation once or twice. Even tripwire did not found anything. So I think that it is a *real* chance it is a bug somewhere. Praise