Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] /var/log/wtmp hacked or not?
At 17:04 on Thursday, 24 January 2002, Karsten Schell wrote:
> here is excerpt of a last-output on one of my servers, running suse 7.3,
> kernel 2.4.10 at that time, iptables: (only suspicious entries listed)
>
> ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down
> (10116+22:01 ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down
> (10110+13:22 ****0*** 0*******0*** Thu Jan 1 01:00 -
> 02:39 (1557+01:39) ****0*** 0*******0*** ***** Thu Jan 1 01:00
> - 01:00 (00:00) ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 -
> 01:00 (-1557+-1:-3 ****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00
> - 02:39 (1557+01:39) ****0*** 0*******0*** ****0*******0*** Thu Jan 1
> 01:00 - 01:00 (00:00)
>
> ./chkrootkit 0.35 says
> deletion(s) between Mon Nov 26 20:12:47 2001 and Mon Nov 26 21:37:23 2001
> 3 deletion(s) between Mon Nov 26 22:33:28 2001 and Mon Nov 26 23:36:26 2001
> 36 deletion(s) between Mon Nov 26 23:56:41 2001 and Tue Nov 27 04:52:53 2001
> 8 deletion(s) between Tue Nov 27 21:51:09 2001 and Wed Nov 28 00:43:39 2001
> 1 deletion(s) between Wed Nov 28 21:32:43 2001 and Thu Nov 29 00:53:53 2001
> 13 deletion(s) between Thu Nov 29 00:53:53 2001 and Thu Nov 29 05:11:14 2001
> 10 deletion(s) between Thu Nov 29 05:11:19 2001 and Sun Apr 7 02:39:04 1974
> 1 deletion(s) between Sun Apr 7 02:39:04 1974 and Mon Dec 3 00:13:33 2001
> 1 deletion(s) between Wed Dec 5 14:35:24 2001 and Thu Dec 6 00:13:11 2001
> 7 deletion(s) between Thu Dec 6 00:19:44 2001 and Thu Dec 6 02:27:55 2001
> 8 deletion(s) between Thu Dec 6 02:28:00 2001 and Fri Dec 7 08:52:34 2001
> 2 deletion(s) between Sun Apr 7 02:39:04 1974 and Tue Dec 11 15:09:46 2001
>
> Well, chkrootkit is of course mixed up by the wrong dates (1974).
>
> Besides the tampered wtmp there seems to be nothing wrong. Could this be
> caused by some bug? I don't find anything suspicious in the logs. The
> faulty wtmp entries are within 14 days, after that no more faulty ones.
> What else could I do to check the system? Since there is nothing else
> wrong I don't want to install everything from scratch when I am not sure it's
> hacked!? Thank you

If you are using reiserfs, it is a wtmp corruption which can occur. I have
had the same situation once or twice. Even tripwire did not find anything.
So I think that there is a *real* chance it is a bug somewhere.

Praise
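For anyone wanting to look at such a wtmp more systematically than `last` allows, here is an added example (not from this thread) that decodes the raw records and flags the kinds of entries quoted above: timestamps at the epoch (Thu Jan 1 1970), timestamps before the system was installed (the 1974 entries), timestamps in the future, and timestamps that go backwards in an append-only file. The glibc x86_64 `struct utmp` layout and the sample records are assumptions made for this example.

```python
import struct
from datetime import datetime, timezone
# glibc 'struct utmp' on x86_64 Linux (384 bytes): layout assumed for this example.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7
_utc = lambda *ymdhms: int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

def parse_wtmp(data):
    """Decode each complete record to (type, line, user, tv_sec); a trailing partial record is ignored."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode("latin-1")
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], cstr(f[2]), cstr(f[4]), f[9]

def suspicious_records(data, install_ts, now_ts):
    """wtmp is append-only: timestamps must lie between install and now and never go backwards."""
    findings, prev = [], 0           # findings are (index, utc_time, user, reason)
    for i, (_, _, user, ts) in enumerate(parse_wtmp(data)):
        if ts == 0:
            why = "epoch timestamp (Thu Jan 1 1970): zeroed record"
        elif ts < install_ts:
            why = "timestamp predates this installation"
        elif ts > now_ts:
            why = "timestamp lies in the future"
        elif ts < prev:
            why = "timestamp goes backwards"
        else:
            prev = ts
            continue
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
        findings.append((i, when, user, why))
    return findings

def make_record(utype, user, ts):
    """Pack one utmp record: constructed sample data, not a real log."""
    return struct.pack(UTMP_FMT, utype, 4242, b"pts/0", b"ts/0", user.encode(),
                       b"host.example", 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed wtmp modelled on the thread: a sane login, a 1974-dated record,
# an all-zero record, a sane login, then an entry older than its predecessor.
INSTALL_TS, NOW_TS = _utc(2001, 1, 1), _utc(2002, 1, 24)
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, "karsten", _utc(2001, 11, 26, 20, 12, 47)),
    make_record(USER_PROCESS, "root", _utc(1974, 4, 7, 2, 39, 4)),
    make_record(USER_PROCESS, "", 0),
    make_record(USER_PROCESS, "karsten", _utc(2001, 12, 3, 0, 13, 33)),
    make_record(USER_PROCESS, "karsten", _utc(2001, 12, 1, 14, 35, 24)),
])
```

To check a real host, pass the bytes of a copy of /var/log/wtmp together with that host's install date; bad dates that cluster in one short window with otherwise clean logs, as in this thread, point at corruption, whereas deliberate editing usually leaves gaps rather than impossible dates.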
