Mailinglist Archive: opensuse-security (757 mails)

/var/log/wtmp hacked or not?
  • From: Karsten Schell <efbiei@xxxxxx>
  • Date: Thu, 24 Jan 2002 17:04:55 +0100
  • Message-id: <200201241559.QAA10586@xxxxxxxxxxxxxxxxxxxxxxxxx>

Here is an excerpt of a last-output on one of my servers, running SuSE 7.3,
kernel 2.4.10 at that time, iptables (only suspicious entries listed):

****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10116+22:01
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - down (10110+13:22
****0*** 0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39)
****0*** 0*******0*** ***** Thu Jan 1 01:00 - 01:00 (00:00)
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 - 01:00 (-1557+-1:-3
****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 02:39 (1557+01:39)
****0*** 0*******0*** ****0*******0*** Thu Jan 1 01:00 - 01:00 (00:00)
./chkrootkit 0.35 says
deletion(s) between Mon Nov 26 20:12:47 2001 and Mon Nov 26 21:37:23 2001
3 deletion(s) between Mon Nov 26 22:33:28 2001 and Mon Nov 26 23:36:26 2001
36 deletion(s) between Mon Nov 26 23:56:41 2001 and Tue Nov 27 04:52:53 2001
8 deletion(s) between Tue Nov 27 21:51:09 2001 and Wed Nov 28 00:43:39 2001
1 deletion(s) between Wed Nov 28 21:32:43 2001 and Thu Nov 29 00:53:53 2001
13 deletion(s) between Thu Nov 29 00:53:53 2001 and Thu Nov 29 05:11:14 2001
10 deletion(s) between Thu Nov 29 05:11:19 2001 and Sun Apr 7 02:39:04 1974
1 deletion(s) between Sun Apr 7 02:39:04 1974 and Mon Dec 3 00:13:33 2001
1 deletion(s) between Wed Dec 5 14:35:24 2001 and Thu Dec 6 00:13:11 2001
7 deletion(s) between Thu Dec 6 00:19:44 2001 and Thu Dec 6 02:27:55 2001
8 deletion(s) between Thu Dec 6 02:28:00 2001 and Fri Dec 7 08:52:34 2001
2 deletion(s) between Sun Apr 7 02:39:04 1974 and Tue Dec 11 15:09:46 2001
Well, chkrootkit is of course mixed up by the wrong dates (1974).

Besides the tampered wtmp there seems to be nothing wrong. Could this be
caused by some bug? I don't find anything suspicious in the logs. The faulty
wtmp entries are within 14 days; after that no more faulty ones. What else
could I do to check the system? Since there is nothing else wrong I don't
want to install everything from scratch when I am not sure it's hacked!?
Thank you.
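The post above shows what a damaged wtmp looks like through `last` and `chkrootkit`: records stamped with epoch 0 (the "Thu Jan 1 01:00" lines) and with a 1974 date, interleaved with real 2001 logins. The following is an added example, not code from the original post or from chkrootkit: a small wtmp parser that walks the raw records and flags the ones a defender would want to look at, namely zero timestamps, timestamps earlier than the system's install date, and records whose time runs backwards relative to everything appended before them. It assumes the glibc `struct utmp` layout of that era (384-byte little-endian records with 32-bit time fields); the sample records, user names and install date are constructed for the demonstration.

```python
"""Parse a Linux wtmp file and flag records with implausible timestamps.

Added example for this thread, not code from the original post.  Assumes the
glibc struct utmp layout (384 bytes/record, little-endian, 32-bit tv_sec),
as written by a Linux 2.4 / SuSE 7.3 host.  Verify UTMP_SIZE on your platform
before trusting the output on real files.
"""
import struct
import sys
from datetime import datetime, timezone

# struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], exit_status (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 for glibc on x86

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1", "replace")


def parse_wtmp(data):
    """Return one dict per record, in file (append) order."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": UT_TYPES.get(f[0], "UNKNOWN(%d)" % f[0]),
                        "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "time": f[9]})  # f[9] is ut_tv.tv_sec
    return records


def find_suspicious(records, not_before):
    """Return [(index, [reasons])] for records whose time is implausible.

    wtmp is append-only, so tv_sec should never drop below the largest value
    seen earlier in the file; anything before `not_before` (the install date)
    or at epoch 0 cannot be a genuine event on this host.
    """
    findings, high_water = [], 0
    for i, r in enumerate(records):
        reasons = []
        if r["time"] == 0:
            reasons.append("zero timestamp")
        if r["time"] < not_before:
            reasons.append("before install date")
        if r["time"] < high_water:
            reasons.append("time runs backwards")
        high_water = max(high_water, r["time"])
        if reasons:
            findings.append((i, reasons))
    return findings


def make_record(ut_type, pid, line, user, host, tsec):
    """Pack one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, tsec, 0, 0, 0, 0, 0)


def _utc(y, m, d, hh=0, mm=0):
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample: two genuine Nov/Dec 2001 logins around two damaged
# records, one at epoch 0 and one dated April 1974, mirroring the post.
NOT_BEFORE = _utc(2001, 10, 1)                     # assumed install date
SAMPLE_WTMP = b"".join([
    make_record(7, 1201, "pts/0", "alice", "10.0.0.5", _utc(2001, 11, 26, 20, 12)),
    make_record(7, 1202, "pts/1", "alice", "10.0.0.5", 0),
    make_record(7, 1203, "pts/1", "bob", "10.0.0.9", _utc(1974, 4, 7, 1, 39)),
    make_record(7, 1204, "pts/0", "bob", "10.0.0.9", _utc(2001, 12, 3, 0, 13)),
])


def report(data, not_before=NOT_BEFORE):
    """Human-readable summary; returns the findings for callers."""
    recs = parse_wtmp(data)
    findings = find_suspicious(recs, not_before)
    for i, reasons in findings:
        r = recs[i]
        when = datetime.fromtimestamp(r["time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print("record %d: %s %s@%s from %s at %s UTC -> %s"
              % (i, r["type"], r["user"], r["line"], r["host"], when, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Pass a wtmp path to scan a real file; otherwise the constructed sample runs.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    report(data)
```

Run without arguments it reports records 1 and 2 of the sample; pointed at a copy of `/var/log/wtmp` it applies the same three checks to the real file. A backwards-running clock after a reboot with a dead CMOS battery produces the same pattern as deliberate tampering, so a hit is a reason to compare against other sources (`/var/log/messages`, `lastlog`, the `chkrootkit` deletion windows) rather than a verdict on its own.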
