[plug] chkrootkit

Bernard Blackham bernard at blackham.com.au
Thu May 20 20:09:16 WST 2004


On Thu, May 20, 2004 at 06:53:26AM +0800, William Kenworthy wrote:
> I use chkrootkit on a number of machines and find that often when a
> machine crashes, it lists a deletion in wted - probably due to
> corruption of some file.  One machine is getting quite a list
> (developed over a couple of years) so I am now looking for a way to
> reset/clear this data.  Can someone help with a hint as to how this can
> be done?

I think you mean wtmp - it records who has logged into the machine
interactively in the past - the last(1) command reads this file
(indirectly).  Deleted records in wtmp generally do indicate
tampering of the records in that file.

Tools are available (or trivially written) that will erase entries
in wtmp, so, for example, as soon as a malicious hacker logs in to a
machine they can remove their trace in wtmp. This is what chkrootkit
detects.  In my experience, I've never found any other reason why
records would be deleted, so I'd be taking a closer look at the
machine, imho.

chkrootkit should also be able to determine a time range the deleted
record would have existed (by looking at the times on the records
before and after - the records are in chronological order).

Or if you're not particularly concerned, deleting /var/log/wtmp
should solve the issue (or moving it out of the way if you want to
look at it later).

And if you didn't mean wtmp, I apologise for the above rambling :)

Cheers,

Bernard.

-- 
 Bernard Blackham <bernard at blackham dot com dot au>
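The detection logic Bernard describes (zeroed records in a chronologically ordered wtmp, with the deletion window bounded by the neighbouring records' timestamps) is simple enough to reproduce. The script below is an added example written for this post; it is not chkrootkit's own code and does not reproduce chkwtmp exactly. It assumes the glibc `struct utmp` layout used on x86_64 Linux (384-byte records) and builds a constructed wtmp image in memory rather than reading the real `/var/log/wtmp`, so it runs anywhere. Point `audit_file()` at a real wtmp copy to inspect an actual machine.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes per record.
# Fields: ut_type, (pad), ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY = 0         # ut_type of an unused (or wiped) slot
USER_PROCESS = 7  # interactive login
DEAD_PROCESS = 8  # logout


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record. Used only to build constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Decode a wtmp byte image into a list of dicts (records in file order)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "tv_sec": f[9],
        })
    return records


def find_deleted(records):
    """Return (index, prev_ts, next_ts) for each all-zero record.

    A wiped slot has ut_type 0 and a zero timestamp; the nearest non-zero
    timestamps before and after it bound when the missing login happened.
    """
    findings = []
    for i, rec in enumerate(records):
        if rec["type"] == EMPTY and rec["tv_sec"] == 0:
            prev_ts = next((r["tv_sec"] for r in reversed(records[:i]) if r["tv_sec"]), None)
            next_ts = next((r["tv_sec"] for r in records[i + 1:] if r["tv_sec"]), None)
            findings.append((i, prev_ts, next_ts))
    return findings


def find_out_of_order(records):
    """Indices of records whose timestamp goes backwards.

    wtmp is append-only, so a timestamp earlier than everything before it
    suggests the file was edited or spliced rather than written by login.
    """
    suspicious, high_water = [], 0
    for i, rec in enumerate(records):
        if rec["tv_sec"] == 0:
            continue  # zeroed slots are reported by find_deleted()
        if rec["tv_sec"] < high_water:
            suspicious.append(i)
        high_water = max(high_water, rec["tv_sec"])
    return suspicious


def fmt(ts):
    return "unknown" if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()


def audit_file(path):
    """Read a wtmp file and print the same findings as the sample run."""
    with open(path, "rb") as fh:
        records = parse_wtmp(fh.read())
    for idx, a, b in find_deleted(records):
        print(f"record {idx}: deleted entry, between {fmt(a)} and {fmt(b)}")
    for idx in find_out_of_order(records):
        print(f"record {idx}: timestamp out of order ({records[idx]['user']!r})")


# Constructed sample image: two logins, one wiped slot, a later login,
# then a record whose timestamp is earlier than the one before it.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 101, "pts/0", "alice", "10.0.0.5", 1000),
    make_record(USER_PROCESS, 102, "pts/1", "bob", "10.0.0.6", 2000),
    b"\0" * UTMP_SIZE,
    make_record(USER_PROCESS, 104, "pts/0", "alice", "10.0.0.5", 4000),
    make_record(USER_PROCESS, 105, "pts/2", "carol", "10.0.0.7", 3000),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for idx, a, b in find_deleted(recs):
        print(f"record {idx}: deleted entry, between {fmt(a)} and {fmt(b)}")
    for idx in find_out_of_order(recs):
        print(f"record {idx}: timestamp out of order ({recs[idx]['user']!r})")
```

On the constructed sample this reports the wiped slot at index 2 as having been written between the timestamps 2000 and 4000, and flags index 4 because its timestamp (3000) precedes the record before it. On a real file, `last(1)` will happily skip the zeroed slot, which is why a separate check like this one is needed to notice it at all.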


