[plug] chkrootkit

William Kenworthy billk at iinet.net.au
Thu May 20 21:40:25 WST 2004


Googling doesn't give much, but wted *may* be an editor for utmp/wtmp.  I
am loath to fiddle with those files unless I know some more about what I
am doing.  

I have seen such deletions listed on gentoo and redhat machines (esp.
weird on redhat; I did think I had a hack at one time, but it appears
that some early redhat versions actually log a UK IP number as being
logged in because of a bug!).  I've never seen one from a break-in (or known
of a break-in on one of my machines - yet!); I've always been able to
trace it back to a crash (hardware lockups, X hard locks and so on). 
But I am tired of seeing them in the logs and would like to safely clear
them, but information is a bit scarce.

BillK

On Thu, 2004-05-20 at 20:09, Bernard Blackham wrote:
> On Thu, May 20, 2004 at 06:53:26AM +0800, William Kenworthy wrote:
> > I use chkrootkit on a number of machines and find that often when a
> > machine crashes, it lists a deletion in wted - probably due to
> > corruption of some file.  One machine is getting quite a list
> > (developed over a couple of years) so I am now looking for a way to
> > reset/clear this data.  Can someone help with a hint as to how this can
> > be done?
> 
> I think you mean wtmp - it records who has logged into the machine
> interactively in the past - the last(1) command reads this file
> (indirectly).  Deleted records in wtmp generally do indicate
> tampering of the records in that file.
> 
> Tools are available (or trivially written) that will erase entries
> in wtmp, so for eg, as soon as a malicious hacker logs in to a
> machine they can remove their trace in wtmp. This is what chkrootkit
> detects.  In my experience, I've never found any other reason why
> records would be deleted, so I'd be taking a closer look at the
> machine, imho.
> 
> chkrootkit should also be able to determine a time range the deleted
> record would have existed (by looking at the times on the records
> before and after - the records are in chronological order).
> 
> Or if you're not particularly concerned, deleting /var/log/wtmp
> should solve the issue (or moving it out of the way if you want to
> look at it later).
> 
> And if you didn't mean wtmp, I apologise for the above rambling :)
> 
> Cheers,
> 
> Bernard.
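A simplified version of the check Bernard describes, added here as an example (not chkrootkit's own chkwtmp code and not from the original thread): it walks a Linux wtmp file record by record, flags zeroed (wiped) entries, bounds each one by the timestamps of its intact neighbours, and also reports records that break the file's chronological order. The struct layout assumed is glibc's 384-byte `struct utmp` on x86_64, and the sample wtmp bytes are constructed inline.

```python
import struct

# glibc's struct utmp on x86_64 Linux is 384 bytes; this is its little-endian layout.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
EMPTY, USER_PROCESS = 0, 7  # ut_type values from <utmp.h>

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used here only to construct sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Yield (ut_type, pid, line, user, host, tv_sec) for each whole record."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        yield (f[0], f[1], f[2].rstrip(b"\0").decode(), f[4].rstrip(b"\0").decode(),
               f[5].rstrip(b"\0").decode(), f[9])

def find_deleted(records):
    """Return (index, before, after) for each zeroed record: wtmp is appended in
    chronological order, so the nearest intact neighbours' timestamps bound when
    the wiped entry was written (None if no intact record exists on that side)."""
    recs, findings = list(records), []
    for i, r in enumerate(recs):
        if r[0] == EMPTY and r[5] == 0:  # ut_type EMPTY with no timestamp: wiped
            before = next((x[5] for x in reversed(recs[:i]) if x[5]), None)
            after = next((x[5] for x in recs[i + 1:] if x[5]), None)
            findings.append((i, before, after))
    return findings

def find_out_of_order(records):
    """Return indices of records whose timestamp precedes the previous one:
    a rewritten wtmp often breaks the chronological order the file should have."""
    prev, out = 0, []
    for i, r in enumerate(records):
        if r[5] and r[5] < prev:
            out.append(i)
        prev = r[5] or prev
    return out

# Constructed sample wtmp: two logins with a wiped (all-zero) record between them.
SAMPLE_WTMP = (pack_record(USER_PROCESS, 4242, "pts/0", "alice", "192.0.2.10", 1084900000)
               + b"\0" * UTMP_SIZE
               + pack_record(USER_PROCESS, 4311, "pts/1", "bob", "192.0.2.11", 1084903600))

if __name__ == "__main__":
    for idx, before, after in find_deleted(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: deleted entry, written between {before} and {after}")
```

To run it against a real file, pass the bytes of /var/log/wtmp to `parse_wtmp`; a crash that truncates the file mid-record shows up as a short trailing fragment that the parser simply ignores, whereas a wiped login shows up as a full zeroed record between intact ones.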
