Curious to see what would happen if I tried those checks on my computer, I have a few questions.
- with chkrootkit I see :
Checking `wted'... 5 deletion(s) between Tue Aug 23 00:55:11 2011 and Tue Aug 23 00:55:15 2011
5 deletion(s) between Tue Aug 23 12:27:36 2011 and Tue Aug 23 12:27:50 2011
5 deletion(s) between Tue Aug 23 19:36:44 2011 and Wed Aug 24 01:39:22 2011
etc...
I'm not sure I understand what to do with it. I looked at the wtmp log but couldn't see a clear link between the two.
- with rpm --verify --all :
I have a few messages like :
prelink: /usr/lib/libtelepathy-farsight.so.0.1.3: at least one of file's dependencies has changed since prelinking
What does it mean?
- in the /var/log/secure log files I have this recurrent message :
polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.69, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)
I tried to find out what it means but failed.
kernel.org status: hints on how to check your machine for intrusion
Posted Oct 4, 2011 14:24 UTC (Tue) by nix (subscriber, #2304)
- with rpm --verify --all :
I have a few messages like :
prelink: /usr/lib/libtelepathy-farsight.so.0.1.3: at least one of file's dependencies has changed since prelinking
What does it mean?
prelink modifies binaries, so rpm --verify has to ask prelink to give it back the SHA-1 sum from before such modification. prelink emits these messages when it's run on an executable or shared library which had a dependent library change underneath it since it was last prelinked. It's a sign that prelinking is ineffective for this library, and is not a sign of any sort of security problem. It's probably just that you run prelink at regular intervals out of cron, and updated some packages since the last run.
kernel.org status: hints on how to check your machine for intrusion
Posted Oct 5, 2011 9:04 UTC (Wed) by RomLWN (guest, #80615)
Very clear, thanks!
kernel.org status: hints on how to check your machine for intrusion
Posted Oct 4, 2011 22:24 UTC (Tue) by nls (guest, #80623)
I ran chkrootkit and got several "5 deletion(s) between...".
I use Fedora 15. I have two other systems running Fedora 14 which do not indicate deletions from wtmp.
I think this problem may be a bug. A search of my logs did not indicate any funny business (intrusion). I did find a very strong correlation between the time of the deletions and shutting down the system.
I compared the times of the "deletion(s)" and the /var/log/message* files by grepping the rsyslogd messages associated with shutdown.
$ su -c "grep rsyslogd /var/log/messages | grep exiting"
I would be very interested if you were to find the same correlation.
I think there may be corruption at the end of wtmp at shutdown.
It makes no sense to me for a bad hacker to try to cover his tracks at shutdown.
kernel.org status: hints on how to check your machine for intrusion
Posted Oct 5, 2011 17:22 UTC (Wed) by nls (guest, #80623)
I did a fresh install of FC15 on another system. I installed chkrootkit. I rebooted. I ran chkrootkit. I got one wted message "5 deletion(s)". It appears during shutdown wtmp is being corrupted.
Checking `wted'... 5 deletion(s) between Wed Oct 5 12:43:57 2011 and Wed Oct 5 12:44:09 2011
[admin@opusrex ~]$ su -c "grep rsyslogd /var/log/messages | grep exiting"
Password:
Oct 5 12:44:06 opusrex rsyslogd: [origin software="rsyslogd" swVersion="5.8.5" x-pid="1023" x-info="http://www.rsyslog.com"] exiting on signal 15.
I will report bug to Fedora.
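The correlation described in this and the earlier comment (compare each wted "deletion(s)" window with the rsyslogd "exiting on signal 15" lines), done in code. This is an added example, not part of the thread and not chkrootkit's own code. It assumes the 384-byte glibc x86_64 struct utmp layout, that a wted "deletion" means a zero-filled wtmp record (my reading of the check), and that the syslog lines are from 2011, since the classic syslog timestamp carries no year; the wtmp bytes and log lines it runs on are constructed to mirror the times quoted above.

```python
"""Find runs of zero-filled records in a Linux wtmp file and check whether
each run coincides with an rsyslogd shutdown in /var/log/messages.

Added example, not chkrootkit's code.  Assumed: glibc/x86_64 struct utmp
layout, "deletion" == zero-filled record, syslog year 2011.
"""
import struct
from datetime import datetime, timedelta, timezone

# glibc/x86_64 struct utmp: type, pad, pid, line[32], id[4], user[32],
# host[256], exit_status (2 shorts), session, tv_sec, tv_usec,
# addr_v6[4], 20 unused bytes -> 384 bytes (assumed layout)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
ZERO_RECORD = b"\x00" * UTMP_SIZE
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
SYSLOG_YEAR = 2011  # assumption: classic syslog timestamps carry no year


def utmp_record(ut_type, pid, line, user, host, when):
    """Pack one utmp record with the given (timezone-aware) timestamp."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), 0, 0, 0, 0, 0)


def find_deletions(wtmp):
    """Return (count, before, after) for every run of zero-filled records,
    bounded by the timestamps of the nearest intact records, which is how
    the 'N deletion(s) between A and B' lines above read."""
    runs, zeros, last = [], 0, None
    for off in range(0, len(wtmp) - len(wtmp) % UTMP_SIZE, UTMP_SIZE):
        rec = wtmp[off:off + UTMP_SIZE]
        if rec == ZERO_RECORD:
            zeros += 1
            continue
        fields = struct.unpack(UTMP_FMT, rec)
        stamp = datetime.fromtimestamp(fields[9], tz=timezone.utc)  # tv_sec
        if zeros:
            runs.append((zeros, last, stamp))
            zeros = 0
        last = stamp
    if zeros:  # file ends inside a run of zeros
        runs.append((zeros, last, None))
    return runs


def shutdown_times(messages):
    """Timestamps of rsyslogd 'exiting on signal 15' lines: the grep from
    the post above, done in Python."""
    found = []
    for line in messages.splitlines():
        if "rsyslogd" in line and "exiting on signal 15" in line:
            stamp = " ".join(line.split()[:3])  # e.g. 'Oct 5 12:44:06'
            when = datetime.strptime(f"{SYSLOG_YEAR} {stamp}",
                                     "%Y %b %d %H:%M:%S")
            found.append(when.replace(tzinfo=timezone.utc))
    return found


def correlate(runs, shutdowns, slack=timedelta(seconds=30)):
    """Tag each run with whether a shutdown falls inside its window (plus
    slack).  Runs with no shutdown nearby are the ones worth a closer look."""
    out = []
    for count, before, after in runs:
        if before is None and after is None:  # whole file zeroed
            out.append((count, None, None, False))
            continue
        lo = (before or after) - slack
        hi = (after or before) + slack
        out.append((count, before, after,
                    any(lo <= t <= hi for t in shutdowns)))
    return out


def sample_wtmp():
    """Constructed wtmp: a two-record gap at 09:00 with no shutdown near it,
    and a five-record gap at the times quoted in the post above."""
    t = lambda h, m, s: datetime(2011, 10, 5, h, m, s, tzinfo=timezone.utc)
    return b"".join([
        utmp_record(USER_PROCESS, 1200, "tty1", "admin", "", t(9, 0, 0)),
        ZERO_RECORD * 2,
        utmp_record(DEAD_PROCESS, 1200, "tty1", "", "", t(9, 0, 30)),
        utmp_record(USER_PROCESS, 1300, "pts/0", "admin", "", t(12, 43, 57)),
        ZERO_RECORD * 5,
        utmp_record(BOOT_TIME, 0, "~", "reboot", "", t(12, 44, 9)),
    ])


# Constructed log excerpt; the second line is the one quoted in the post.
SAMPLE_MESSAGES = """\
Oct  5 09:00:10 opusrex sshd[1422]: constructed noise line, not a shutdown
Oct  5 12:44:06 opusrex rsyslogd: [origin software="rsyslogd" swVersion="5.8.5" x-pid="1023" x-info="http://www.rsyslog.com"] exiting on signal 15.
"""


def report(wtmp=None, messages=SAMPLE_MESSAGES):
    """Correlate wted-style deletion windows with rsyslogd shutdowns."""
    return correlate(find_deletions(wtmp or sample_wtmp()),
                     shutdown_times(messages))


if __name__ == "__main__":
    for count, before, after, hit in report():
        verdict = "matches a shutdown" if hit else "NO shutdown nearby"
        print(f"{count} deletion(s) between {before} and {after}: {verdict}")
```

On a real box, feed it `open("/var/log/wtmp", "rb").read()` and the contents of /var/log/messages; the interesting output is any window that does not line up with a shutdown.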
kernel.org status: hints on how to check your machine for intrusion
Posted Oct 6, 2011 9:46 UTC (Thu) by jwakely (subscriber, #60262)
I get dozens of "wted deletions" with chkrootkit on F15, which all coincide with shutting down. I also get a warning about X running without an entry in utmp. I was considering reporting it to bugzilla too, but I'll CC myself on your bugzilla report