
kernel.org status: hints on how to check your machine for intrusion

Posted Oct 4, 2011 22:24 UTC (Tue) by nls (guest, #80623)
In reply to: kernel.org status: hints on how to check your machine for intrusion by RomLWN
Parent article: kernel.org status: hints on how to check your machine for intrusion

I ran chkrootkit and got several "5 deletion(s) between...".

I use Fedora 15. I have two other systems running Fedora 14 which do not indicate deletions from wtmp.

I think this problem may be a bug. A search of my logs did not indicate any funny business (intrusion). I did find a very strong correlation between the time of the deletions and shutting down the system.

I compared the times of the "deletion(s)" and the /var/log/message* files by grepping the rsyslogd messages associated with shutdown.

$ su -c "grep rsyslogd /var/log/messages | grep exiting"

I would be very interested if you were to find the same correlation.

I think there may be corruption at the end of wtmp at shutdown.

It makes no sense to me for a bad-hacker to try to cover his tracks at shutdown.


kernel.org status: hints on how to check your machine for intrusion

Posted Oct 5, 2011 17:22 UTC (Wed) by nls (guest, #80623)

I did a fresh install of FC15 on another system. I installed chkrootkit. I rebooted. I ran chkrootkit. I got one wted message "5 deletion(s)". It appears that during shutdown wtmp is being corrupted.

Checking `wted'... 5 deletion(s) between Wed Oct 5 12:43:57 2011 and Wed Oct 5 12:44:09 2011

[admin@opusrex ~]$ su -c "grep rsyslogd /var/log/messages | grep exiting"
Password:
Oct 5 12:44:06 opusrex rsyslogd: [origin software="rsyslogd" swVersion="5.8.5" x-pid="1023" x-info="http://www.rsyslog.com"] exiting on signal 15.

I will report the bug to Fedora.
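As an added example (not code posted in this thread, and not part of chkrootkit), the following Python script automates the correlation described in the two posts above: it parses chkrootkit's `wted` deletion windows and rsyslogd's "exiting on signal 15" lines from /var/log/messages, and reports any deletion window that no shutdown event explains, since those are the ones that merit a manual look rather than being written off as the shutdown artefact. The sample input is constructed to mirror the lines quoted above; the 60-second tolerance and the year supplied for the yearless BSD syslog timestamps are assumptions.

```python
"""Correlate chkrootkit 'wted' deletion windows with shutdown events in syslog.

Constructed example for triaging wted reports; not code from the LWN thread
or from chkrootkit itself.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the chkrootkit 'wted' line quoted in
# the thread. The second window has no matching shutdown and should be flagged.
CHKROOTKIT_OUTPUT = """\
Checking `wted'... 5 deletion(s) between Wed Oct  5 12:43:57 2011 and Wed Oct  5 12:44:09 2011
Checking `wted'... 3 deletion(s) between Sun Oct  2 03:17:20 2011 and Sun Oct  2 03:17:25 2011
"""

# Constructed /var/log/messages excerpt in the rsyslog format shown in the thread.
# BSD syslog timestamps carry no year, so the caller supplies it.
SYSLOG_LINES = """\
Oct  5 12:44:06 opusrex rsyslogd: [origin software="rsyslogd" swVersion="5.8.5" x-pid="1023" x-info="http://www.rsyslog.com"] exiting on signal 15.
Oct  2 09:00:01 opusrex rsyslogd: [origin software="rsyslogd" swVersion="5.8.5" x-pid="1023" x-info="http://www.rsyslog.com"] exiting on signal 15.
Oct  2 09:00:03 opusrex kernel: Kernel logging (proc) stopped.
"""

WTED_RE = re.compile(r"(\d+) deletion\(s\) between (.+?) and (.+?)\s*$")
# rsyslogd logs 'exiting on signal 15' when SIGTERM reaches it at shutdown.
SHUTDOWN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ rsyslogd: .*exiting on signal 15"
)


def parse_wted(text):
    """Return (count, start, end) tuples for every chkrootkit wted deletion window."""
    windows = []
    for line in text.splitlines():
        m = WTED_RE.search(line)
        if not m:
            continue
        # ctime()-style stamps such as 'Wed Oct  5 12:43:57 2011'; strptime
        # accepts both one and two spaces before a single-digit day.
        start = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
        end = datetime.strptime(m.group(3), "%a %b %d %H:%M:%S %Y")
        windows.append((int(m.group(1)), start, end))
    return windows


def parse_shutdowns(text, year):
    """Return timestamps of rsyslogd shutdown messages, with the given year applied."""
    events = []
    for line in text.splitlines():
        m = SHUTDOWN_RE.match(line)
        if m:
            # Prepending the year before parsing avoids the 1900 default.
            events.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return events


def correlate(windows, shutdowns, tolerance_s=60):
    """Pair each deletion window with a shutdown event within tolerance_s seconds.

    'matched' is None when no shutdown explains the window; a benign shutdown
    artefact should always line up, so those windows deserve a manual look.
    """
    tol = timedelta(seconds=tolerance_s)
    results = []
    for count, start, end in windows:
        hit = next((s for s in shutdowns if start - tol <= s <= end + tol), None)
        results.append({"count": count, "start": start, "end": end, "matched": hit})
    return results


def unexplained(results):
    """Deletion windows with no nearby shutdown event."""
    return [r for r in results if r["matched"] is None]


if __name__ == "__main__":
    wins = parse_wted(CHKROOTKIT_OUTPUT)
    # Assumption: the syslog year equals the year of the first wted window.
    year = wins[0][1].year if wins else datetime.now().year
    downs = parse_shutdowns(SYSLOG_LINES, year)
    for r in correlate(wins, downs):
        verdict = f"shutdown at {r['matched']}" if r["matched"] else "NO shutdown nearby, review"
        print(f"{r['count']} deletion(s) {r['start']} .. {r['end']}: {verdict}")
```

On a live system the two strings would come from `chkrootkit` output and from `/var/log/messages` (read as root, as the `su -c` command above does); the reasoning is unchanged. The script only separates windows that coincide with a shutdown from those that do not; it does not establish that the former are harmless, only that they match the pattern the posters observed.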

kernel.org status: hints on how to check your machine for intrusion

Posted Oct 6, 2011 9:46 UTC (Thu) by jwakely (subscriber, #60262)

I get dozens of "wted deletions" with chkrootkit on F15, which all coincide with shutting down. I also get a warning about X running without an entry in utmp. I was considering reporting it to bugzilla too, but I'll CC myself on your bugzilla report.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds