Greetings, I discovered some strange output from the last command on our Woody terminal server (for X11). I have already posted it on debian-user-german, but I didn't get any answer. (I hope you don't mind if I post it for the English-speaking majority.) Although I hope it is not security related, I think it may have a security-related aspect which I cannot ignore.
At first I ran an ordinary chkrootkit scan (like I do every one or two weeks). This time, it discovered:

  Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and Sun Apr 7 02:03:36 1974
  3 deletion(s) between Sun Apr 7 02:03:36 1974 and Tue Feb 3 09:08:53 2004
  35 deletion(s) between Sun Jan 25 08:20:56 2004 and Wed Feb 4 09:38:39 2004
  13 deletion(s) between Sun Jan 25 08:20:56 2004 and Wed Feb 4 23:41:11 2004
  101 deletion(s) between Thu Feb 5 00:02:52 2004 and Wed Mar 25 18:24:58 1970
  1 deletion(s) between Wed Mar 25 18:24:58 1970 and Wed Mar 25 18:24:58 1970
  8 deletion(s) between Sun Apr 7 02:03:36 1974 and Mon Feb 9 09:01:04 2004
  8 deletion(s) between Sun Jan 25 08:20:56 2004 and Tue Feb 10 10:56:08 2004
  8 deletion(s) between Tue Feb 10 10:57:03 2004 and Tue Feb 10 12:09:25 2004
  1 deletion(s) between Sun Jan 25 08:20:56 2004 and Tue Feb 10 13:40:32 2004
  17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36 1974
  31 deletion(s) between Sun Jan 25 08:20:56 2004 and Fri Feb 13 09:32:27 2004
  2 deletion(s) between Sun Jan 25 08:20:56 2004 and Fri Feb 13 11:51:10 2004
  2 deletion(s) between Fri Feb 13 11:51:41 2004 and Sat Feb 14 21:11:51 2004
  14 deletion(s) between Sun Feb 15 10:19:39 2004 and Sun Apr 7 02:03:36 1974
  47 deletion(s) between Sun Jan 25 08:20:56 2004 and Wed Feb 18 14:27:08 2004
  19 deletion(s) between Thu Feb 19 00:19:47 2004 and Fri Feb 20 09:28:55 2004
  20 deletion(s) between Sun Jan 25 08:20:56 2004 and Fri Feb 20 14:09:22 2004

Sadly (or luckily ;) no other routine found anything else. This output is quite strange. While nearly all entries are related to 2004, others go back to 1974 or even 1970. So I suspected a corrupt database, and the output of last seems to endorse my suspicion.
  root pts/2 192.168.1.253 Fri Feb 20 14:13 still logged in
  root pts/1 192.168.1.253 Fri Feb 20 14:10 still logged in
  root pts/1 192.168.1.253 Fri Feb 20 14:09 - 14:09 (00:00)

Ok, that's correct.

  rucker:0 [EMAIL PROTECTED]@** mfelten Thu Jan 1 01:00 still logged in

rucker is neither a computer nor a user, and mfelten is a user. Furthermore, the machine doesn't have an uptime of two months - kernel updates forced the machine to be rebooted.

  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 ** Thu Jan 1 01:00 gone - no logout

These are quite strange entries, and there is neither a user nor a machine called cal.

  h******* ****h******* rucker:0 Thu Jan 1 01:00 gone - no logout

rucker again?!

  root pts/1 192.168.1.253 Thu Feb 19 00:03 - 00:19 (00:16)
  root pts/1 192.168.1.253 Wed Feb 18 23:47 - 23:48 (00:00)
  root pts/1 alpha Wed Feb 18 14:54 - 14:54 (00:00)
  root pts/1 alpha Wed Feb 18 14:27 - 14:45 (00:18)

That's ok.

  h******* <***h******@ h*******h******* Thu Jan 1 01:00 gone - no logout
  nt-55.lo [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 [EMAIL PROTECTED]@** Thu Jan 1 01:00 - 01:00 (00:00)
  cal:0 ** Thu Jan 1 01:00 - 01:00 (00:00)

That's not. Let's go on.
  root pts/1 client-64.local Tue Feb 17 10:29 - 10:29 (00:00)
  fatmay client-50.lo Tue Feb 17 09:00 - 10:47 (01:46)
  swojmon client-51.lo Tue Feb 17 08:59 - 10:47 (01:47)
  h******* ****h******* h*******h******* Thu Jan 1 01:00 - 01:00 (00:00)
  root pts/1 192.168.1.253 Sun Feb 15 10:19 - 10:19 (00:00)
  root pts/1 192.168.1.253 Sat Feb 14 21:11 - 21:13 (00:02)
  h******* ****h******* FA Thu Jan 1 01:00 - 01:00 (00:00)
  root tty3 Fri Feb 13 11:51 still logged in
  root tty2 Fri Feb 13 11:51 still logged in
  mfelten client-51.lo Fri Feb 13 10:26 - 08:59 (3+22:33)
  svolbjo client-51.lo Fri Feb 13 09:59 - 10:26 (00:26)
  svolbjo client-51.lo Fri Feb 13 09:38 - 09:58 (00:20)
  davidm client-50.lo Fri Feb 13 09:37 - 09:00 (3+23:23)
  root pts/1 client-167.local Fri Feb 13 09:32 - 09:35 (00:03)

and so on. So I renamed all related files in order to start with a non-corrupt database. But what could have caused this corruption? The machine itself is quite stable - no kernel panics or segfaults of the kernel or system-related programs, libs, modules, etc. have happened as far as I remember. Because of the load of the system, logrotate would have already put it out of the database - might logrotate be responsible? But because it is valuable information on intruders, intruders or illegal root'ers might have compromised it. What's your opinion?

Keep smiling
yanosz
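A defender's check for the symptoms described in this post, added here as an example and not part of the original message: it reads raw wtmp records directly (the glibc struct utmp layout, assumed here to be the 384-byte x86 Linux form) instead of trusting last, and flags records whose timestamp is 1970/1974, whose timestamp goes backwards in an append-only file, whose user is not in the account list, or whose user, line or host fields contain non-printable bytes. The known-user set, the assumed install date and the sample records are all constructed.

```python
import string
import struct
from datetime import datetime, timezone
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"  # glibc struct utmp on x86 Linux, 384 bytes
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7                       # ut_type of a normal login record
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Yield one dict per utmp record in a raw wtmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "tv_sec": f[9]}

def audit_wtmp(data, known_users, earliest_ok):
    """Return [(record_index, reason)] for records that look corrupt or tampered."""
    findings, newest = [], 0
    for i, r in enumerate(parse_wtmp(data)):
        if r["tv_sec"] < earliest_ok:       # 1970/1974 dates as in the post
            findings.append((i, "implausible timestamp"))
        elif r["tv_sec"] < newest:          # wtmp is append-only: time must not go backwards
            findings.append((i, "out of order"))
        newest = max(newest, r["tv_sec"])
        if r["type"] == USER_PROCESS and r["user"] not in known_users:
            findings.append((i, "unknown user"))
        if any(c not in PRINTABLE for c in r["user"] + r["line"] + r["host"]):
            findings.append((i, "garbled field"))
    return findings

def make_record(utype, line, user, host, tv_sec, pid=1000):
    """Build one constructed record (test input, not from a real system)."""
    l, u, h = (s.encode("latin-1") for s in (line, user, host))
    return struct.pack(UTMP_FMT, utype, pid, l, b"", u, h, 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def ts(y, m, d, hh=0, mm=0):
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())

KNOWN_USERS = {"root", "mfelten", "svolbjo", "davidm"}  # stand-in for /etc/passwd
EARLIEST_OK = ts(2002, 1, 1)   # assumed install date; older records cannot be genuine
SAMPLE_WTMP = b"".join([       # constructed records modelled on the post's last output
    make_record(USER_PROCESS, "pts/1", "root", "192.168.1.253", ts(2004, 2, 18, 14, 27)),
    make_record(USER_PROCESS, "rucker:0", "mfelten", "", 0),
    make_record(USER_PROCESS, "cal:0", "\xff\x01", "\xff@**", ts(1974, 4, 7, 1, 3)),
    make_record(USER_PROCESS, "pts/1", "root", "client-167.local", ts(2004, 2, 13, 9, 32)),
])
```

Run it against a copy of the real file with `audit_wtmp(open("/var/log/wtmp", "rb").read(), users, install_ts)`; a burst of "implausible timestamp" or "garbled field" findings points at a damaged or edited wtmp rather than at odd logins.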