Incoming from Jan Lühr:
> Greetings,
>
> I discovered some strange output of the last command on our Woody
> Terminalserver (for X11). I have already posted it on debian-user-german, but
> I didn't get any answer. (I hope you don't mind, if I post it for the English
> speaking majority)
> Although I hope it is not security related, I think, it may have a security
> related aspect, which I cannot ignore.
>
> At first I ran an ordinary chkrootkit scan (like I do it every one or two weeks).

Two weeks? I run it every night.

> This time, it discovered:
>
> Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and Sun Apr
> 7 02:03:36 1974

Have you checked the chkrootkit archives for anything like this?

> 17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36 1974

Whaat?!? Between 2004 and 1974?!?

> So I renamed all related files in order to start with a non-corrupt database.
> But what could have caused this corruption? The machine itself is quite stable

Sunspots? Disk errors? Resource exhaustion? Unless you can definitively nail it down, I wouldn't start worrying until it happens again.

> But because of being a valuable information on intruders, intruders or illegal
> root'ers might have compromised it.
>
> What's your opinion?

Can you send logging to another (perhaps dedicated) machine?

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
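An added example, not part of the original thread: a small wtmp scanner that separates the two symptoms discussed above, runs of blanked (zero-timestamp) records and timestamps that are implausibly old or run backwards, such as a 1974 stamp in a 2004 log. It assumes the 384-byte glibc Linux `struct utmp` layout and that a "deletion" is a record with a zeroed timestamp; `scan_wtmp`, `make_rec`, the 2000-01-01 floor and the sample records are constructed for illustration.

```python
import struct

# Assumption: glibc Linux `struct utmp`, 384 bytes per record, little-endian.
REC = struct.Struct("<h2xi32s4s32s256s2hi2i4i20s")
TV_SEC = 9  # index of ut_tv.tv_sec in the unpacked tuple

def scan_wtmp(data, min_epoch=946684800):  # 2000-01-01 UTC, assumed floor
    """Flag zeroed runs, implausibly old stamps, backward jumps, truncation."""
    findings, last_good, zero_run = [], None, 0
    for idx in range(len(data) // REC.size):
        tv_sec = REC.unpack_from(data, idx * REC.size)[TV_SEC]
        if tv_sec == 0:                      # blanked record
            zero_run += 1
            continue
        if zero_run:                         # run of blanked records just ended
            findings.append(("zeroed", zero_run, last_good, tv_sec))
            zero_run = 0
        if tv_sec < min_epoch:               # e.g. a 1974 stamp in a 2004 log
            findings.append(("implausible", idx, tv_sec))
            continue
        if last_good is not None and tv_sec < last_good:
            findings.append(("backwards", idx, tv_sec))
        last_good = tv_sec if last_good is None else max(last_good, tv_sec)
    if zero_run:
        findings.append(("zeroed", zero_run, last_good, None))
    if len(data) % REC.size:                 # partial trailing record
        findings.append(("truncated", len(data) % REC.size))
    return findings

def make_rec(tv_sec, user=b"jan"):
    """Build one constructed USER_PROCESS (type 7) record for the sample."""
    return REC.pack(7, 1234, b"pts/0", b"", user, b"", 0, 0, 0,
                    tv_sec, 0, 0, 0, 0, 0, b"")

T0 = 1075015256  # constructed timestamp in January 2004
SAMPLE = b"".join(make_rec(t) for t in
                  (T0, T0 + 60, 0, 0, 134528616, T0 + 120, T0 + 30)) + b"\0" * 10

if __name__ == "__main__":
    for finding in scan_wtmp(SAMPLE):
        print(finding)
```

A truncated tail or isolated garbage stamps point toward disk or write errors, while a clean run of zeroed records between two otherwise consistent timestamps is the pattern worth comparing against a copy of the log kept on another machine.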