Re: security: wted?
On 13 Feb 2025 at 20:39, home user via users wrote:

Date sent: Thu, 13 Feb 2025 20:39:23 -0700
Subject: Re: security: wted?
To: Community support for Fedora users
Send reply to: Community support for Fedora users
From: home user via users
Copies to: home user

> On 2/13/25 7:33 PM, Tim wrote:
> > On Thu, 2025-02-13 at 10:50 -0700, home user via users wrote:
> >> When I ran chkrootkit, I got the following (including a few lines of
> >> context) regarding
> >
> > Is there a reason you feel the need to check for rootkits?
> >
> > I'm under the impression that if you don't install things from outside
> > of the repos, and keep SELinux running, there's a so-close-to-zero
> > chance of you having a problem that it's not worth worrying about.
> >
> > Unlike Windows, our mail clients don't automatically run executables
> > that have been attached to emails, etc. You have to choose to run
> > executables.
> >
> Maybe I'm remembering wrong, but I recall over a decade ago being advised on this list to use 2 tools to watch for malware on this workstation: chkrootkit and rkhunter. (I was also advised that those tools are not perfect.) Being not an IT professional, and trusting that those list members that do the helping are experienced professionals (though not perfect), I live by that advice and run both tools weekly. Also, don't these tools check for more than just rootkits?
>

https://chkrootkit.org/
Shows a slightly newer version.
chkrootkit 0.58b is now available! (Release Date: Jul 05 2023)
https://chkrootkit.org/download/
ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

Link is to ftp, but firefox doesn't seem to do that anymore so did

    ncftpget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz .

then

    tar -xvf chkrootkit.tar.gz
    cd chkrootkit-0.58b/

The directory has files, but only the chkrootkit as an executable shell script. Running make creates the files with today's date.

      2531 Feb 24  2023 strings.c
      1292 Feb 24  2023 README.chkwtmp
      1323 Feb 24  2023 README.chklastlog
      1637 Feb 24  2023 Makefile
      5965 Feb 24  2023 chkutmp.c
     10057 Feb 24  2023 chkproc.c
      7376 Feb 24  2023 chkdirs.c
      7195 Feb 24  2023 check_wtmpx.c
      5210 Jun 23  2023 ACKNOWLEDGMENTS
      1337 Jun 29  2023 COPYRIGHT
      7833 Jun 29  2023 chklastlog.c
      9011 Jun 29  2023 ifpromisc.c
     15638 Jun 29  2023 README
      2283 Jun 29  2023 chkwtmp.c
       582 Jun 29  2023 chkrootkit.lsm
     88420 Jul  6  2023 chkrootkit

These created by make.

     15104 Feb 14 15:51 chklastlog
     15024 Feb 14 15:51 chkwtmp
     15176 Feb 14 15:51 ifpromisc
     15216 Feb 14 15:51 chkproc
     15080 Feb 14 15:51 chkdirs
     14832 Feb 14 15:51 check_wtmpx
    748544 Feb 14 15:51 strings-static
     15088 Feb 14 15:51 chkutmp

Then run the ./chkrootkit to test it.

The chkrootkit that the dnf installs is 0.57 is in /usr/lib64/chkrootkit-0.57 and has these files.

    725888 Jan 23  2024 strings-static
        14 Jan 23  2024 strings -> strings-static
     16048 Jan 23  2024 ifpromisc
     15824 Jan 23  2024 chkwtmp
     15992 Jan 23  2024 chkutmp
     87233 Jan 23  2024 chkrootkit
     16032 Jan 23  2024 chkproc
     15928 Jan 23  2024 chklastlog
     16032 Jan 23  2024 chkdirs
     15968 Jan 23  2024 check_wtmpx
         0 Feb 14 04:20 1

So not clear who makes the rpm to install them in that way.

Ran the 0.57 and the 0.58 and redirected output to files. Then compared, and differences were

    22c22
    < Checking `inetd'... not found
    ---
    > Checking `inetd'... not tested
    119a120,121
    > Searching for Tsunami DDoS Malware.. nothing found
    > Searching for Linux BPF Door.. nothing found
    178,180c180,182
    < ! root 905650 pts/0 /usr/bin/sh /usr/lib64/chkrootkit-0.57/chkrootkit
    < ! root 906780 pts/0 ./chkutmp
    < ! root 906781 pts/0 ps ax -o tty,pid,ruser,args
    ---
    > ! root 906789 pts/0 /bin/sh ./chkrootkit
    > ! root 907932 pts/0 ./chkutmp
    > ! root 907933 pts/0 ps ax -o tty,pid,ruser,args

So looks like 0.58 has some added things.

rkhunter seems to have the same version as sourceforge site.

> By the way, I notice that rkhunter was last patched on my workstation in June of 2022. But its webpage shows its last update to be March of 2024. Our repository almost a year behind on this?
>
> --
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

++
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@guam.net
Re: security: wted?
On 2/13/25 7:39 PM, home user via users wrote:
> On 2/13/25 7:33 PM, Tim wrote:
>> On Thu, 2025-02-13 at 10:50 -0700, home user via users wrote:
>>> When I ran chkrootkit, I got the following (including a few lines of context) regarding
>>
>> Is there a reason you feel the need to check for rootkits?
>>
>> I'm under the impression that if you don't install things from outside of the repos, and keep SELinux running, there's a so-close-to-zero chance of you having a problem that it's not worth worrying about.
>>
>> Unlike Windows, our mail clients don't automatically run executables that have been attached to emails, etc. You have to choose to run executables.
>
> Maybe I'm remembering wrong, but I recall over a decade ago being advised on this list to use 2 tools to watch for malware on this workstation: chkrootkit and rkhunter. (I was also advised that those tools are not perfect.) Being not an IT professional, and trusting that those list members that do the helping are experienced professionals (though not perfect), I live by that advice and run both tools weekly. Also, don't these tools check for more than just rootkits?

That was a very long time ago and even if it was valid advice then, it isn't now.

> By the way, I notice that rkhunter was last patched on my workstation in June of 2022. But its webpage shows its last update to be March of 2024. Our repository almost a year behind on this?

rkhunter hasn't had a new release since 2018. I don't know where you're seeing something from 2024. chkrootkit has a release in 2023, but that's a beta. They're still providing downloads over ftp! Those tools are not going to provide any useful help.
Re: thunderbird problem
Has been happening to me for a couple of years - multiple IMAP google accounts. Mostly, it happens when I delete a bunch of stuff from the Archives folders. Thunderbird would freeze.

Using Wayland, after Thunderbird crashes, Wayland UI was frozen and I had to reboot. So, went back to X (xfce4); Thunderbird crashing does not kill X.

Recently, if I leave Thunderbird alone, it eventually comes back.

RME
Re: thunderbird problem
On 2/13/2025 1:49 AM, fed...@eyal.emu.id.au wrote:
> It is me, the OP. To simplify the story.
> - start TB. OK
> - fetch POP3 mail. A few times in a few hours. All OK.
> - do a "Compact Folders".
>   messages say it completed. The blue activity line remains wavy(*).
>   TB is idle yet it shows 60-70% CPU in "top".
>   If I minimize TB then it stops using CPU.
>   If I select a folder (but do nothing) the %CPU goes up to around 120%.
>   Turning off the status bar also stops using CPU!
>
> This last item probably points at the source of the problem!
>
> TIA
>
> (*) the item at the right side of the bottom status line shows a rolling blue/white pattern, as if it is active.

Yeah- similar issues seem to be a persistent theme reported for TBird over several years now. Search the TBird bugzilla and you'll see it popping up again and again.

I reported pretty much the same thing 2..3 years back- my guess was a tight display-update loop that continuously called the display-manager (X11 at that time) for an unchanged status.

ron
Re: thunderbird problem
On Thu, 2025-02-13 at 18:49 +1100, fed...@eyal.emu.id.au wrote:
> It is me, the OP. To simplify the story.
> - start TB. OK
> - fetch POP3 mail. A few times in a few hours. All OK.
> - do a "Compact Folders".
>   messages say it completed. The blue activity line remains wavy(*).
>   TB is idle yet it shows 60-70% CPU in "top".
>   If I minimize TB then it stops using CPU.
>   If I select a folder (but do nothing) the %CPU goes up to around 120%.
>   Turning off the status bar also stops using CPU!
>
> This last item probably points at the source of the problem!

Ha! Typical, it spends more time fiddling with the display than doing the job.

When I used Thunderbird, long ago, it took an absolute age re-indexing folders. Folders that had their contents changed since the last time Thunderbird looked into them, because the IMAP server was accessed by more than one mail client, and it had to fiddle around with its local mbox cache files.

I never thought of turning off a status indicator (and wouldn't want to, either). But out of curiosity, what method is your Thunderbird using to store messages locally? And is it less burdened on a folder with very few messages in it?

--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
Re: thunderbird problem
On 13/2/25 20:38, Tim wrote:
> On Thu, 2025-02-13 at 18:49 +1100, fed...@eyal.emu.id.au wrote:
>> It is me, the OP. To simplify the story.
>> - start TB. OK
>> - fetch POP3 mail. A few times in a few hours. All OK.
>> - do a "Compact Folders".
>>   messages say it completed. The blue activity line remains wavy(*).
>>   TB is idle yet it shows 60-70% CPU in "top".
>>   If I minimize TB then it stops using CPU.
>>   If I select a folder (but do nothing) the %CPU goes up to around 120%.
>>   Turning off the status bar also stops using CPU!
>>
>> This last item probably points at the source of the problem!
>
> Ha! Typical, it spends more time fiddling with the display than doing the job.
>
> When I used Thunderbird, long ago, it took an absolute age re-indexing folders. Folders that had their contents changed since the last time Thunderbird looked into them, because the IMAP server was accessed by more than one mail client, and it had to fiddle around with its local mbox cache files.
>
> I never thought of turning off a status indicator (and wouldn't want to, either). But out of curiosity, what method is your Thunderbird

I would also prefer to have the status line visible.

> using to store messages locally? And is it less burdened on a folder with very few messages in it?

I fetch mail using POP3, so everything is local. I use message filters into many dozens of folders. Opening a folder is quick enough to not notice. Marking junk messages takes a few seconds after all mail arrives.

--
Eyal at Home (fed...@eyal.emu.id.au)
Re: security: wted?
On 2/13/25 1:00 PM, Dave Close wrote:
> home user via users wrote:
>> (f40; gnome; last patched minutes ago)
>>
>> When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted":
>> - - - - - -
>> [snip]
>> Checking `w55808'... not infected
>> Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025
>> 1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025
>> 1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025
>> 1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025
>> Checking `scalper'... not infected
>> [snip]
>> bash.5[~]:
>> - - - - - -
>> I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted".
>>
>> I tried to find what "wted" is:
>> - - - - - -
>> bash.5[~]: which wted
>> /usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin)
>> bash.6[~]: whereis wted
>> wted:
>> bash.7[~]: man wted
>> No manual entry for wted
>> bash.8[~]: dnf info wted
>> Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST.
>> Error: No matching Packages to list
>> bash.9[~]:
>> - - - - - -
>> duck-duck-go and google gave me nothing useful.
>>
>> What is "wted", and is there a security problem?
>
> You didn't try but I did:
>
> # dnf provides */wted
> No matches found.
>
> Sorry, no answer to your real question.

Thank-you, Dave.
Re: security: wted?
> On 13 Feb 2025, at 17:51, home user via users wrote:
>
> When I ran chkrootkit

I cannot find evidence of this tool being maintained. But I did find people saying its reports contain false positives.

Barry
Re: security: wted?
On 2/13/25 3:11 PM, home user via users wrote:
> On 2/13/25 2:40 PM, Jonathan Billings wrote:
>> On Feb 13, 2025, at 12:51, home user via users wrote:
>>> [snip]
>>> What is "wted", and is there a security problem?
>>
>> The “wted” function in the chkrootkit script runs “chkwtmp -f /var/log/wtmp” (the executable is part of the package and might not be on your path)
>>
>> What I think it’s doing is identifying time periods that appear to have been removed from the wtmp file, which is a binary log file that is updated every time you log in and out. The “last” command reads it, for example. A potentially compromised system might have the malicious login wiped from the file, although I’ve never seen that. This checker was written many years ago and I have no idea how accurate it is with modern tools and the current structure of that file.
>>
>> The chkrootkit code isn’t in any useful code repository so who knows what is going on there.
>>
>> Hope that helps.
>
> Thank-you Jonathan.
>
> Is there a way of checking for outside connections during the time periods being reported?

"Something inside me" suggested I try the "last" command, even though what you said suggested wtmp might be corrupted. I did so.

For some unknown reason, booting this workstation sometimes fails to result in a login screen; it just goes black. I have to hit the tower's reset button. It often takes 2 boots, occasionally 3, to get a login screen. I've not been able to discern a pattern to this. In the output to "last", I can see when those multiple boots happened. The wted messages in the chkrootkit output all coincide with when it took 2 or 3 boots to get a login screen, though most multiple boots did not correspond to wted messages in the chkrootkit output.

I'm now thinking the wted messages are not a security issue, but I'm not certain.
Re: security: wted?
On 2/13/25 2:40 PM, Jonathan Billings wrote:
> On Feb 13, 2025, at 12:51, home user via users wrote:
>> (f40; gnome; last patched minutes ago)
>>
>> When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted":
>> - - - - - -
>> [snip]
>> Checking `w55808'... not infected
>> Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025
>> 1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025
>> 1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025
>> 1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025
>> Checking `scalper'... not infected
>> [snip]
>> bash.5[~]:
>> - - - - - -
>> I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted".
>>
>> I tried to find what "wted" is:
>> - - - - - -
>> bash.5[~]: which wted
>> /usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin)
>> bash.6[~]: whereis wted
>> wted:
>> bash.7[~]: man wted
>> No manual entry for wted
>> bash.8[~]: dnf info wted
>> Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST.
>> Error: No matching Packages to list
>> bash.9[~]:
>> - - - - - -
>> duck-duck-go and google gave me nothing useful.
>>
>> What is "wted", and is there a security problem?
>
> The “wted” function in the chkrootkit script runs “chkwtmp -f /var/log/wtmp” (the executable is part of the package and might not be on your path)
>
> What I think it’s doing is identifying time periods that appear to have been removed from the wtmp file, which is a binary log file that is updated every time you log in and out. The “last” command reads it, for example. A potentially compromised system might have the malicious login wiped from the file, although I’ve never seen that. This checker was written many years ago and I have no idea how accurate it is with modern tools and the current structure of that file.
>
> The chkrootkit code isn’t in any useful code repository so who knows what is going on there.
>
> Hope that helps.

Thank-you Jonathan.

Is there a way of checking for outside connections during the time periods being reported?
Re: security: wted?
On 2/13/25 1:15 PM, Barry wrote:
>> On 13 Feb 2025, at 17:51, home user via users wrote:
>>
>> When I ran chkrootkit
>
> I cannot find evidence of this tool being maintained. But I did find people saying its reports contain false positives.
>
> Barry

Thank-you, Barry.

I "patch" weekly. dnf says this tool was last patched on my workstation on Dec. 12, 2023. dnf says I have version 0,47, It's in the @System repository, from fedora repo. The tool's webpage says there is a 0.58b, released on July 05, 2023. So our repository does seem behind, and it does seem the tool is being maintained slowly if still at all.

This morning on the web, I did see that chkrootkit is prone to false positives. I've seen that with the tool's check of "lkm".
Re: security: wted?
On Feb 13, 2025, at 12:51, home user via users wrote:
>
> (f40; gnome; last patched minutes ago)
>
> When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted":
> - - - - - -
> [snip]
> Checking `w55808'... not infected
> Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025
> 1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025
> 1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025
> 1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025
> Checking `scalper'... not infected
> [snip]
> bash.5[~]:
> - - - - - -
> I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted".
>
> I tried to find what "wted" is:
> - - - - - -
> bash.5[~]: which wted
> /usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin)
> bash.6[~]: whereis wted
> wted:
> bash.7[~]: man wted
> No manual entry for wted
> bash.8[~]: dnf info wted
> Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST.
> Error: No matching Packages to list
> bash.9[~]:
> - - - - - -
> duck-duck-go and google gave me nothing useful.
>
> What is "wted", and is there a security problem?

The “wted” function in the chkrootkit script runs “chkwtmp -f /var/log/wtmp” (the executable is part of the package and might not be on your path)

What I think it’s doing is identifying time periods that appear to have been removed from the wtmp file, which is a binary log file that is updated every time you log in and out. The “last” command reads it, for example. A potentially compromised system might have the malicious login wiped from the file, although I’ve never seen that. This checker was written many years ago and I have no idea how accurate it is with modern tools and the current structure of that file.

The chkrootkit code isn’t in any useful code repository so who knows what is going on there.

Hope that helps.

--
Jonathan Billings
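One way to inspect the same condition by hand, as an added example that is not part of the thread or of chkrootkit: it assumes the checker counts wtmp records whose timestamp field is zero as "deletions", and it assumes the 384-byte glibc record layout used on x86_64 Linux. The helper names, the `adjacent_boot` hint and the sample records are constructed for illustration.

```python
import struct
import sys
from datetime import datetime, timezone

# Assumed layout: glibc "struct utmp" on x86_64 Linux, 384 bytes per record
# (see utmp(5)). "<" disables implicit padding, so the two pad bytes after
# ut_type are written out as "2x".
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME = 2
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
              6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return one dict per complete record; a truncated tail is ignored."""
    usable = len(data) - len(data) % UTMP.size
    records = []
    for index, offset in enumerate(range(0, usable, UTMP.size)):
        f = UTMP.unpack_from(data, offset)
        records.append({"index": index, "type": f[0], "line": _text(f[2]),
                        "user": _text(f[4]), "host": _text(f[5]), "time": f[9]})
    return records


def find_gaps(records):
    """Group runs of zero-timestamp records and keep their dated neighbours."""
    gaps, run, prev = [], 0, None
    for rec in records:
        if rec["time"] == 0:
            run += 1
            continue
        if run:
            gaps.append({"count": run, "before": prev, "after": rec})
        run, prev = 0, rec
    if run:  # zeroed records at the very end of the file
        gaps.append({"count": run, "before": prev, "after": None})
    for gap in gaps:
        # Triage hint only: a boot record next to the gap is worth comparing
        # with the reboot entries that "last" prints for the same period.
        gap["adjacent_boot"] = any(
            n is not None and n["type"] == BOOT_TIME
            for n in (gap["before"], gap["after"]))
    return gaps


def describe(gap):
    """Render one gap with the dated records on either side of it."""
    def side(rec):
        if rec is None:
            return "(no dated record)"
        stamp = datetime.fromtimestamp(rec["time"], timezone.utc)
        kind = TYPE_NAMES.get(rec["type"], f"type {rec['type']}")
        return (f"{stamp:%Y-%m-%d %H:%M:%S} UTC {kind} "
                f"user={rec['user'] or '-'} line={rec['line'] or '-'}")
    hint = "boot record adjacent" if gap["adjacent_boot"] else "no boot record adjacent"
    return (f"{gap['count']} zeroed record(s)\n  before: {side(gap['before'])}\n"
            f"  after:  {side(gap['after'])}\n  note:   {hint}")


def make_record(ut_type, user=b"", line=b"", ts=0):
    """Build one constructed record for the sample below."""
    return UTMP.pack(ut_type, 0, line, b"", user, b"", 0, 0, 0, ts,
                     0, 0, 0, 0, 0, b"")


T0 = 1_700_000_000  # constructed timestamps, not taken from the thread
SAMPLE = b"".join([
    make_record(BOOT_TIME, b"reboot", b"~", T0),
    make_record(7, b"alice", b"tty2", T0 + 60),
    make_record(0),                                   # zeroed record
    make_record(BOOT_TIME, b"reboot", b"~", T0 + 200),
    make_record(7, b"alice", b"tty2", T0 + 260),
]) + b"\0" * 100                                      # truncated tail

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for gap in find_gaps(parse_wtmp(raw)):
        print(describe(gap))
```

Run with a path to a copy of /var/log/wtmp as the only argument, or with no argument to use the constructed sample.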
Re: security: wted?
home user via users wrote:
>(f40; gnome; last patched minutes ago)
>
>When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted":
>- - - - - -
>[snip]
>Checking `w55808'... not infected
>Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025
>1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025
>1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025
>1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025
>Checking `scalper'... not infected
>[snip]
>bash.5[~]:
>- - - - - -
>I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted".
>
>I tried to find what "wted" is:
>- - - - - -
>bash.5[~]: which wted
>/usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin)
>bash.6[~]: whereis wted
>wted:
>bash.7[~]: man wted
>No manual entry for wted
>bash.8[~]: dnf info wted
>Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST.
>Error: No matching Packages to list
>bash.9[~]:
>- - - - - -
>duck-duck-go and google gave me nothing useful.
>
>What is "wted", and is there a security problem?

You didn't try but I did:

# dnf provides */wted
No matches found.

Sorry, no answer to your real question.

--
Dave Close, Compata, Irvine CA +1 714 434 7359
d...@compata.com dhcl...@alumni.caltech.edu
"Technology has the shelf life of a banana." - Scott McNealy
security: wted?
(f40; gnome; last patched minutes ago)

When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted":
- - - - - -
[snip]
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025
1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025
1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025
1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025
Checking `scalper'... not infected
[snip]
bash.5[~]:
- - - - - -
I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted".

I tried to find what "wted" is:
- - - - - -
bash.5[~]: which wted
/usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin)
bash.6[~]: whereis wted
wted:
bash.7[~]: man wted
No manual entry for wted
bash.8[~]: dnf info wted
Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST.
Error: No matching Packages to list
bash.9[~]:
- - - - - -
duck-duck-go and google gave me nothing useful.

What is "wted", and is there a security problem?
Re: security: wted?
On 2/13/25 7:33 PM, Tim wrote:
> On Thu, 2025-02-13 at 10:50 -0700, home user via users wrote:
>> When I ran chkrootkit, I got the following (including a few lines of context) regarding
>
> Is there a reason you feel the need to check for rootkits?
>
> I'm under the impression that if you don't install things from outside of the repos, and keep SELinux running, there's a so-close-to-zero chance of you having a problem that it's not worth worrying about.
>
> Unlike Windows, our mail clients don't automatically run executables that have been attached to emails, etc. You have to choose to run executables.

Maybe I'm remembering wrong, but I recall over a decade ago being advised on this list to use 2 tools to watch for malware on this workstation: chkrootkit and rkhunter. (I was also advised that those tools are not perfect.) Being not an IT professional, and trusting that those list members that do the helping are experienced professionals (though not perfect), I live by that advice and run both tools weekly. Also, don't these tools check for more than just rootkits?

By the way, I notice that rkhunter was last patched on my workstation in June of 2022. But its webpage shows its last update to be March of 2024. Our repository almost a year behind on this?
Re: security: wted?
On Thu, 2025-02-13 at 10:50 -0700, home user via users wrote:
> When I ran chkrootkit, I got the following (including a few lines of
> context) regarding

Is there a reason you feel the need to check for rootkits?

I'm under the impression that if you don't install things from outside of the repos, and keep SELinux running, there's a so-close-to-zero chance of you having a problem that it's not worth worrying about.

Unlike Windows, our mail clients don't automatically run executables that have been attached to emails, etc. You have to choose to run executables.

--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.