Re: security: wted?

Thu, 13 Feb 2025 15:18:07 -0800 

On 2/13/25 3:11 PM, home user via users wrote:

On 2/13/25 2:40 PM, Jonathan Billings wrote:

On Feb 13, 2025, at 12:51, home user via users <users@lists.fedoraproject.org> 
wrote:

[snip]


What is "wted", and is there a security problem?


The “wted” function in the chkrootkit script runs “chwtmp -f /var/log/wtmp` 
(the executable is part of the package and might not be on your path)

What I think it’s doing is identifying time periods that appear to have been 
removed from the wtmp file, which is a binary log file that is updated every 
time you log in and out. The “last” command reads it, for example. A 
potentially compromised system might have the malicious login wiped from the 
file, although I’ve never seen that.

  This checker was written many years ago and I have no idea how accurate it is 
with modern tools and the current structure of that file. The chkrootkit code 
isn’t in any useful code repository so who knows what is going on there.

Hope that helps.


Thank-you Jonathan.

Is there a way of checking for outside connections during the time periods 
being reported?


"Something inside me" suggested I try the "last" command, even though what you said 
suggested wtmp might be corrupted.  I did so.  For some unknown reason, booting this workstation sometimes 
fails to result in a login screen; it just goes black.  I have to hit the tower's reset button.  It often 
takes 2 boots, occasionally 3, to get a login screen.  I've not been able to discern a pattern to this.  In 
the output to "last", I can see when those multiple boots happened.  The wted messages in the 
chkrootkit output all coincide with when it took 2 or 3 boots to get a login screen, though most multiple 
boots that did not correspond to wted messages in the chkrootkit output.  I'm now thinking the wted messages 
are not a security issue, but I'm not certain.

--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue






















					Reply via email to