Discussion:
chkrootkit deletion(s)
Martin Knipper
2002-04-26 07:55:35 UTC
Hi all,

I was running chkrootkit (www.chkrootkit.org) two days ago and
everything seemed to be normal output. Except this:

[...]
Checking `wted'... 2 deletion(s) between Tue Apr 16 18:11:18 2002
and Thu Apr 18 21:43:32 2002
3 deletion(s) between Thu Apr 18 22:30:05 2002 and Mon Dec 23
09:09:48 1935
10 deletion(s) between Sat Apr 20 12:04:47 2002 and Tue Apr 23
17:10:35 2002
4 deletion(s) between Tue Apr 23 23:56:43 2002 and Wed Apr 24
23:54:18 2002
[...]

Is there something I need to worry about ?

regards ---Martin
--
To unsubscribe, e-mail: suse-security-***@suse.com
For additional commands, e-mail: suse-security-***@suse.com
Security-related bug reports go to ***@suse.de, not here
Boris Lorenz
2002-04-26 12:24:14 UTC
Yohei,
Post by Martin Knipper
Hi all,
I was running chkrootkit (www.chkrootkit.org) two days ago and
[...]
Checking `wted'... 2 deletion(s) between Tue Apr 16 18:11:18 2002
and Thu Apr 18 21:43:32 2002
[...]

wted is a quite common tool in the cracker scene for clearing the
wtmp/utmp of specific user entries. Chkrootkit's assumption of 2
deleted lines in these files is based on certain traces wted leaves
behind. However, I've seen false positives for this with chkrootkit as
well, so it's best to do some more checks before ringing the alarm bell.
Also, make sure you use the latest version of chkrootkit.

Clearing of traces of intrusions by deleting suspicious entries from
various logfiles is called "sys phogging", "log phogging" or
"de-logging", a common technique used by attackers to hide their tracks.
There are countless tools out there for this purpose; wted is just one
of them.

wted is also part of many root kits (for ex. the well-known Linux
RootKit II/III).
Post by Martin Knipper
regards ---Martin
Boris Lorenz <***@lupa.de>
---