Re: output of last
Incoming from Jan Lühr:
> Greetings,
>
> I discovered some strange output of the last command on our Woody
> Terminalserver (for X11). I have already posted it on debian-user-german, but
> I didn't get any answer. (I hope you don't mind, if I post it for the English
> speaking majority)
> Although I hope it is not security related, I think it may have a security
> related aspect, which I cannot ignore.
>
> At first I ran an ordinary chkrootkit scan (like I do it every one or two weeks).
Two weeks? I run it every night.
> This time, it discovered:
>
> Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and Sun Apr
> 7 02:03:36 1974
Have you checked the chkrootkit archives for anything like this?
> 17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36 1974
Whaat?!? Between 2004 and 1974?!?
> So I renamed all related files in order to start with a non-corrupt database.
> But what could have caused this corruption? The machine itself is quite stable
Sunspots? Disk errors? Resource exhaustion? Unless you can
definitively nail it down, I wouldn't start worrying until it happens
again.
> But because of being a valuable information on intruders, intruders or illegal
> root'ers might have compromised it.
>
> What's your opinion?
Can you send logging to another (perhaps dedicated) machine?
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
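An added example, not part of the original thread and not chkrootkit's own code: one way to scan a wtmp-format file for the two anomalies visible in the quoted report, runs of records whose timestamp is zero and timestamps that go backwards. The 384-byte little-endian record layout (glibc on Linux), the function names and the sample timestamps are assumptions constructed for illustration.

```python
import struct

# Assumption: 384-byte little-endian glibc/Linux utmp record layout.
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
TV_SEC = 9  # index of ut_tv.tv_sec in the unpacked tuple

def make_record(tv_sec):
    """Build one constructed record; tv_sec == 0 yields an all-zero record."""
    if tv_sec == 0:
        return bytes(REC.size)
    return REC.pack(7, 1234, b"pts/0", b"", b"demo", b"", 0, 0, 0,
                    tv_sec, 0, 0, 0, 0, 0, b"")

def scan_wtmp(data):
    """Return (kind, count, start_ts, end_ts) findings for a wtmp byte string."""
    findings = []
    prev_ts = 0   # last non-zero timestamp seen (0 = none yet)
    run = 0       # length of the current run of zero-timestamp records
    run_start = 0
    usable = len(data) - len(data) % REC.size
    for off in range(0, usable, REC.size):
        ts = REC.unpack_from(data, off)[TV_SEC]
        if ts == 0:
            if run == 0:
                run_start = prev_ts  # stays 0 (the epoch) at start of file
            run += 1
            continue
        if run:
            findings.append(("zeroed", run, run_start, ts))
            run = 0
        elif prev_ts and ts < prev_ts:
            findings.append(("backwards", 1, prev_ts, ts))
        prev_ts = ts
    if run:  # file ends inside a zeroed run
        findings.append(("zeroed", run, run_start, 0))
    if usable != len(data):  # trailing partial record
        findings.append(("truncated", len(data) - usable, 0, 0))
    return findings

# Constructed sample: two zeroed records, then one timestamp far in the past.
SAMPLE = b"".join(make_record(t) for t in
                  [1075000000, 0, 0, 1075003600, 134500000, 1075007200])

if __name__ == "__main__":
    for finding in scan_wtmp(SAMPLE):
        print(finding)
```

Under this model, a "zeroed" finding whose start is 0 or whose start is later than its end has the same shape as the two report lines quoted in the thread, and points at garbage timestamps rather than a cleanly bracketed gap.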