output of last
Greetings,
I discovered some strange output of the last command on our Woody
Terminalserver (for X11). I have already posted it on debian-user-german, but
I didn't get any answer. (I hope you don't mind if I post it for the English
speaking majority.)
Although I hope it is not security related, I think it may have a security
related aspect which I cannot ignore.
At first I ran an ordinary chkrootkit scan (like I do every one or two weeks).
This time, it discovered:
Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and Sun Apr 7 02:03:36 1974
3 deletion(s) between Sun Apr 7 02:03:36 1974 and Tue Feb 3 09:08:53 2004
35 deletion(s) between Sun Jan 25 08:20:56 2004 and Wed Feb 4 09:38:39 2004
13 deletion(s) between Sun Jan 25 08:20:56 2004 and Wed Feb 4 23:41:11 2004
101 deletion(s) between Thu Feb 5 00:02:52 2004 and Wed Mar 25 18:24:58 1970
1 deletion(s) between Wed Mar 25 18:24:58 1970 and Wed Mar 25 18:24:58 1970
8 deletion(s) between Sun Apr 7 02:03:36 1974 and Mon Feb 9 09:01:04 2004
8 deletion(s) between Sun Jan 25 08:20:56 2004 and Tue Feb 10 10:56:08 2004
8 deletion(s) between Tue Feb 10 10:57:03 2004 and Tue Feb 10 12:09:25 2004
1 deletion(s) between Sun Jan 25 08:20:56 2004 and Tue Feb 10 13:40:32 2004
17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36 1974
31 deletion(s) between Sun Jan 25 08:20:56 2004 and Fri Feb 13 09:32:27 2004
2 deletion(s) between Sun Jan 25 08:20:56 2004 and Fri Feb 13 11:51:10 2004
2 deletion(s) between Fri Feb 13 11:51:41 2004 and Sat Feb 14 21:11:51 2004
14 deletion(s) between Sun Feb 15 10:19:39 2004 and Sun Apr 7 02:03:36 1974
47 deletion(s) between Sun Jan 25 08:20:56 2004 and Wed Feb 18 14:27:08 2004
19 deletion(s) between Thu Feb 19 00:19:47 2004 and Fri Feb 20 09:28:55 2004
20 deletion(s) between Sun Jan 25 08:20:56 2004 and Fri Feb 20 14:09:22 2004
Sadly (or luckily ;) no other routine found anything else.
This output is quite strange. While nearly all entries are related to 2004,
others went back to 1974 or even 1970.
So I suspected a corrupt database, and the output of last seems to endorse my
suspicion.
root pts/2 192.168.1.253 Fri Feb 20 14:13 still logged in
root pts/1 192.168.1.253 Fri Feb 20 14:10 still logged in
root pts/1 192.168.1.253 Fri Feb 20 14:09 - 14:09 (00:00)
Ok, that's correct
rucker:0 ***@H^*@** mfelten Thu Jan 1 01:00 still logged in
rucker is neither a computer nor a user, and mfelten is a user. Furthermore, the
machine doesn't have an uptime of two months - kernel updates forced the
machine to be rebooted.
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ** Thu Jan 1 01:00 gone - no logout
These are quite strange entries, and there is neither a user nor a machine called
cal.
h******* ****h******* rucker:0 Thu Jan 1 01:00 gone - no logout
rucker again?!
root pts/1 192.168.1.253 Thu Feb 19 00:03 - 00:19 (00:16)
root pts/1 192.168.1.253 Wed Feb 18 23:47 - 23:48 (00:00)
root pts/1 alpha Wed Feb 18 14:54 - 14:54 (00:00)
root pts/1 alpha Wed Feb 18 14:27 - 14:45 (00:18)
That's ok.
h******* <***h******@ h*******h******* Thu Jan 1 01:00 gone - no logout
nt-55.lo ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ***@H^*@** Thu Jan 1 01:00 - 01:00 (00:00)
cal:0 ** Thu Jan 1 01:00 - 01:00 (00:00)
That's not.
Let's go on.
root pts/1 client-64.local Tue Feb 17 10:29 - 10:29 (00:00)
fatmay client-50.lo Tue Feb 17 09:00 - 10:47 (01:46)
swojmon client-51.lo Tue Feb 17 08:59 - 10:47 (01:47)
h******* ****h******* h*******h******* Thu Jan 1 01:00 - 01:00 (00:00)
root pts/1 192.168.1.253 Sun Feb 15 10:19 - 10:19 (00:00)
root pts/1 192.168.1.253 Sat Feb 14 21:11 - 21:13 (00:02)
h******* ****h******* FA Thu Jan 1 01:00 - 01:00 (00:00)
root tty3 Fri Feb 13 11:51 still logged in
root tty2 Fri Feb 13 11:51 still logged in
mfelten client-51.lo Fri Feb 13 10:26 - 08:59 (3+22:33)
svolbjo client-51.lo Fri Feb 13 09:59 - 10:26 (00:26)
svolbjo client-51.lo Fri Feb 13 09:38 - 09:58 (00:20)
davidm client-50.lo Fri Feb 13 09:37 - 09:00 (3+23:23)
root pts/1 client-167.local Fri Feb 13 09:32 - 09:35 (00:03)
and so on.
So I renamed all related files in order to start with a non-corrupt database.
But what could have caused this corruption? The machine itself is quite stable
- no kernel panics or segfaults of the kernel or system-related programs, libs,
modules, etc. have happened as far as I remember. Because of the load of the
system, logrotate would have already put it out of the database - might
logrotate be responsible?
But because it is valuable information on intruders, intruders or illegal
root'ers might have compromised it.
What's your opinion?
Keep smiling
yanosz
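A defender-side check for the kind of wtmp corruption shown in the post, added here as an example; it is not part of the original message and not chkrootkit's code. It parses binary utmp records (assuming the 384-byte glibc layout on Linux) and flags epoch-zero or backwards timestamps and non-printable bytes in the user, tty or host fields, which is roughly what the `wted` report and the garbled `last` lines are surfacing. The sample records, the cut-off date and the `make_record` helper are constructed for the example.

```python
import struct

# Assumption: glibc's struct utmp on Linux (384 bytes, 32-bit time fields); not chkrootkit's code
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
MIN_SANE_TIME = 946684800  # 2000-01-01 UTC; older stamps are treated as suspect

def cstr(raw):
    # NUL-padded C string field: keep the bytes up to the first NUL
    return raw.split(b"\0", 1)[0]

def is_printable(field):
    # printable ASCII only; garbage such as '***@H^*@**' in the post fails this
    return all(32 <= c < 127 for c in field)

def parse_records(data):
    # split a wtmp image into dicts; a trailing partial record is ignored
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({"line": cstr(f[2]), "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]})
    return records

def audit(records, min_sane=MIN_SANE_TIME):
    # return (index, reason) pairs for records that look corrupt or edited
    findings, prev_time = [], None
    for n, r in enumerate(records):
        if r["time"] < min_sane:
            findings.append((n, "implausible timestamp %d" % r["time"]))
        if prev_time is not None and r["time"] < prev_time:
            # wtmp is append-only: time running backwards is the gap a "deletion(s) between" report flags
            findings.append((n, "timestamp earlier than previous record"))
        for name in ("line", "user", "host"):
            if not is_printable(r[name]):
                findings.append((n, "non-printable bytes in ut_%s" % name))
        prev_time = r["time"]
    return findings

def make_record(user, line, host, tv_sec, ut_type=7, pid=1234):
    # build one USER_PROCESS-style record (constructed test data only)
    return struct.pack(UTMP_FMT, ut_type, pid, line, b"", user, host,
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: two sane root logins around a record that mimics the post's
# "rucker:0 ***@H^*@** mfelten Thu Jan 1 01:00" line (epoch 0, garbage tty field)
SAMPLE_WTMP = b"".join([
    make_record(b"root", b"pts/1", b"192.168.1.253", 1077289740),
    make_record(b"rucker:0", b"\xff\xfeH^\x01*", b"mfelten", 0),
    make_record(b"root", b"pts/2", b"192.168.1.253", 1077289980)])
```

Run `audit(parse_records(open("/var/log/wtmp", "rb").read()))` on a real file; a wtmp that only ever grows and only carries printable names should return an empty list, so any hit is worth comparing against the raw `last` output.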