
Re: output of last



Greetings,...

On Saturday, 21 February 2004 17:11, s. keeling wrote:
> Incoming from Jan Lühr:
> > Greetings,
> >
> > I discovered some strange output of the last command on our Woody
> > Terminalserver (for X11). I have already posted it on debian-user-german,
> > but I didn't get any answer. (I hope you don't mind if I post it for the
> > English speaking majority.)
> > Although I hope it is not security related, I think it may have a
> > security related aspect, which I cannot ignore.
> >
> > At first I ran an ordinary chkrootkit scan (like I do every one or two
> > weeks).
>
> Two weeks?  I run it every night.

Well, perhaps I should increase the frequency.

> > This time, it discovered:
> >
> > Checking `wted'... 24 deletion(s) between Thu Jan  1 01:00:00 1970 and
> > Sun Apr 7 02:03:36 1974
>
> Have you checked the chkrootkit archives for anything like this?

Honestly, I had a similar problem with another machine, posted it in May 2002
and didn't get an answer till now.

> > 17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr  7 02:03:36
> > 1974
>
> Whaat?!?  Between 2004 and 1974?!?

That's my reaction, too.

> > So I renamed all related files in order to start with a non-corrupt
> > database. But what could have caused this corruption? The machine itself
> > is quite stable.
>
> Sunspots? 

Maybe, but nothing else was wrong.

> Disk errors?  

Referring to smartmontools, none.

> Resource exhaustion?  

Maybe. This server uses non-registered RAM. (I know, I already fought my war
against this machine, but the institution I work for is quite uncooperative.)

> Unless you can
> definitively nail it down, I wouldn't start worrying until it happens
> again.

Of course - but the server has to keep running for the next days.
I'll reinstall it from scratch if it is a security issue, but I hope it is not -
maybe there was just a power interruption which left a corrupt database behind.
I really don't know.

> > But because it is valuable information on intruders, intruders or
> > illegal root'ers might have compromised it.
> >
> > What's your opinion?
>
> Can you send logging to another (perhaps dedicated) machine?

Good idea, I have thought of that, but it seems rather paranoid to me.
Maybe it is time to realize it.

Keep smiling
yanosz
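
The wted output quoted in this thread reports "deletion(s)" bracketed by two timestamps, one of them the 1970 epoch. Below is an added example, not part of this thread and not chkrootkit's code, showing how such an audit of wtmp can be done by hand: it parses the Linux/glibc 384-byte utmp record layout (an assumption about the platform), treats runs of all-NUL records as deletions (a simplified stand-in for chkrootkit's heuristic, not a reproduction of it), and flags timestamps that run backwards across live records, which is how a 1974 date ends up following a 2004 one. The sample wtmp bytes are constructed inline so the script runs offline; on a real host you would read `/var/log/wtmp` instead.

```python
"""Audit a Linux wtmp file for zeroed-out records, non-monotonic timestamps
and a torn final record.  Added example with constructed sample data; this
is not chkrootkit's own implementation of the wted check."""
import struct
import time
from dataclasses import dataclass
from typing import List, Tuple

# Assumed layout: glibc utmp on Linux (bits/utmp.h), 384 bytes per record.
# ut_tv is stored as two 32-bit ints even on 64-bit hosts.
UTMP_FMT = "=hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
BACKWARD_TOLERANCE = 60  # seconds; small clock adjustments are normal


@dataclass
class Record:
    index: int
    ut_type: int
    user: str
    line: str
    host: str
    ts: int          # ut_tv.tv_sec
    zeroed: bool     # the whole 384-byte record is NUL


def _cstr(b: bytes) -> str:
    return b.split(b"\x00", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> Tuple[List[Record], int]:
    """Return (records, trailing_bytes); trailing bytes mean the last
    record was truncated or only partially written."""
    recs = []
    for i in range(len(data) // UTMP_SIZE):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        recs.append(Record(i, f[0], _cstr(f[4]), _cstr(f[2]), _cstr(f[5]),
                           f[9], raw == b"\x00" * UTMP_SIZE))
    return recs, len(data) % UTMP_SIZE


def _fmt(ts: int) -> str:
    return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts))


def audit_wtmp(data: bytes) -> List[Tuple[str, str]]:
    """Return (kind, message) findings; kinds are 'truncated', 'deletion'
    and 'backward'.  An empty list means nothing suspicious was seen."""
    recs, trailing = parse_wtmp(data)
    findings = []
    if trailing:
        findings.append(("truncated",
                         f"{trailing} trailing byte(s): last record incomplete"))
    # Runs of all-NUL records: tools that 'delete' a login usually zero the
    # record in place rather than shrink the file, which reads as the epoch.
    i, last_good = 0, 0
    while i < len(recs):
        if not recs[i].zeroed:
            last_good = recs[i].ts
            i += 1
            continue
        j = i
        while j < len(recs) and recs[j].zeroed:
            j += 1
        nxt = recs[j].ts if j < len(recs) else last_good
        findings.append(("deletion",
                         f"{j - i} deletion(s) between {_fmt(last_good)} "
                         f"and {_fmt(nxt)}"))
        i = j
    # Live records are appended in time order; a large backward jump is
    # either a corrupt record or one that was written by hand.
    prev = None
    for r in recs:
        if r.zeroed:
            continue
        if prev is not None and r.ts < prev.ts - BACKWARD_TOLERANCE:
            findings.append(("backward",
                             f"record {r.index} ({r.user!r} on {r.line!r}) dated "
                             f"{_fmt(r.ts)} follows record {prev.index} dated "
                             f"{_fmt(prev.ts)}"))
        prev = r
    return findings


def make_record(ut_type: int, user: str, line: str, host: str, ts: int) -> bytes:
    """Build one 384-byte record; used only to construct the sample below."""
    return struct.pack(UTMP_FMT, ut_type, 1000 + ts % 1000, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample: a Jan 2004 boot, one login, two zeroed records, another
# session, a record with an absurd 1974 timestamp, and three stray bytes.
BASE = 1075000000  # 2004-01-25 UTC
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "2.4.18", BASE),
    make_record(USER_PROCESS, "alice", "pts/0", "10.0.0.5", BASE + 100),
    b"\x00" * UTMP_SIZE,
    b"\x00" * UTMP_SIZE,
    make_record(USER_PROCESS, "bob", "pts/1", "10.0.0.9", BASE + 500),
    make_record(DEAD_PROCESS, "", "pts/1", "", BASE + 700),
    make_record(USER_PROCESS, "carol", "pts/2", "10.0.0.7", 134528616),  # Apr 1974
]) + b"\x01\x02\x03"

if __name__ == "__main__":
    for kind, msg in audit_wtmp(SAMPLE_WTMP):
        print(f"[{kind}] {msg}")
```

Running the script against the constructed sample reports the two zeroed records as "2 deletion(s)" between the surrounding live timestamps, the 1974 record as a backward jump, and the three stray bytes as a truncated tail. None of these findings identifies a cause; like the chkrootkit output in the thread, they only say where the file stops being self-consistent, which is the point at which shipping the same events to a second, write-only syslog host (as suggested above) starts to pay off.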


