Re: output of last
Greetings,...
On Saturday, 21 February 2004 17:11, s. keeling wrote:
> Incoming from Jan Lühr:
> > Greetings,
> >
> > I discovered some strange output of the last command on our Woody
> > terminal server (for X11). I have already posted it on debian-user-german,
> > but I didn't get any answer. (I hope you don't mind if I post it for the
> > English-speaking majority)
> > Although I hope it is not security related, I think it may have a
> > security related aspect, which I cannot ignore.
> >
> > At first I ran an ordinary chkrootkit scan (like I do every one or two
> > weeks).
>
> Two weeks? I run it every night.
Well, perhaps I should increase the frequency.
> > This time, it discovered:
> >
> > Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and
> > Sun Apr 7 02:03:36 1974
>
> Have you checked the chkrootkit archives for anything like this?
Honestly, I had a similar problem with another machine, posted it in May 2002
and didn't get an answer till now.
> > 17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36
> > 1974
>
> Whaat?!? Between 2004 and 1974?!?
That's my reaction, too.
> > So I renamed all related files in order to start with a non-corrupt
> > database. But what could have caused this corruption? The machine itself
> > is quite stable
>
> Sunspots?
Maybe, but nothing else was wrong.
> Disk errors?
Referring to smartmontools, none.
> Resource exhaustion?
Maybe. This server uses non-registered RAM. (I know, I already fought my war
against this machine, but the institution I work at is quite uncooperative)
> Unless you can
> definitively nail it down, I wouldn't start worrying until it happens
> again.
Of course - but the server has to keep running. For the next days.
I'll reinstall 'em from scratch if it is a sec issue but I hope it is not -
maybe there was just a power interruption which left a corrupt database behind.
I really don't know.
> > But because of being a valuable information on intruders, intruders or
> > illegal root'ers might have compromised it.
> >
> > What's your opinion?
>
> Can you send logging to another (perhaps dedicated) machine?
Good idea, I have thought of that but it seems to be rather paranoid for me.
Maybe it is time to realize it.
Keep smiling
yanosz
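
An independent sanity check over a wtmp-format file for the kind of inconsistency reported above, as an added example that is not part of the original thread and not chkrootkit's own code: it flags all-zero records, implausible timestamps, timestamps that run backwards, and a partial record at the end. The record layout (384-byte little-endian glibc `struct utmp` with 32-bit time fields), the `SLACK` value and the sample data are assumptions.

```python
import struct

# Assumption: 384-byte little-endian glibc "struct utmp" (Linux, 32-bit
# time fields). Other platforms lay the record out differently.
REC = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
SLACK = 300  # seconds of backward jitter tolerated (assumed value)

def make_record(ut_type, user, line, tv_sec):
    """Pack one constructed record (used only for the sample below)."""
    return REC.pack(ut_type, 0, line.encode(), b"", user.encode(), b"",
                    0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def audit_wtmp(data, now):
    """Return (record_index, reason) for every suspicious record."""
    findings, newest = [], None
    whole = len(data) // REC.size
    for idx in range(whole):
        raw = data[idx * REC.size:(idx + 1) * REC.size]
        tv_sec = REC.unpack(raw)[9]  # field 9 is ut_tv.tv_sec
        if raw == bytes(REC.size):
            findings.append((idx, "zeroed record"))
        elif tv_sec <= 0 or tv_sec > now:
            findings.append((idx, "implausible timestamp"))
        elif newest is not None and tv_sec < newest - SLACK:
            findings.append((idx, "timestamp goes backwards"))
        else:
            newest = tv_sec  # only trusted records advance the baseline
    if len(data) % REC.size:
        findings.append((whole, "partial record at end of file"))
    return findings

# Constructed sample: two good records, two zeroed ones, a record with a
# 1974-era timestamp after 2004 entries, a good record, then 10 stray bytes.
SAMPLE = b"".join([
    make_record(2, "reboot", "~", 1074900000),
    make_record(7, "alice", "pts/0", 1075015256),
    bytes(REC.size),
    bytes(REC.size),
    make_record(7, "alice", "pts/1", 134528616),
    make_record(7, "alice", "pts/2", 1075100000),
    b"\x00" * 10,
])

if __name__ == "__main__":
    for idx, reason in audit_wtmp(SAMPLE, now=1077379860):
        print(f"record {idx}: {reason}")
```

To check a real file, read it in binary mode and pass the bytes with the current epoch time as `now`; run it against a copy so the evidence is not touched.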