Old 10-12-2005, 05:57 PM   #1
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Rep: Reputation: 15
chkrootkit / lastlog


I just ran chkrootkit 0.45 and got this bit:

Code:
Checking `z2'... user root deleted or never logged from lastlog!
And actually 'lastlog' says that root "Never logged in". Googling for info
only yielded two results with no valuable data.

This is the only alarm shown by chkrootkit. All the rest seems normal,
and I haven't noticed any weird stuff lately either. OTOH, 'last' and
'who' show perfectly the last times I've used a root terminal.

Could this be a false alarm, or should I worry?

Thanks in advance.
 
Old 10-12-2005, 06:10 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Someone will correct me if I'm wrong, but I believe lastlog reflects only the times when you have logged in directly as root. Using su to get to root doesn't count.

So assuming you have never done so - congrats! You are a smart guy. And, no, I don't think you have anything to worry about.
 
Old 10-13-2005, 06:54 AM   #3
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Original Poster
Rep: Reputation: 15
I don't know for sure, but it's possible that you're right about 'lastlog'.

However, the previous times that I ran 'chkrootkit' it never triggered this alarm. Why now, if I've never logged in as root (into its own X session, not using 'su')?

Thanks for the help.
 
Old 10-13-2005, 09:46 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I don't know the answer to that. Is it an older version of chkrootkit that you ran before?

Let me put it this way: If you have never logged in directly as root, then I see no problem here.
 
Old 10-13-2005, 10:50 AM   #5
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Is it an older version of chkrootkit that you ran before?
No, I had already tried version 0.45 two or three times before and that comment didn't appear. This is what makes me wonder why now and not before.

However, I just remembered that during the previous session the system stalled and became unresponsive because it was using all the RAM and swap (after some days of quite intensive use), and suddenly it killed the session and threw me into a login prompt. That was the last time I logged in, and the date coincides with the change/modification stats of /var/log/lastlog. Don't know, maybe this abnormal termination of the previous session had something to do with what chkrootkit triggered...

Thanks again for your comments.
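
Added example, not part of the thread and not chkrootkit's own code: a way to inspect the per-UID record behind the "Never logged in" line and to list users that 'last' reports but that have an empty lastlog slot, which is the mismatch described above. It assumes the glibc/Linux record layout (292 bytes, indexed by UID); the function names, the sample image and the user 'alice' are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc/Linux layout of struct lastlog (32-bit time field,
# ll_line[32], ll_host[256]) = 292 bytes; a user's record sits at uid * 292.
RECORD = struct.Struct("=I32s256s")

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def read_lastlog(image: bytes, uid: int):
    """Return (utc_time, tty, host) for uid, or None for 'Never logged in'."""
    off = uid * RECORD.size
    chunk = image[off:off + RECORD.size]
    if len(chunk) < RECORD.size:       # file ends before this UID's slot
        return None
    ll_time, line, host = RECORD.unpack(chunk)
    if ll_time == 0:                   # zeroed slot: never written, or cleared
        return None
    when = datetime.fromtimestamp(ll_time, tz=timezone.utc)
    return when, _cstr(line), _cstr(host)

def missing_from_lastlog(image: bytes, seen_in_last: dict) -> list:
    """Names that 'last' reports (name -> uid) but that have no lastlog record."""
    return sorted(name for name, uid in seen_in_last.items()
                  if read_lastlog(image, uid) is None)

def build_sample() -> bytes:
    """Constructed lastlog image: UID 0 left zeroed, UID 1000 populated."""
    image = bytearray(1001 * RECORD.size)
    RECORD.pack_into(image, 1000 * RECORD.size, 1129157400, b"tty1", b"")
    return bytes(image)

SAMPLE = build_sample()
SEEN_IN_LAST = {"root": 0, "alice": 1000}   # constructed; 'alice' is hypothetical

if __name__ == "__main__":
    for name, uid in SEEN_IN_LAST.items():
        print(name, read_lastlog(SAMPLE, uid) or "**Never logged in**")
    print("in last but not in lastlog:",
          missing_from_lastlog(SAMPLE, SEEN_IN_LAST))
```

To inspect a real system, pass the bytes of /var/log/lastlog (read as root) in place of SAMPLE and compare the file's modification time with the timestamps returned.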
 
  

