LinuxQuestions.org > Linux - Security > chkrootkit warning - anything to be worried about?
https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-warning-anything-to-be-worried-about-4175458202/

eponymous 04-15-2013 10:07 AM

chkrootkit warning - anything to be worried about?
 
Hi,

I've just installed chkrootkit and I'm not sure how to interpret the following (I've removed the rest as it looked fine):

Code:

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! <user>      1**** pts/0  /usr/bin/ssh -oForwardX11 no -oForwardAgent no -oClearAllForwardings yes -oProtocol 2 -oNoHostAuthenticationForLocalhost yes -l <another_user> -s <hostname> sftp

Note: I've masked out the two users in question along with the hostname.

I connect to the above SFTP server using Gigolo in Xfce. When I "Disconnect" the share, the above message goes away. I don't understand why it is there when I connect to the host however.

Is this something to be concerned about?

unSpawn 04-15-2013 12:27 PM

The process is attached to a tty but no audit record was found in /var/run/utmp. Normal behaviour for processes that wait for a login to occur. Also note that the chance of only chkutmp tty warnings pointing to a compromise may be considered almost nonexistent.
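The check behind that warning is simple enough to reproduce by hand, which is useful when you want to see exactly which tty/utmp mismatch chkrootkit is complaining about. The script below is an added example, not chkrootkit's own chkutmp code: it takes the output of `who` (the utmp records) and `ps -eo ruser,pid,tty,args --no-headers` and prints every process that sits on a tty for which utmp has no entry. The sample `who` and `ps` data are constructed to mirror the thread: one X session on tty7, one terminal on pts/1 that did write utmp, and an ssh started by a file manager on pts/0 that did not (a program that allocates a pty itself does not write a utmp record; login programs and terminal emulators do). The usernames, PIDs and hostname in the sample are made up.

```shell
#!/bin/sh
# Added example: a chkutmp-style check in portable shell.
# Not chkrootkit's code. Live inputs on a real host are `who` and
# `ps -eo ruser,pid,tty,args --no-headers`; the data below is constructed.

# Print "RUID PID TTY CMD" for each process whose tty has no utmp entry.
#   $1 = file holding `who` output (2nd column is the tty, e.g. pts/0)
#   $2 = file holding `ps -eo ruser,pid,tty,args --no-headers` output
chkutmp_orphans() {
    who_file=$1
    ps_file=$2
    awk 'FILENAME == ARGV[1] { seen[$2] = 1; next }
         # ps rows: "?" means no controlling tty (daemons, kernel threads)
         $3 != "?" && !($3 in seen) {
             cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
             printf "%s %s %s %s\n", $1, $2, $3, cmd
         }' "$who_file" "$ps_file"
}

# Live use (not executed here):
#   who > /tmp/who.txt
#   ps -eo ruser,pid,tty,args --no-headers > /tmp/ps.txt
#   chkutmp_orphans /tmp/who.txt /tmp/ps.txt

# Constructed sample data (users, PIDs and host are invented).
WHO_SAMPLE=$(mktemp)
PS_SAMPLE=$(mktemp)
trap 'rm -f "$WHO_SAMPLE" "$PS_SAMPLE"' EXIT

cat > "$WHO_SAMPLE" <<'EOF'
alice    tty7         2013-04-15 09:50 (:0)
alice    pts/1        2013-04-15 09:55 (:0)
EOF

cat > "$PS_SAMPLE" <<'EOF'
root         1 ?     /sbin/init
alice     2345 tty7  /usr/bin/xfce4-session
alice     4560 pts/1 bash
alice     4567 pts/0 /usr/bin/ssh -oForwardX11 no -l bob -s host sftp
EOF

# Runs the check over the sample; returns the single orphan line.
run_sample() {
    chkutmp_orphans "$WHO_SAMPLE" "$PS_SAMPLE"
}

run_sample
```

On a live host, compare each reported line with what you know is running: a pty held by a helper such as the sftp transport above, by screen/tmux, or by an sshd waiting for a login is expected; a shell on a pty that nobody opened, owned by a user who is not logged in, is the case that deserves a closer look.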

eponymous 04-16-2013 05:25 AM

Thanks for your reply.

I also have this message:

net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))

Do you know what it means?

I'm having trouble finding documentation on how to interpret chkrootkit results...

unSpawn 04-16-2013 01:24 PM

Quote:

Originally Posted by eponymous (Post 4932310)
net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))
Do you know what it means?

See http://www.linuxquestions.org/questi...8/#post4535586 ?

eponymous 04-17-2013 09:44 AM

Hmm, that seems similar but my message states that the file is deleted. Does that have any significance?

unSpawn 04-18-2013 01:27 AM

Ask yourself what the /var/tmp/portage directory is used for.

eponymous 04-18-2013 07:21 AM

It is used for unpacking source code as an area to compile whatever you are emerging. I do expect it to be cleared out from time to time but what I don't know is why chkrootkit is referring to deleted files.

unSpawn 04-20-2013 04:00 AM

Quote:

Originally Posted by eponymous (Post 4933991)
It is used for unpacking source code as an area to compile whatever you are emerging. I do expect it to be cleared out from time to time but what I don't know is why chkrootkit is referring to deleted files.

Clearly there's a difference between expecting something and something actually happening ;-p A process may be started, remain running in memory, and then have its files removed; that is the answer.
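The mechanism behind that "(deleted)" suffix can be checked directly. The kernel lists every AF_PACKET socket in /proc/net/packet with its inode; the process holding that socket has a /proc/<pid>/fd/N link pointing at socket:[inode]; and /proc/<pid>/exe is a link to the binary the process was started from, which the kernel renders with " (deleted)" appended once that file has been unlinked. The script below is an added example that walks those three pieces the way chkrootkit's sniffer check does; it is not chkrootkit's code. It takes the proc root as an argument so it can be run against a constructed fake tree here; on a real host you pass /proc. The PID and socket inode in the fake tree are invented; the exe path copies the one from this thread.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): find which process owns each
# PF_PACKET socket and report whether its executable has been deleted.
#   $1 = root of the proc tree (real use: /proc; below: a constructed fake)
packet_socket_owners() {
    proc=${1:-/proc}
    [ -r "$proc/net/packet" ] || return 0
    # /proc/net/packet: header line, then one row per socket; Inode is last.
    awk 'NR > 1 { print $NF }' "$proc/net/packet" | while read -r ino; do
        for fd in "$proc"/[0-9]*/fd/*; do
            [ -L "$fd" ] || continue
            # A socket fd links to "socket:[<inode>]".
            [ "$(readlink "$fd")" = "socket:[$ino]" ] || continue
            pid=${fd#"$proc"/}
            pid=${pid%%/*}
            exe=$(readlink "$proc/$pid/exe" 2>/dev/null || echo "?")
            # The kernel appends " (deleted)" when the binary was unlinked.
            case $exe in
                *" (deleted)") state=deleted ;;
                *)             state=present ;;
            esac
            printf '%s %s %s\n' "$pid" "$state" "$exe"
        done
    done
}

# Constructed fake proc tree reproducing the thread's situation.
FAKE=$(mktemp -d)
trap 'rm -rf "$FAKE"' EXIT
mkdir -p "$FAKE/net" "$FAKE/4321/fd"
cat > "$FAKE/net/packet" <<'EOF'
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      98765
EOF
ln -s 'socket:[98765]' "$FAKE/4321/fd/5"
ln -s '/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted)' "$FAKE/4321/exe"

# Runs the check over the fake tree; on a real host call
# packet_socket_owners /proc instead.
run_sample() {
    packet_socket_owners "$FAKE"
}

run_sample
```

Seeing `deleted` for dhclient on a Gentoo box means the daemon was started from a build-time path that emerge later cleaned up, not that the binary vanished on its own. The tidy fix is to restart the service so it runs from the installed /sbin/dhclient and then confirm with `readlink /proc/$(pidof dhclient)/exe`; a `deleted` executable holding a packet socket with no package manager story behind it is the case worth investigating.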

