LinuxQuestions.org
Old 04-15-2013, 10:07 AM   #1
eponymous
Member
 
Registered: Oct 2004
Distribution: Gentoo
Posts: 77

chkrootkit warning - anything to be worried about?


Hi,

I've just installed chkrootkit and I'm not sure how to interpret the following (I've removed the rest as it looked fine):

Code:
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! <user>       1**** pts/0  /usr/bin/ssh -oForwardX11 no -oForwardAgent no -oClearAllForwardings yes -oProtocol 2 -oNoHostAuthenticationForLocalhost yes -l <another_user> -s <hostname> sftp
Note: I've masked out the two users in question along with the hostname.

I connect to the above SFTP server using Gigolo in Xfce. When I "Disconnect" the share, the above message goes away. I don't understand why it is there when I connect to the host however.

Is this something to be concerned about?
 
Old 04-15-2013, 12:27 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

The process is attached to a tty but no audit record was found in /var/run/utmp. Normal behaviour for processes that wait for a login to occur. Also note the chance of having only chkutmp tty warnings point to a compromise may be considered almost nonexistent.
 
Old 04-16-2013, 05:25 AM   #3
eponymous
Member
 
Registered: Oct 2004
Distribution: Gentoo
Posts: 77

Original Poster
Thanks for your reply.

I also have this message:

net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))

Do you know what it means?

I'm having trouble finding documentation on how to interpret chkrootkit results...

Last edited by eponymous; 04-16-2013 at 08:48 AM.
 
Old 04-16-2013, 01:24 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Quote:
Originally Posted by eponymous View Post
net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))
Do you know what it means?
See http://www.linuxquestions.org/questi...8/#post4535586 ?
 
Old 04-17-2013, 09:44 AM   #5
eponymous
Member
 
Registered: Oct 2004
Distribution: Gentoo
Posts: 77

Original Poster
Hmm, that seems similar but my message states that the file is deleted. Does that have any significance?
 
Old 04-18-2013, 01:27 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Ask yourself what the /var/tmp/portage directory is used for.
 
Old 04-18-2013, 07:21 AM   #7
eponymous
Member
 
Registered: Oct 2004
Distribution: Gentoo
Posts: 77

Original Poster
It is used for unpacking source code as an area to compile whatever you are emerging. I do expect it to be cleared out from time to time but what I don't know is why chkrootkit is referring to deleted files.
 
Old 04-20-2013, 04:00 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Quote:
Originally Posted by eponymous View Post
It is used for unpacking source code as an area to compile whatever you are emerging. I do expect it to be cleared out from time to time but what I don't know is why chkrootkit is referring to deleted files.
Clearly there's a difference between expecting something and something actually happening ;-p A process may be started, remaining running in memory, and then have its files removed, is the answer.
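An added example (not code from the thread or from chkrootkit) that re-implements the two checks discussed above: the chkutmp comparison of process ttys against utmp login records (post #2), and the "(deleted)" executable case behind the PF_PACKET line (post #8), with a simple triage heuristic based on where the unlinked binary lived. The sample process rows, utmp ttys and /proc/<pid>/exe links are constructed; EXPECTED_BUILD_DIRS and the verdict names are my own assumption, not chkrootkit's.

```python
import os

DELETED_SUFFIX = " (deleted)"
# Assumption (heuristic): a deleted binary under one of these prefixes is
# usually a process that kept running after its package was rebuilt or
# upgraded (the /var/tmp/portage dhclient case in this thread).
EXPECTED_BUILD_DIRS = ("/var/tmp/portage/", "/usr/bin/", "/usr/sbin/",
                       "/bin/", "/sbin/", "/usr/lib/")

# Constructed `ps -eo pid,tty,user,args`-style rows: (pid, tty, user, cmd)
SAMPLE_PROCS = [
    (1523, "pts/0", "alice", "/usr/bin/ssh -oForwardX11 no -l bob -s host sftp"),
    (1401, "pts/1", "alice", "bash"),
    (2210, "?", "root", "/sbin/dhclient eth0"),
]
# Constructed set of ttys that have a login record in utmp (e.g. from `who`)
SAMPLE_UTMP_TTYS = {"pts/1", "tty7"}
# Constructed readlink("/proc/<pid>/exe") results
SAMPLE_EXE_LINKS = {
    1523: "/usr/bin/ssh",
    2210: "/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted)",
    3001: "/dev/shm/.x (deleted)",
}


def chkutmp(procs, utmp_ttys):
    """chkrootkit-style chkutmp: processes holding a tty that has no utmp
    login record. A desktop helper (gvfs/Gigolo spawning ssh on a pty) lands
    here without any compromise, which is why post #2 calls it normal."""
    return [p for p in procs if p[1] != "?" and p[1] not in utmp_ttys]


def triage_deleted_exes(exe_links):
    """Processes whose executable was unlinked after exec. Returns
    {pid: (original_path, verdict)}; verdict is 'upgrade-leftover' for paths
    under EXPECTED_BUILD_DIRS, otherwise 'investigate' (e.g. /dev/shm, /tmp)."""
    result = {}
    for pid, link in exe_links.items():
        if not link.endswith(DELETED_SUFFIX):
            continue
        path = link[: -len(DELETED_SUFFIX)]
        verdict = "upgrade-leftover" if path.startswith(EXPECTED_BUILD_DIRS) else "investigate"
        result[pid] = (path, verdict)
    return result


def live_exe_links():
    """Collect /proc/<pid>/exe targets on a live Linux host (best effort)."""
    links = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:  # kernel thread, no permission, or process exited
                pass
    return links
```

Run `triage_deleted_exes(live_exe_links())` as root for a real scan; an 'upgrade-leftover' entry is cleared by restarting that service, while 'investigate' entries deserve a look at /proc/<pid>/cmdline and open sockets before anything else.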
 
Tags
chkrootkit, gvfs, sftp, ssh