LinuxQuestions.org


Mr. Gone 10-12-2005 05:57 PM

chkrootkit / lastlog
 
I just ran chkrootkit 0.45 and got this bit:

Code:

Checking `z2'... user root deleted or never logged from lastlog!

And actually 'lastlog' says that root "Never logged in". Googling for info
only yielded two results with no valuable data.

This is the only alarm shown by chkrootkit. All the rest seems normal,
and I haven't noticed any weird stuff lately either. OTOH, 'last' and
'who' show perfectly the last times I've used a root terminal.

Could this be a false alarm, or should I worry?

Thanks in advance.

anomie 10-12-2005 06:10 PM

Someone will correct me if I'm wrong, but I believe 'lastlog' reflects only the times when you have logged in directly as root. Using su to get to root doesn't count.

So assuming you have never done so - congrats! You are a smart guy. And, no, I don't think you have anything to worry about.

Mr. Gone 10-13-2005 06:54 AM

I don't know for sure, but it's possible that you're right about 'lastlog'.

However, the previous times that I ran 'chkrootkit' it never triggered this alarm. Why now, if I've never logged in as root (into its own X session, not using 'su')?

Thanks for the help.

anomie 10-13-2005 09:46 AM

I don't know the answer to that. Is it an older version of chkrootkit that you ran before?

Let me put it this way: If you have never logged in directly as root, then I see no problem here.

Mr. Gone 10-13-2005 10:50 AM

Quote:

Is it an older version of chkrootkit that you ran before?

No, I had already tried version 0.45 two or three times before and that comment didn't appear. This is what makes me wonder why now and not before.

However, I just remembered that during the previous session the system got stalled and became unresponsive because it was using all the RAM and swap (after some days of quite intensive use), and suddenly it killed the session and threw me into a login prompt. That was the last time I logged in, and the date coincides with the change/modification stats of /var/log/lastlog. Don't know, maybe this abnormal termination of the previous session had something to do with what chkrootkit triggered...

Thanks again for your comments.
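
Added example, not part of the thread and not chkrootkit's code: a small reader for /var/log/lastlog that shows how a user can have session records (what 'last' prints) and still have an empty lastlog slot, which is the condition the z2 message reports. Assumptions: the Linux/glibc record layout (32-bit time, 32-byte tty, 256-byte host, one slot per UID, little-endian); the function names, the user name "mrgone", and the sample data are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout (Linux/glibc struct lastlog): 32-bit login time,
# 32-byte tty name, 256-byte host name; one fixed-size slot per UID.
RECORD = struct.Struct("<I32s256s")  # 292 bytes, little-endian assumed


def read_lastlog(data, uid):
    """Return (login_time_utc or None, tty, host) for uid from raw lastlog bytes."""
    chunk = data[uid * RECORD.size:(uid + 1) * RECORD.size]
    if len(chunk) < RECORD.size:      # file is shorter than this UID's slot
        return None, "", ""
    ts, tty, host = RECORD.unpack(chunk)
    if ts == 0:                       # zeroed slot: shown as "Never logged in"
        return None, "", ""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return (when,
            tty.split(b"\0")[0].decode(errors="replace"),
            host.split(b"\0")[0].decode(errors="replace"))


def missing_from_lastlog(data, seen_users):
    """Names that appear in session records but have an empty lastlog slot."""
    return sorted(name for name, uid in seen_users.items()
                  if read_lastlog(data, uid)[0] is None)


def constructed_sample():
    """Constructed lastlog image: UID 0 slot zeroed, UID 1000 slot populated."""
    data = bytearray(RECORD.size * 1001)
    rec = RECORD.pack(1129157820, b"tty1", b"")   # constructed timestamp
    data[1000 * RECORD.size:1001 * RECORD.size] = rec
    return bytes(data)


if __name__ == "__main__":
    # Constructed stand-in for the users that 'last' reports sessions for.
    seen = {"root": 0, "mrgone": 1000}
    image = constructed_sample()
    for name in missing_from_lastlog(image, seen):
        print(f"{name}: has session records but an empty lastlog slot")
    print(read_lastlog(image, 1000))
```

To run it against a real system, pass the bytes of /var/log/lastlog and a name-to-UID mapping for the accounts that 'last' lists.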

