Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-28-2006, 11:16 AM   #1
newtommy
Member
 
Registered: Feb 2005
Location: Baltimore, Maryland
Distribution: SuSE 9.2 Professional
Chkrootkit turned up problem with chkutmp


Hi,

I ran chkrootkit today and got an unusual output - I am concerned but not familiar enough with this to know if I have a problem. If someone could please help me understand this output I would be grateful:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 15188 tty7 /usr/X11R6/bin/X -br -nolisten tcp :0 vt7
chkutmp: nothing deleted

Thanks so very much
Tommy
 
Old 10-28-2006, 12:19 PM   #2
unSpawn
Moderator
 
Registered: May 2001
> I ran chkrootkit today
Which version?


> Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp
The process is attached to a tty but no audit record was found in /var/run/utmp. Normal behaviour for processes that wait for a login to occur. If you want to run some checks run "w" (shows there's nobody at that tty), compare output of "readlink -f /proc/15188" with "readlink -f /usr/X11R6/bin/X" (process uses same binary) and "rpm -Vv --noscripts XFree86" (should not show MD5 problems).
 
Old 10-28-2006, 02:36 PM   #3
newtommy
Member
 
Registered: Feb 2005
Location: Baltimore, Maryland
Distribution: SuSE 9.2 Professional
Original Poster
Hi -- Thanks for responding

I'm using version 0.45

w --> shows only me.
When I run readlink -f /usr/X11R6/bin/X and readlink -f /proc/15188 I get two different results; plus, if I kill process 15188 it returns as another process, which is also complained about by chkrootkit.

readlink -f /proc/15188 returns: /proc/15188
readlink -f /usr/X11R6/bin/X returns: /usr/X11R6/bin/Xorg

rpm -Vv --noscripts XFree86
rpm: script disabling options may only be specified during package installation and erasure
 
Old 10-28-2006, 11:20 PM   #4
newtommy
Member
 
Registered: Feb 2005
Location: Baltimore, Maryland
Distribution: SuSE 9.2 Professional
Original Poster
Rkhunter hangs while testing running processes

One more follow up -

I ran rkhunter 1.2.8 and it hangs while "testing running processes"
 
Old 10-29-2006, 05:32 AM   #5
unSpawn
Moderator
 
Registered: May 2001
> When I run readlink -f /usr/X11R6/bin/X and readlink -f /proc/15188 I get two different results
Sorry. Should be "readlink -f /proc/15188/exe", else you don't have the link to the binary.


> plus, if I kill process 15188 it returns as another process, which is also complained about by chkrootkit.
Nobody asked you to kill stuff. This is kind of theoretical, since the chance of chkutmp's tty warnings alone pointing to a compromise can be considered almost nonexistent, but killing stuff is a good way to lose data in case something suspicious happened, and a good way to attract attention.


> rpm -Vv --noscripts XFree86
> rpm: script disabling options may only be specified during package installation and erasure

Well, if the "--noscripts" switch doesn't make rpm run, then run it without the switch.


> I ran rkhunter 1.2.8
RKH is at 1.2.9; older versions are *not* supported.
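The cross-check behind the `chkutmp' warning that unSpawn explains in posts #2 and #5, as an added example in Python that is not chkrootkit's own code: chkrootkit compares the ttys that ps reports for running processes against the lines recorded in /var/run/utmp and warns about any process holding a tty that has no live utmp record. Because utmp is what w and who read, a logged-in session whose utmp entry has been scrubbed vanishes from w while its shell still holds a tty, which is the situation this check exists to catch; an X server started by a display manager on tty7 holds that tty without any login ever being recorded, which is the benign case in the original post. The record layout is glibc's struct utmp on x86_64 (384 bytes per record), the utmp image and process snapshot are constructed for the demonstration, treating only LOGIN_PROCESS and USER_PROCESS records as occupying a tty is an assumption of this example rather than something the thread states about chkrootkit, and same_binary() reproduces the readlink -f /proc/PID/exe comparison from post #5 (it needs a Linux /proc).

```python
"""Re-implementation of the cross-check behind chkrootkit's `chkutmp' output.

Added example, not chkrootkit's code. utmp layout: glibc struct utmp on x86_64
(384 bytes per record). The utmp image and ps snapshot below are constructed.
"""
import os
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set

# glibc <bits/utmp.h> on x86_64: ut_type(2)+pad(2), ut_pid(4), ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit(2+2), ut_session(4),
# ut_tv(4+4), ut_addr_v6[4](16), reserved[20]  -> 384 bytes.
UTMP_REC = struct.Struct("<h2xi32s4s32s256shh" + "i" * 7 + "20x")
assert UTMP_REC.size == 384

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 5, 6, 7, 8
# Assumption of this example: a getty waiting for a login or a logged-in user
# "occupies" a line (what `who` shows); a DEAD_PROCESS record means the
# session on that line has ended.
TTY_HOLDERS = {LOGIN_PROCESS, USER_PROCESS}


@dataclass(frozen=True)
class Proc:
    ruid: str
    pid: int
    tty: str      # "?" for processes without a controlling tty, as ps prints it
    cmd: str


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(image: bytes):
    """Yield (ut_type, ut_pid, ut_line, ut_user) for each record of a utmp image."""
    if len(image) % UTMP_REC.size:
        raise ValueError("utmp image is not a whole number of %d-byte records" % UTMP_REC.size)
    for off in range(0, len(image), UTMP_REC.size):
        ut_type, ut_pid, ut_line, _ut_id, ut_user = UTMP_REC.unpack_from(image, off)[:5]
        yield ut_type, ut_pid, _cstr(ut_line), _cstr(ut_user)


def ttys_in_utmp(image: bytes) -> Set[str]:
    """Lines that utmp currently regards as occupied."""
    return {line for t, _pid, line, _user in parse_utmp(image) if t in TTY_HOLDERS and line}


def chkutmp(procs: Iterable[Proc], image: bytes) -> List[Proc]:
    """Processes bound to a tty that has no live utmp record: the set chkrootkit warns about."""
    known = ttys_in_utmp(image)
    return [p for p in procs if p.tty not in ("?", "") and p.tty not in known]


def format_warning(flagged: List[Proc]) -> str:
    """Render the result in the layout the original post pasted from chkrootkit."""
    if not flagged:
        return "chkutmp: nothing deleted"
    lines = ["The tty of the following user process(es) were not found in /var/run/utmp !",
             "! RUID PID TTY CMD"]
    lines += ["! %s %d %s %s" % (p.ruid, p.pid, p.tty, p.cmd) for p in flagged]
    lines.append("chkutmp: nothing deleted")
    return "\n".join(lines)


def same_binary(pid: int, path: str):
    """The `readlink -f /proc/PID/exe` vs `readlink -f PATH` comparison from post #5.
    Returns None when /proc is unavailable (non-Linux) or the process is gone."""
    exe = "/proc/%d/exe" % pid
    if not os.path.exists(exe):
        return None
    return os.path.realpath(exe) == os.path.realpath(path)


def make_record(ut_type: int, pid: int, line: str, user: str, host: str = "") -> bytes:
    """Pack one constructed utmp record (test data, not read from a real system)."""
    return UTMP_REC.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                         0, 0, 0, 0, 0, 0, 0, 0, 0)


# Constructed utmp image: boot marker, a getty waiting on tty1, tommy logged in
# on pts/0, and a session on tty2 that utmp says has ended.
SAMPLE_UTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot"),
    make_record(LOGIN_PROCESS, 2314, "tty1", "LOGIN"),
    make_record(USER_PROCESS, 2418, "pts/0", "tommy", "localhost"),
    make_record(DEAD_PROCESS, 2217, "tty2", ""),
])

# Constructed `ps -eo ruser,pid,tty,args` snapshot for the same machine.
SAMPLE_PS = [
    Proc("root", 1, "?", "init [5]"),
    Proc("root", 2314, "tty1", "/sbin/mingetty tty1"),
    Proc("tommy", 2420, "pts/0", "-bash"),
    Proc("root", 15188, "tty7", "/usr/X11R6/bin/X -br -nolisten tcp :0 vt7"),
    Proc("root", 2217, "tty2", "-bash"),   # live shell on a line utmp calls dead
]

if __name__ == "__main__":
    print(format_warning(chkutmp(SAMPLE_PS, SAMPLE_UTMP)))
```

Run as a script it prints the same warning layout the original post pasted. Of the two flagged processes, the tty2 shell in the constructed snapshot is the suspicious shape (a live shell on a line utmp records as dead, so w shows nobody there), while the tty7 X server is the expected false positive unSpawn describes: nothing ever logged in on vt7, so no record was written.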
 
  

