chkrootkit / lastlog
Posted on October 12, 2005, 8:14 pm
"Checking `z2'... user root deleted or never logged from lastlog!"
And actually 'lastlog' says that root "Never logged in". Googling for info
only yielded two results with no valuable data.
This is the only alarm showed by chkrootkit. All the rest seems normal,
and I haven't noticed any weird stuff lately either. OTOH, 'last' and
'who' show perfectly the last times I've used a root terminal.
Could this be a false alarm, or should I worry?
Re: chkrootkit / lastlog
The difference is that lastlog uses /var/log/lastlog, while who and last
use /var/run/wtmp and /var/run/utmp.
Maybe nothing is updating your lastlog or your logrotations are
affecting lastlog but not ?tmp files.
I'd start by checking the datestamps on the files and seeing whether the
lastlog was dated later than the last root login stamps in the ?tmp files.
Say, you have logged in on day 1 but never logged, on day 3 the rotations
erase the lastlog and on day 5 you are looking at what is going on..
I'd say you need to look more carefully at your system to determine if
it's compromised or not because the state you have now could be due log
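The comparison described above can be reproduced offline by reading both files directly: this is an added example, not code from the thread or from chkrootkit, and the glibc record layouts, the constructed sample data and the uid map are assumptions.

```python
import struct

# Assumed on-disk layouts: glibc struct lastlog / struct utmp with 32-bit time
# fields on x86 (lastlog record = 292 bytes, utmp/wtmp record = 384 bytes).
LASTLOG_FMT = "<i32s256s"                     # ll_time, ll_line, ll_host
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"     # ut_type ... ut_tv.tv_sec at index 9
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)   # 292
UTMP_SIZE = struct.calcsize(UTMP_FMT)         # 384
USER_PROCESS = 7                              # ut_type of a normal login session

def cstr(b):
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_lastlog(data):
    """lastlog is indexed by uid; a zero ll_time is what 'lastlog' prints as 'Never logged in'."""
    return {uid: struct.unpack_from(LASTLOG_FMT, data, uid * LASTLOG_SIZE)[0]
            for uid in range(len(data) // LASTLOG_SIZE)}

def wtmp_logins(data):
    """Yield (user, tv_sec) for every USER_PROCESS record, i.e. what 'last' shows."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        if rec[0] == USER_PROCESS:
            yield cstr(rec[4]), rec[9]

def lastlog_anomalies(lastlog_bytes, wtmp_bytes, uid_of):
    """Users seen logging in via wtmp whose lastlog slot is zero (or who no longer
    exist in uid_of): the condition chkrootkit reports as
    'user ... deleted or never logged from lastlog!'."""
    ll = parse_lastlog(lastlog_bytes)
    seen = {user for user, _t in wtmp_logins(wtmp_bytes)}
    return sorted(u for u in seen if ll.get(uid_of.get(u, -1), 0) == 0)

# Constructed sample data (not from any real system): alice (uid 1000) has a
# login in both files; root has a wtmp login but an all-zero lastlog slot, which
# is the poster's situation whether root really logged in or the slot was reset.
T_ROOT, T_ALICE = 1129000000, 1129100000
SAMPLE_LASTLOG = (b"\x00" * (LASTLOG_SIZE * 1000)
                  + struct.pack(LASTLOG_FMT, T_ALICE, b"tty7", b""))
def _wtmp(user, t, line):
    return struct.pack(UTMP_FMT, USER_PROCESS, 1234, line, b"1", user, b"",
                       0, 0, 0, t, 0, b"", b"")
SAMPLE_WTMP = _wtmp(b"alice", T_ALICE, b"tty7") + _wtmp(b"root", T_ROOT, b"pts/0")
UID_OF = {"root": 0, "alice": 1000}

def check_sample():
    return lastlog_anomalies(SAMPLE_LASTLOG, SAMPLE_WTMP, UID_OF)

if __name__ == "__main__":
    print("flagged:", check_sample())   # flagged: ['root']
```

On a live system, read your lastlog and wtmp files in binary mode and build uid_of from /etc/passwd; a lastlog that was rotated or never updated shows up as a zero slot exactly like a genuine gap, which is why the file datestamps need to be compared as well.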
Re: chkrootkit / lastlog
I think we're dealing with two different things here. One is a root login
into its own login session; I think these are the ones (root or non-root)
that get reflected in /var/log/lastlog, but I might be wrong. In that
case, I have never done a root login of that kind. The other type is
getting root terminals by means of 'su'; these get noted in the ?tmp
files, and of course I've done many of these. They appear as well when I
check those files through 'who' or 'last'. Are these the ones you're
referring to by "last root login stamps in the ?tmp files"? If by these
you mean root terminals through 'su': yes, lastlog is dated older. If you
mean root logins proper, I've never done any of them.
I had already checked /var/log/lastlog with 'stat', and the date of the
last change and modification coincides with the time that I did the last
(non-root) login into an X session. I remember now that the system got
stalled and became unresponsive because it was using all the RAM and swap
(after some days of quite intensive use) and suddenly it killed the
session and threw me into a login prompt. That was the last time I logged
in, and the date coincides with the change/modification stats of
/var/log/lastlog. Could this abnormal termination of the previous session
have anything to do with what chkrootkit triggered?
That's what I'm trying to do. :)