chkrootkit / lastlog

I just ran chkrootkit 0.45 and got this bit:

"Checking `z2'... user root deleted or never logged from lastlog!"

And actually 'lastlog' says that root "Never logged in". Googling for info
only yielded two results with no valuable data.

This is the only alarm shown by chkrootkit. All the rest seems normal,
and I haven't noticed any weird stuff lately either. OTOH, 'last' and
'who' show perfectly the last times I've used a root terminal.

Could this be a false alarm, or should I worry?

Re: chkrootkit / lastlog

The difference with lastlog is that it uses /var/log/lastlog, and

who and last use /var/run/wtmp and /var/run/utmp.

Maybe nothing is updating your lastlog or your logrotations are
affecting lastlog but not ?tmp files.

I'd start checking the datestamps on the files and see if the lastlog
was dated later than the last root login stamps in the ?tmp files. Say you
have logged in on day 1 but never logged, on day 3 the rotations erase
the lastlog and on day 5 you are looking at what is going on.

I'd say you need to look more carefully at your system to determine if
it's compromised or not, because the state you have now could be due log
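The cross-check this reply describes (does the lastlog record for a user agree with that user's login stamps in wtmp?) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from chkrootkit: it parses the two binary files with the glibc x86/x86_64 record layouts (an assumption; the 292-byte `struct lastlog` and 384-byte `struct utmp`), builds small constructed sample images that mirror the thread's situation (a root record in wtmp, a zeroed root slot in lastlog), and reports the same three outcomes chkrootkit's lastlog test distinguishes. The paths `/var/log/lastlog` and `/var/log/wtmp` used in the demo are assumptions to adapt to your distribution.

```python
import os
import struct
from datetime import datetime, timezone

# glibc layouts on x86/x86_64 Linux (assumption: 292-byte lastlog and 384-byte utmp records;
# other architectures and libcs differ, check <bits/utmp.h> before trusting the sizes).
LASTLOG_FMT = "<i32s256s"                    # ll_time, ll_line[32], ll_host[256]
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292, file is indexed by UID
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"     # ut_type, pad, ut_pid, ut_line, ut_id, ut_user,
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # ut_host, ut_exit(2), ut_session, ut_tv(2), addr(4), unused
USER_PROCESS = 7                             # ut_type value written for a normal user login


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def lastlog_entry(lastlog_data: bytes, uid: int):
    """Return (timestamp, line, host) for uid, or None when lastlog says 'Never logged in'."""
    off = uid * LASTLOG_SIZE
    if off + LASTLOG_SIZE > len(lastlog_data):
        return None  # file shorter than this UID's slot: no record at all
    ts, line, host = struct.unpack_from(LASTLOG_FMT, lastlog_data, off)
    if ts == 0:
        return None  # zeroed slot: the same thing lastlog(8) prints as 'Never logged in'
    return ts, cstr(line), cstr(host)


def wtmp_logins(wtmp_data: bytes, user: str):
    """Return [(timestamp, line, host), ...] for every USER_PROCESS record of user."""
    found = []
    for off in range(0, len(wtmp_data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, wtmp_data, off)
        ut_type, ut_line, ut_user, ut_host, tv_sec = f[0], f[2], f[4], f[5], f[9]
        if ut_type == USER_PROCESS and cstr(ut_user) == user:
            found.append((tv_sec, cstr(ut_line), cstr(ut_host)))
    return found


def check_user(lastlog_data: bytes, wtmp_data: bytes, uid: int, user: str) -> dict:
    """Cross-check one account: wtmp logins with no lastlog record, or a lastlog record
    older than the newest wtmp login, are the cases that deserve a closer look."""
    ll = lastlog_entry(lastlog_data, uid)
    logins = wtmp_logins(wtmp_data, user)
    newest = max(logins, key=lambda r: r[0]) if logins else None
    if newest is None:
        status = "no wtmp logins"
    elif ll is None:
        status = "wtmp has logins but lastlog says never logged in"
    elif ll[0] < newest[0]:
        status = "lastlog older than newest wtmp login"
    else:
        status = "consistent"
    return {"user": user, "lastlog": ll, "newest_wtmp": newest, "status": status}


# --- constructed sample data (not taken from any real system) ---
def make_lastlog(entries: dict, nslots: int) -> bytes:
    """Build a lastlog image; entries maps uid -> (timestamp, line, host)."""
    buf = bytearray(nslots * LASTLOG_SIZE)
    for uid, (ts, line, host) in entries.items():
        struct.pack_into(LASTLOG_FMT, buf, uid * LASTLOG_SIZE, ts, line.encode(), host.encode())
    return bytes(buf)


def make_wtmp(records) -> bytes:
    """Build a wtmp image from (ut_type, pid, line, user, host, tv_sec) tuples."""
    buf = b""
    for ut_type, pid, line, user, host, tv_sec in records:
        buf += struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                           host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)
    return buf


DAY1 = 1128200000            # constructed timestamps, roughly October 2005 like the thread
DAY2 = DAY1 + 86400
SAMPLE_WTMP = make_wtmp([
    (USER_PROCESS, 1201, ":0", "alice", "", DAY1),    # ordinary X session login
    (USER_PROCESS, 1850, "tty1", "root", "", DAY2),   # a root login recorded in wtmp
])
SAMPLE_LASTLOG = make_lastlog({1000: (DAY1, ":0", "")}, nslots=1001)  # root slot left zeroed


if __name__ == "__main__":
    for uid, user in ((0, "root"), (1000, "alice")):
        print(check_user(SAMPLE_LASTLOG, SAMPLE_WTMP, uid, user))
    # On a live system, compare the file datestamps too, as the reply suggests (paths assumed).
    for path in ("/var/log/lastlog", "/var/log/wtmp"):
        if os.path.exists(path):
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
            print(path, "last modified", mtime.isoformat())
```

Run against the constructed images, the root check returns the status "wtmp has logins but lastlog says never logged in", which is the same discrepancy behind the chkrootkit message in the first post; a zeroed lastlog slot and a missing one are treated alike because lastlog(8) reports both as "Never logged in". To use it on real files, read `/var/log/lastlog` and `/var/log/wtmp` into bytes and pass them in with the UID and name from `/etc/passwd`.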

Re: chkrootkit / lastlog

On Thu, 13 Oct 2005 16:03:27 +0300, Jani Mikkonen wrote in message


I think we're dealing with two different things here. One is a root login
into its own login session; I think these are the ones (root or non-root)
that get reflected in /var/log/lastlog, but I might be wrong. In that
case, I have never done a root login of that kind. The other type is
getting root terminals by means of 'su'; these get noted in the ?tmp
files, and of course I've done many of these. They appear as well when I
check those files through 'who' or 'last'. Are these the ones you're
referring to by "last root login stamps in the ?tmp files"? If by these
you mean root terminals through 'su': yes, lastlog is dated older. If you
mean root logins proper, I've never done any of them.

I had already checked /var/log/lastlog with 'stat', and the date of the
last change and modification coincides with the time that I did the last
(non-root) login into an X session. I remember now that the system got
stalled and became unresponsive because it was using all the RAM and swap
(after some days of quite intensive use) and suddenly it killed the
session and threw me into a login prompt. That was the last time I logged
in, and the date coincides with the change/modification stats of
/var/log/lastlog. Could this abnormal termination of the previous session
have anything to do with what chkrootkit triggered?


That's what I'm trying to do. :)
