Greetings,...

On Saturday, 21 February 2004 17:11, s. keeling wrote:
> Incoming from Jan Lühr:
> > Greetings,
> >
> > I discovered some strange output of the last command on our Woody
> > Terminalserver (for X11). I have already posted it on debian-user-german,
> > but I didn't get any answer. (I hope you don't mind, if I post it for the
> > English speaking majority)
> > Although I hope it is not security related, I think, it may have a
> > security related aspect, which I cannot ignore.
> >
> > At first I ran an ordinary chkrootkit scan (like I do it every one or two
> > weeks).
>
> Two weeks? I run it every night.

Well, perhaps I should increase the frequency.

> > This time, it discovered:
> >
> > Checking `wted'... 24 deletion(s) between Thu Jan 1 01:00:00 1970 and
> > Sun Apr 7 02:03:36 1974
>
> Have you checked the chkrootkit archives for anything like this?

Honestly, I had a similar problem with another machine, posted it in May 2002 and didn't get an answer till now.

> > 17 deletion(s) between Sun Jan 25 08:20:56 2004 and Sun Apr 7 02:03:36
> > 1974
>
> Whaat?!? Between 2004 and 1974?!?

That's my reaction, too.

> > So I renamed all related files in order to start with a non-corrupt
> > database. But what could have caused this corruption? The machine itself
> > is quite stable
>
> Sunspots?

Maybe, but nothing else was wrong.

> Disk errors?

Referring to smartmontools, none.

> Resource exhaustion?

Maybe. This server uses non-registered RAM. (I know, I already fought my war against this machine, but the institution I work at is quite uncooperative)

> Unless you can
> definitively nail it down, I wouldn't start worrying until it happens
> again.

Of course - but the server has to keep running. For the next days. I'll reinstall 'em from scratch if it is a sec issue but I hope it is not - maybe there was just a power interruption which left a corrupt database behind. I really don't know.

> > But because of being a valuable information on intruders, intruders or
> > illegal root'ers might have compromised it.
> >
> > What's your opinion?
>
> Can you send logging to another (perhaps dedicated) machine?

Good idea, I have thought of that but it seems to be rather paranoid for me. Maybe it is time to realize it.

Keep smiling
yanosz
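An added example, not part of the original message and not chkrootkit's own code: a small check of a wtmp file for all-zero records, timestamps that run backwards, and a truncated tail, which are the kinds of damage discussed in this thread. It assumes glibc's 384-byte little-endian `struct utmp` layout; the function names and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc's 384-byte struct utmp record, little-endian (Linux/x86).
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20s")

def ts(sec):
    return datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def scan_wtmp(data, slack=60):
    """Return (record_index, kind, detail) tuples for suspicious records."""
    findings = []
    whole, rest = divmod(len(data), REC.size)
    last = None  # most recent non-zero timestamp seen so far
    for i in range(whole):
        raw = data[i * REC.size:(i + 1) * REC.size]
        sec = REC.unpack(raw)[9]  # field 9 is ut_tv.tv_sec
        if raw.count(0) == len(raw):
            findings.append((i, "zeroed", "record is all NUL bytes"))
        elif sec == 0:
            findings.append((i, "no-time", "timestamp is 0 (epoch)"))
        elif last is not None and sec + slack < last:
            findings.append((i, "backwards", f"{ts(last)} -> {ts(sec)}"))
        if sec:
            last = sec
    if rest:
        # A partial record at the end points to an interrupted write.
        findings.append((whole, "truncated", f"{rest} trailing bytes"))
    return findings

def make_record(user, line, sec, ut_type=7):
    # Constructed sample record; 7 is USER_PROCESS in <utmp.h>.
    return REC.pack(ut_type, 1000, line.encode(), b"", user.encode(),
                    b"", 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

# Constructed sample data, not taken from the machine in the thread.
SAMPLE = (make_record("alice", "pts/0", 1075000000)
          + bytes(REC.size)                          # wiped record
          + make_record("bob", "pts/1", 134500000)   # 1974 after 2004
          + make_record("carol", "pts/2", 1075000500)
          + b"\x00" * 100)                           # partial trailing record

if __name__ == "__main__":
    for idx, kind, detail in scan_wtmp(SAMPLE):
        print(f"record {idx}: {kind}: {detail}")
```

To check a real file, pass `open("/var/log/wtmp", "rb").read()` to `scan_wtmp`; running it against a copy kept on a separate log host makes local tampering visible as a difference between the two.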

