On Feb 13, 2025, at 12:51, home user via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > (f40; gnome; last patched minutes ago) > > When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted": > - - - - - - > [snip] > Checking `w55808'... not infected > Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025 > 1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025 > 1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025 > 1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025 > Checking `scalper'... not infected > [snip] > bash.5[~]: > - - - - - - > I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted". > > I tried to find what "wted" is: > - - - - - - > bash.5[~]: which wted > /usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin) > bash.6[~]: whereis wted > wted: > bash.7[~]: man wted > No manual entry for wted > bash.8[~]: dnf info wted > Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST. > Error: No matching Packages to list > bash.9[~]: > - - - - - - > duck-duck-go and google gave me nothing useful. > > What is "wted", and is there a security problem? The “wted” function in the chkrootkit script runs “chwtmp -f /var/log/wtmp` (the executable is part of the package and might not be on your path) What I think it’s doing is identifying time periods that appear to have been removed from the wtmp file, which is a binary log file that is updated every time you log in and out. The “last” command reads it, for example. A potentially compromised system might have the malicious login wiped from the file, although I’ve never seen that. This checker was written many years ago and I have no idea how accurate it is with modern tools and the current structure of that file. The chkrootkit code isn’t in any useful code repository so who knows what is going on there. Hope that helps. -- Jonathan Billings -- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
