Re: security: wted?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 2/13/25 3:11 PM, home user via users wrote:

On 2/13/25 2:40 PM, Jonathan Billings wrote:

On Feb 13, 2025, at 12:51, home user via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

[snip]


What is "wted", and is there a security problem?


The “wted” function in the chkrootkit script runs “chwtmp -f /var/log/wtmp` (the executable is part of the package and might not be on your path)

What I think it’s doing is identifying time periods that appear to have been removed from the wtmp file, which is a binary log file that is updated every time you log in and out. The “last” command reads it, for example. A potentially compromised system might have the malicious login wiped from the file, although I’ve never seen that.

  This checker was written many years ago and I have no idea how accurate it is with modern tools and the current structure of that file. The chkrootkit code isn’t in any useful code repository so who knows what is going on there.

Hope that helps.


Thank-you Jonathan.

Is there a way of checking for outside connections during the time periods being reported?


"Something inside me" suggested I try the "last" command, even though what you said suggested wtmp might be corrupted.  I did so.  For some unknown reason, booting this workstation sometimes fails to result in a login screen; it just goes black.  I have to hit the tower's reset button.  It often takes 2 boots, occasionally 3, to get a login screen.  I've not been able to discern a pattern to this.  In the output to "last", I can see when those multiple boots happened.  The wted messages in the chkrootkit output all coincide with when it took 2 or 3 boots to get a login screen, though most multiple boots that did not correspond to wted messages in the chkrootkit output.  I'm now thinking the wted messages are not a security issue, but I'm not certain.

--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux