On 2/13/25 2:40 PM, Jonathan Billings wrote:
On Feb 13, 2025, at 12:51, home user via users users@lists.fedoraproject.org wrote:
(f40; gnome; last patched minutes ago)
When I ran chkrootkit, I got the following (including a few lines of context) regarding "wted":
[snip] Checking `w55808'... not infected Checking `wted'... 1 deletion(s) between Tue Jan 28 07:33:49 2025 and Tue Jan 28 07:36:08 2025 1 deletion(s) between Fri Feb 7 08:13:43 2025 and Fri Feb 7 08:15:51 2025 1 deletion(s) between Sat Feb 8 15:26:59 2025 and Sat Feb 8 15:29:22 2025 1 deletion(s) between Sat Feb 8 15:29:22 2025 and Sat Feb 8 15:31:27 2025 Checking `scalper'... not infected [snip] bash.5[~]:
I got the same thing both before and after "dnf upgrade". rkhunter made no mention of "wted".
I tried to find what "wted" is:
bash.5[~]: which wted /usr/bin/which: no wted in (/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/root/bin) bash.6[~]: whereis wted wted: bash.7[~]: man wted No manual entry for wted bash.8[~]: dnf info wted Last metadata expiration check: 0:23:46 ago on Thu 13 Feb 2025 10:05:51 AM MST. Error: No matching Packages to list bash.9[~]:
duck-duck-go and google gave me nothing useful.
What is "wted", and is there a security problem?
The “wted” function in the chkrootkit script runs “chwtmp -f /var/log/wtmp` (the executable is part of the package and might not be on your path)
What I think it’s doing is identifying time periods that appear to have been removed from the wtmp file, which is a binary log file that is updated every time you log in and out. The “last” command reads it, for example. A potentially compromised system might have the malicious login wiped from the file, although I’ve never seen that.
This checker was written many years ago and I have no idea how accurate it is with modern tools and the current structure of that file. The chkrootkit code isn’t in any useful code repository so who knows what is going on there.
Hope that helps.
Thank-you Jonathan.
Is there a way of checking for outside connections during the time periods being reported?