Hey folks,
Can anyone tell me what the following output from chkrootkit might mean:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 4674 tty1 /sbin/mingetty tty1
! root 4677 tty2 /sbin/mingetty tty2
! root 4680 tty3 /sbin/mingetty tty3
! root 4683 tty4 /sbin/mingetty tty4
! root 4686 tty5 /sbin/mingetty tty5
Naturally I'm concerned.
Thanks,
Stuart.
Stuart Lowe wrote:
| Can anyone tell me what the following output from chkrootkit might mean:
|
| Checking `chkutmp'... The tty of the following user process(es) were not found
| in /var/run/utmp !
| ! RUID PID TTY CMD
| ! root 4674 tty1 /sbin/mingetty tty1

# grep min /var/run/utmp
#

Either we are both hacked the same way ;-) or it means chkrootkit has identified something that is a normal situation on our Fedora machines.

-Andy
On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
| Checking `chkutmp'... The tty of the following user process(es) were not found
| in /var/run/utmp !
| ! RUID PID TTY CMD
| ! root 4674 tty1 /sbin/mingetty tty1

Either we are both hacked the same way ;-) or it means chkrootkit has identified something that is a normal situation on our Fedora machines.
Looks like chkutmp is new in version 0.45, and is being overly aggressive. This looks like a bug to me; I think it should be reported upstream at http://www.chkrootkit.org/.
On Tue, May 31, 2005 at 12:44:30PM -0400, Matthew Miller wrote:
On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
| Checking `chkutmp'... The tty of the following user process(es) were not found
| in /var/run/utmp !
| ! RUID PID TTY CMD
| ! root 4674 tty1 /sbin/mingetty tty1

Either we are both hacked the same way ;-) or it means chkrootkit has identified something that is a normal situation on our Fedora machines.
Looks like chkutmp is new in version 0.45, and is being overly aggressive. This looks like a bug to me; I think it should be reported upstream at http://www.chkrootkit.org/.
Thanks for your comments guys. For what it's worth I sent in a comment to the authors at chkrootkit.org.
Cheers,
Stuart.
On 5/31/05, Stuart Lowe stuart@teksavvy.com wrote:
On Tue, May 31, 2005 at 12:44:30PM -0400, Matthew Miller wrote:
On Tue, May 31, 2005 at 05:42:00PM +0100, Andy Green wrote:
| Checking `chkutmp'... The tty of the following user process(es) were not found
| in /var/run/utmp !
| ! RUID PID TTY CMD
| ! root 4674 tty1 /sbin/mingetty tty1
This warning from chkrootkit can be ignored for getty-type processes, such as /sbin/mingetty. It is normal behavior for a getty process to be attached to a tty device, yet not have an audit entry recorded in the utmp file. In fact, it is getty in combination with login that creates those utmp entries. But while getty is sitting on a tty device waiting for a user to login, the state that chkutmp reports is normal.
It is proper that chkrootkit detects this sort of condition, because it could indicate a process trying to "hide". However it should have the getty processes as an explicit exception to the rule. But non-getty processes should be reported.
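The check the last reply describes, written out as an added example (not part of the thread and not chkrootkit's own code): a chkutmp-style comparison of tty-attached processes against /var/run/utmp, with getty-type programs as the explicit exception. The utmp layout assumed is the glibc 384-byte record; the utmp bytes and the process table are constructed samples, the mingetty lines being the ones from the thread.

```python
import os
import struct

# glibc <utmp.h> record layout, 384 bytes; explicit padding after ut_type so the
# format packs identically on every platform (assumption: glibc layout).
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type of a logged-in session written by login(1)

def parse_utmp(data):
    """Yield (ut_type, pid, line, user) for every record in a utmp blob."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, pid, line, _id, user = struct.unpack_from(UTMP_FMT, data, off)[:5]
        yield (ut_type, pid, line.split(b"\0", 1)[0].decode(),
               user.split(b"\0", 1)[0].decode())

def is_getty(cmd):
    """getty/mingetty/agetty sit on a tty before login has written any utmp record."""
    return os.path.basename(cmd.split()[0]).endswith("getty")

def check_utmp(procs, utmp_data):
    """Return (suspicious, ignored_gettys): processes attached to a tty that has
    no USER_PROCESS record in utmp. Getty-type commands are the known benign case."""
    known = {line for t, _pid, line, _u in parse_utmp(utmp_data) if t == USER_PROCESS}
    suspicious, ignored = [], []
    for ruid, pid, tty, cmd in procs:
        if tty == "?" or tty in known:
            continue
        (ignored if is_getty(cmd) else suspicious).append((ruid, pid, tty, cmd))
    return suspicious, ignored

def make_record(ut_type, pid, line, user):
    """Pack one constructed utmp record (unused fields zeroed)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")

# Constructed utmp: one real login and no getty records, like the empty
# "grep min /var/run/utmp" result in the thread.
SAMPLE_UTMP = make_record(USER_PROCESS, 5123, "pts/0", "alice")

# Constructed process table in chkutmp's RUID/PID/TTY/CMD shape.
SAMPLE_PROCS = [
    ("root", 4674, "tty1", "/sbin/mingetty tty1"),
    ("root", 4677, "tty2", "/sbin/mingetty tty2"),
    ("root", 4680, "tty3", "/sbin/mingetty tty3"),
    ("root", 4683, "tty4", "/sbin/mingetty tty4"),
    ("root", 4686, "tty5", "/sbin/mingetty tty5"),
    ("alice", 5130, "pts/0", "-bash"),
    ("root", 6001, "tty6", "/tmp/.hidden/daemon"),  # constructed: non-getty, not in utmp
]

if __name__ == "__main__":
    bad, skipped = check_utmp(SAMPLE_PROCS, SAMPLE_UTMP)
    for p in bad:
        print("! %s %d %s %s" % p)  # only the non-getty process is reported
```

Only the constructed tty6 process is reported; the five mingetty entries from the thread land in the ignored list.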