David Guntner wrote:
> 
> Hi,
> 
> This morning, I ran chkrootkit on my ML 8.2 system, and everything turned
> up with the usual "nothing found" message, except the last one.  It came
> up:
> 
> Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time}
> and {time}
> 
> (The "{time}" is just me saving myself some typing - there were actually
> times present. :)
> 
> Question:  Based on this, is my system likely to have been compromised or
> not?  For that matter, what's wted?
> 

Looks like it is telling you about some file deletions. Did you do any
file deleting between the times listed in the message? Chkrootkit is a
*good* program for doing what it is designed to do: that is, to find
rootkits. To monitor files, all files, i.e. file perms/attribs that
change, changed md5 info on files, additions/deletions of files, etc.,
you really should try using Tripwire in conjunction with chkrootkit.

David, from what you have posted, it is difficult to say if you were or
you were not cracked but I would be very suspicious, and do a bunch of
"greps" on your other log files, esp auth and security logs...

drjung
 
-- 
J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
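
The kind of file monitoring the reply recommends Tripwire for, shown as an added example that is not part of the original message and is not Tripwire's own code: it records mode, owner and a SHA-256 hash (used here in place of the MD5 mentioned above) for each file, then reports additions, deletions, content changes and attribute changes against that baseline. The function names `snapshot` and `compare` and the sample tree are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root to [mode, uid, gid, sha256]."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = [
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest]
    return state


def compare(baseline, current):
    """Sort every path into added / deleted / content / attrs changes."""
    report = {"added": [], "deleted": [], "content": [], "attrs": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["deleted"].append(path)
        else:
            old, new = baseline[path], current[path]
            if old[3] != new[3]:
                report["content"].append(path)   # hash differs
            if old[:3] != new[:3]:
                report["attrs"].append(path)     # mode or owner differs
    return report


if __name__ == "__main__":
    # Constructed sample tree; on a real host, snapshot a system directory.
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "login"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("original " + name)
        baseline = snapshot(root)
        os.remove(os.path.join(root, "login"))
        with open(os.path.join(root, "ls"), "w") as fh:
            fh.write("replaced")
        print(compare(baseline, snapshot(root)))
```

A baseline is only meaningful if it was taken while the system was known to be clean and is kept where an intruder on the host cannot rewrite it, for example on read-only media.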
