Gentoo Forums
deletions (chkrootkit reported) during console login
bruda
Guru


Joined: 06 May 2004
Posts: 376
Location: Sherbrooke, QC, Canada

Posted: Thu Jul 22, 2004 8:14 pm    Post subject: deletions (chkrootkit reported) during console login

Hi.

Each login from the console causes deletions in lastlog/wtmp, at least this is what chkrootkit reports. For instance, I get for today:

Code:
2 deletion(s) between Thu Jul 22 14:02:19 2004 and Thu Jul 22 14:02:56 2004
2 deletion(s) between Thu Jul 22 14:03:08 2004 and Thu Jul 22 14:11:23 2004
4 deletion(s) between Thu Jul 22 14:11:23 2004 and Thu Jul 22 14:24:31 2004
2 deletion(s) between Thu Jul 22 14:24:31 2004 and Thu Jul 22 14:34:38 2004
4 deletion(s) between Thu Jul 22 14:34:38 2004 and Thu Jul 22 14:39:17 2004
2 deletion(s) between Thu Jul 22 14:39:17 2004 and Thu Jul 22 14:39:47 2004


These are precisely the times at which somebody (myself actually) logged in from the console. It does happen systematically (I did freak out the first time), and the "feature" does not manifest itself for logins through SSH. Did anybody encounter anything like this?

This happens with a full 64-bit Gentoo on a dual 2GHz Apple G5. None of my other machines (three 32-bit PPCs of various generations and a Pentium IV) behave like this.
_________________
Quid latine dictum sit altum videtur
bruda
Guru


Joined: 06 May 2004
Posts: 376
Location: Sherbrooke, QC, Canada

Posted: Thu Jul 22, 2004 8:25 pm

Damn, sorry, I forgot to mention that the corresponding lines in last -aix look like this:

Code:
root     vc/2         Thu Jul 22 14:34 - 19:00 (-12621+-18: 0.0.0.0
root     vc/2         Thu Jul 22 14:11 - 19:00 (-12621+-18: 0.0.0.0
bruda    vc/1         Thu Jul 22 14:03 - 19:00 (-12621+-18: 0.0.0.0
root     vc/1         Thu Jul 22 14:02 - 19:00 (-12621+-18: 0.0.0.0


These are the logins alright, but the durations are, as one easily sees, all screwed up. I am suspecting a problem in a PAM module; any idea on how to diagnose it further? Thanks again.
_________________
Quid latine dictum sit altum videtur
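
An added example, not part of the thread: one way to inspect a wtmp file directly for the two symptoms shown above, records with a zero timestamp and sessions whose logout is stamped earlier than the login. The 384-byte record layout and the idea that a zero timestamp is what gets counted as a deletion are assumptions, and the sample records are constructed.

```python
import struct

# Assumption: 384-byte glibc/Linux struct utmp, 32-bit time fields, native byte order.
REC = struct.Struct("=hxxi32s4s32s256shhiii4i20x")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values for login and logout

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def records(buf):
    """Yield (type, line, user, tv_sec) for every whole record in buf."""
    for off in range(0, len(buf) - REC.size + 1, REC.size):
        f = REC.unpack_from(buf, off)
        yield f[0], _text(f[2]), _text(f[4]), f[9]

def audit(buf):
    """Report zero-timestamp runs, sessions that end before they start, trailing bytes."""
    zero_runs, bad_sessions, open_on = [], [], {}
    run, last_ts = 0, None
    for typ, line, user, ts in records(buf):
        if ts == 0:
            run += 1
        else:
            if run:  # run of zeroed records closed by a valid timestamp
                zero_runs.append((run, last_ts, ts))
                run = 0
            last_ts = ts
        if typ == USER_PROCESS:
            open_on[line] = (user, ts)
        elif typ == DEAD_PROCESS and line in open_on:
            login_user, login_ts = open_on.pop(line)
            if ts < login_ts:  # logout stamped earlier than the login it closes
                bad_sessions.append((login_user, line, login_ts, ts))
    if run:
        zero_runs.append((run, last_ts, None))
    return {"zero_runs": zero_runs, "bad_sessions": bad_sessions,
            "trailing_bytes": len(buf) % REC.size}

def make(typ, line, user, ts):
    """Build one constructed record (all other fields zero)."""
    return REC.pack(typ, 0, line.encode(), b"", user.encode(), b"", 0, 0, 0, ts, *[0] * 5)

# Constructed sample: clean session on vc/1, then a vc/2 logout with a zero timestamp.
SAMPLE = (make(USER_PROCESS, "vc/1", "bruda", 1090519388)
          + make(DEAD_PROCESS, "vc/1", "", 1090519400)
          + make(USER_PROCESS, "vc/2", "root", 1090521278)
          + make(DEAD_PROCESS, "vc/2", "", 0)
          + make(USER_PROCESS, "vc/2", "root", 1090521557))
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero `trailing_bytes`, or fields that decode as garbage on a real file, suggests the assumed record size does not match what the writing program used on that platform.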