Gentoo Forums
chkrootkit warning - anything to be worried about?
eponymous
Tux's lil' helper


Joined: 02 Feb 2005
Posts: 136

Posted: Mon Apr 15, 2013 12:58 pm    Post subject: chkrootkit warning - anything to be worried about?

Hi,

I've just installed chkrootkit and I'm not sure how to interpret the following (I've removed the rest as it looked fine):

Code:

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! <user>       1**** pts/0  /usr/bin/ssh -oForwardX11 no -oForwardAgent no -oClearAllForwardings yes -oProtocol 2 -oNoHostAuthenticationForLocalhost yes -l <another_user> -s <hostname> sftp


Note: I've masked out the two users in question along with the hostname.

I connect to the above SFTP server using Gigolo in Xfce. When I "Disconnect" the share, the above message goes away. I don't understand why it is there when I connect to the host however.

Is this something to be concerned about?
phajdan.jr
Developer


Joined: 23 Mar 2006
Posts: 1767
Location: Poland

Posted: Mon Apr 15, 2013 6:26 pm

If you can reliably reproduce this by using sftp, it's fine. I think SFTP doesn't use utmp.
_________________
http://phajdan-jr.blogspot.com/
eponymous
Tux's lil' helper


Joined: 02 Feb 2005
Posts: 136

Posted: Tue Apr 16, 2013 10:19 am

Thanks :)

I also have this message:

net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))

Do you know what it means?

I'm having trouble finding documentation on how to interpret chkrootkit results...
phajdan.jr
Developer


Joined: 23 Mar 2006
Posts: 1767
Location: Poland

Posted: Tue Apr 16, 2013 6:15 pm

Seems to be fine: http://www.mail-archive.com/debian-user@lists.debian.org/msg81687.html
_________________
http://phajdan-jr.blogspot.com/
eponymous
Tux's lil' helper


Joined: 02 Feb 2005
Posts: 136

Posted: Wed Apr 17, 2013 2:44 pm

Hmm, that seems similar but my message states that the file is deleted. Does that have any significance?
phajdan.jr
Developer


Joined: 23 Mar 2006
Posts: 1767
Location: Poland

Posted: Sat Apr 20, 2013 9:28 pm

eponymous wrote:
Hmm, that seems similar but my message states that the file is deleted. Does that have any significance?


It was running from portage's temporary directory. Might have been part of some tests (are you running with FEATURES="test"? emerge --info prints that), or just some other thing you'd do explicitly.
_________________
http://phajdan-jr.blogspot.com/
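
Added example, not part of the original thread and not chkrootkit's own code: one way to look into the PF_PACKET line discussed above is to match the socket inodes listed in /proc/net/packet against each process's /proc/<pid>/fd links, then check whether the executable link ends in "(deleted)" and whether its path lies under /var/tmp/portage/. The function names and the sample data are constructed for illustration.

```python
import os, re

def packet_inodes(proc_net_packet):
    """Inodes of open AF_PACKET sockets: the last column of /proc/net/packet."""
    rows = proc_net_packet.strip().splitlines()[1:]   # skip the header row
    return {r.split()[-1] for r in rows if r.split()}

def triage(inodes, procs):
    """procs: {pid: (exe_link, [fd_link, ...])} -> [(pid, path, deleted, note)]."""
    findings = []
    for pid, (exe, fds) in sorted(procs.items()):
        held = {m.group(1) for fd in fds
                if (m := re.fullmatch(r"socket:\[(\d+)\]", fd))}
        if not held & inodes:
            continue                      # this process holds no packet socket
        deleted = exe.endswith(" (deleted)")
        path = exe[:-len(" (deleted)")] if deleted else exe
        if not deleted:
            note = "binary still on disk"
        elif path.startswith("/var/tmp/portage/"):
            note = "ran from Portage's temporary directory, as in the thread"
        else:
            note = "deleted binary outside Portage's tree: investigate"
        findings.append((pid, path, deleted, note))
    return findings

def live_procs():
    """Collect the same links from a running Linux system (root sees all PIDs)."""
    procs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            fd_dir = f"/proc/{pid}/fd"
            fds = [os.readlink(f"{fd_dir}/{n}") for n in os.listdir(fd_dir)]
        except OSError:
            continue      # kernel thread, exited process, or no permission
        procs[int(pid)] = (exe, fds)
    return procs

# Constructed sample data (PIDs and inodes are made up, path is the one quoted above).
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a0c1000 3      3    0003   2     1 0      0      11520
"""
SAMPLE_PROCS = {
    2101: ("/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted)",
           ["/dev/null", "socket:[11520]", "socket:[11533]"]),
    2200: ("/usr/sbin/sshd", ["socket:[11600]"]),
}
if __name__ == "__main__":
    for row in triage(packet_inodes(SAMPLE_PACKET), SAMPLE_PROCS):
        print(row)
```

On a live system, pass `packet_inodes(open("/proc/net/packet").read())` and `live_procs()` to `triage()` instead of the sample data.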