eponymous Tux's lil' helper
Joined: 02 Feb 2005 Posts: 141
Posted: Mon Apr 15, 2013 12:58 pm Post subject: chkrootkit warning - anything to be worried about?

Hi,
I've just installed chkrootkit and I'm not sure how to interpret the following (I've removed the rest as it looked fine):
Code:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! <user> 1**** pts/0 /usr/bin/ssh -oForwardX11 no -oForwardAgent no -oClearAllForwardings yes -oProtocol 2 -oNoHostAuthenticationForLocalhost yes -l <another_user> -s <hostname> sftp

Note: I've masked out the two users in question along with the hostname.
I connect to the above SFTP server using Gigolo in Xfce. When I "Disconnect" the share, the above message goes away. I don't understand why it is there when I connect to the host however.
Is this something to be concerned about?

phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
Posted: Mon Apr 15, 2013 6:26 pm Post subject:

If you can reliably reproduce this by using sftp, it's fine. I think SFTP doesn't use utmp.
_________________
http://phajdan-jr.blogspot.com/

eponymous Tux's lil' helper
Joined: 02 Feb 2005 Posts: 141
Posted: Tue Apr 16, 2013 10:19 am Post subject:

Thanks
I also have this message:
net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))
Do you know what it means?
I'm having trouble finding documentation on how to interpret chkrootkit results...

phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
eponymous Tux's lil' helper
Joined: 02 Feb 2005 Posts: 141
Posted: Wed Apr 17, 2013 2:44 pm Post subject:

Hmm, that seems similar but my message states that the file is deleted. Does that have any significance?

phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
Posted: Sat Apr 20, 2013 9:28 pm Post subject:

eponymous wrote: "Hmm, that seems similar but my message states that the file is deleted. Does that have any significance?"

It was running from portage's temporary directory. Might have been part of some tests (are you running with FEATURES="test"? emerge --info prints that), or just some other thing you'd do explicitly.
_________________
http://phajdan-jr.blogspot.com/
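
Added example (not part of the thread and not chkrootkit's own code): a small triage helper that parses the two kinds of chkrootkit lines quoted above and separates the cases the replies explain (an ssh sftp client without a utmp entry, a deleted binary under portage's build directory) from lines that still need a look. The verdict names, the sample users, PIDs and host, and the ", " separator between several processes on one interface are assumptions.

```python
import re

# Constructed sample in the shape of the lines quoted in the thread;
# users, PIDs and hosts are placeholders, and the last line is invented.
SAMPLE = """\
! RUID PID TTY CMD
! alice 1**** pts/0 /usr/bin/ssh -oProtocol 2 -l bob -s files.example sftp
! alice 2311 pts/1 /bin/bash
net0: PF_PACKET(/var/tmp/portage/net-misc/dhcp-4.2.5_p1/image/sbin/dhclient (deleted))
eth0: PF_PACKET(/sbin/dhclient, /opt/tool/capture (deleted))
"""

# PID may be partly masked with '*', as in the first post
UTMP_ROW = re.compile(r"^!\s+(\S+)\s+(\d[\d*]*)\s+(\S+)\s+(.+)$")
PF_PACKET = re.compile(r"^(\S+): PF_PACKET\((.*)\)$")
DELETED = " (deleted)"
PORTAGE_TMP = "/var/tmp/portage/"  # build directory named in the thread


def triage(report):
    """Return (check, subject, verdict) tuples for chkutmp and PF_PACKET lines."""
    findings = []
    for line in map(str.strip, report.splitlines()):
        row = UTMP_ROW.match(line)
        if row:
            user, pid, _tty, cmd = row.groups()
            argv = cmd.split()
            # ssh started as an sftp subsystem client, as in the first post
            is_sftp = (argv[0].rsplit("/", 1)[-1] == "ssh"
                       and "-s" in argv and argv[-1] == "sftp")
            findings.append(("chkutmp", f"{user}:{pid}",
                             "ssh-sftp-client" if is_sftp else "investigate"))
            continue
        sock = PF_PACKET.match(line)
        if sock:
            iface, procs = sock.groups()
            # Assumption: several processes on one interface are ", "-separated
            for entry in procs.split(", "):
                gone = entry.endswith(DELETED)
                path = entry[:-len(DELETED)] if gone else entry
                if not gone:
                    verdict = "on-disk"
                elif path.startswith(PORTAGE_TMP):
                    verdict = "deleted-portage-build"
                else:
                    verdict = "deleted-binary"
                findings.append(("PF_PACKET", f"{iface}:{path}", verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```

The verdicts are based only on the path string in the report; the file a process is actually running can be inspected through /proc/<pid>/exe while the process is alive.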