This is a discussion on chkrootkit wted warning within the Linux Security forums, part of the System Security and Security Related category.
Hi,

I noticed in chkrootkit's output the line

Checking `wted'... 8 deletion(s) between ...(shortened by me)

I checked wtmp and all other logs; apparently the system has crashed at the time in question, so probably that's the reason for the deletions. Just to be sure, I've been looking for any suspicious activities that could indicate a compromise.

I checked for noisy network traffic.
I compared ps aux with /proc.
I booted from clean media and checked for suspicious files.
I installed check_ps and checked for hidden or fake processes.

So far, everything seems to be ok, and since the system is not connected to the LAN, I'm willing to leave it at that, but probably somebody has additional ideas what to check.

TIA
Ransom

--
For real email get public key 0xF6BB5695 from www.keyserver.net
NO to Software Patents - http://www.ffii.org

Ransom wrote:
> Hi,
>
> I noticed in chkrootkit's output the line
> Checking `wted'... 8 deletion(s) between ...(shortened by me)
>
> I checked wtmp and all other logs; apparently the system has
> crashed at the time in question, so probably that's the reason
> for the deletions. Just to be sure, I've been looking for any
> suspicious activities that could indicate a compromise.
>
> I checked for noisy network traffic.
> I compared ps aux with /proc.
> I booted from clean media and checked for suspicious files.
> I installed check_ps and checked for hidden or fake processes.
>
> So far, everything seems to be ok, and since the system is not
> connected to the LAN, I'm willing to leave it at that, but
> probably somebody has additional ideas what to check.
>
> TIA
> Ransom

Try to compare the netstat output and a port scan from another clean system.

Eric

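The comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs the TCP listeners the suspect host reports about itself against the ports a scan from a clean machine actually finds open. The sample `netstat -tln` text, the grepable nmap (`-oG`) line, the address 192.0.2.10 and port 5002 are all constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: `netstat -tln` output captured on the suspect host.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# Constructed sample: grepable nmap output (-oG) taken from a clean machine.
NMAP_SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 111/closed/tcp//rpcbind///, "
    "5002/open/tcp//unknown///\n"
)

def local_listeners(netstat_text):
    """Return {port: reachable_from_network} for TCP sockets in LISTEN state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # skip headers and non-listening sockets
        addr, port = fields[3].rsplit(":", 1)
        external = not (addr.startswith("127.") or addr == "::1")
        ports[int(port)] = ports.get(int(port), False) or external
    return ports

def scanned_open(nmap_text):
    """Return the set of TCP ports the scan reported as open."""
    return {int(p) for p in re.findall(r"(\d+)/open/tcp/", nmap_text)}

def compare(netstat_text, nmap_text):
    local, seen = local_listeners(netstat_text), scanned_open(nmap_text)
    return {
        # Open from outside but missing locally: the local tools may be lying.
        "unreported": sorted(seen - set(local)),
        # Listed on a routable address but not seen: probably filtered.
        "not_seen": sorted(p for p, ext in local.items() if ext and p not in seen),
    }

if __name__ == "__main__":
    print(compare(NETSTAT_SAMPLE, NMAP_SAMPLE))
```

Loopback-only listeners (port 25 in the sample) are excluded from `not_seen` because an external scan cannot reach them. UDP sockets need a separate scan and a separate comparison.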
Eric Teuber wrote:
>
> Try to compare the netstat output and a port scan from another
> clean system.
>

Thanks, will try that.

Ransom

--
For real email get public key 0xF6BB5695 from www.keyserver.net
NO to Software Patents - http://www.ffii.org