chkrootkit warning - hacked?
(I'm running fedora core 6)
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2908 tty0 /sbin/mingetty tty0
chkutmp: nothing deleted
I'm currently logged in as a non-root user via SSH, and there shouldn't be any other logins. (I'm running chkrootkit via sudo.)
The reason I used chkrootkit is that I noticed hits in my server logs for a URL which isn't linked from anywhere at all.
Is another linode user sniffing the local network traffic?
The offending source IP was 83.195.58.159
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '83.195.58.0 - 83.195.58.255'
inetnum: 83.195.58.0 - 83.195.58.255
netname: IP2000-ADSL-BAS
descr: BSNAN152 Nantes Bloc 1
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks:
mnt-by: FT-BRX
source: RIPE # Filtered
role: Wanadoo France Technical Role
address: FRANCE TELECOM/SCR
address: 48 rue Camille Desmoulins
address: 92791 ISSY LES MOULINEAUX CEDEX 9
address: FR
phone: +33 1 58 88 50 00
e-mail:
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
nic-hdl: WITR1-RIPE
mnt-by: FT-BRX
source: RIPE # Filtered
% Information related to '83.192.0.0/13AS3215'
route: 83.192.0.0/13
descr: France Telecom
origin: AS3215
mnt-by: RAIN-TRANSPAC
source: RIPE # Filtered
@fireartist:
I've gotten the following warning from chkrootkit - is it anything to worry about?
(I'm running fedora core 6)
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2908 tty0 /sbin/mingetty tty0
chkutmp: nothing deleted
I can't really tell from just that. But, tty0 is the lish console.
@fireartist:
I'm currently logged in as a non-root user via SSH, and there shouldn't be any other logins. (I'm running chkrootkit via sudo.)
The reason I used chkrootkit is that I noticed hits in my server logs for a URL which isn't linked from anywhere at all.
You can't possibly know that. But I won't dredge onward on that.
@fireartist:
Is another linode user sniffing the local network traffic?
The offending source IP was 83.195.58.159
One linode cannot sniff another linode's traffic, this is blocked by caker's ether-bridge firewalling. Where did you get 83.195.58.159 from?
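For readers wondering what the chkutmp warning above actually tests, here is an added example (not chkrootkit's own code) that reproduces the gist of the check: parse the binary utmp records, collect the ttys they account for, and list processes whose tty is missing. The utmp bytes and ps rows are constructed sample data mirroring the thread (an SSH session on pts/0 plus the mingetty on tty0), so it runs offline.

```python
"""Reproduce the idea behind chkrootkit's chkutmp check: report processes whose
controlling tty has no LOGIN_PROCESS/USER_PROCESS entry in /var/run/utmp.
Added example, not chkrootkit's code; all sample data below is constructed."""
import struct
from collections import namedtuple

# Linux glibc utmp record (384 bytes, little-endian): ut_type, pad, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], __unused[20].
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
LOGIN_PROCESS, USER_PROCESS = 6, 7      # ut_type values that own a tty

PsRow = namedtuple("PsRow", "ruid pid tty cmd")

def utmp_ttys(raw):
    """Set of tty names (ut_line) that utmp currently accounts for."""
    ttys = set()
    for off in range(0, len(raw) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, _pid, ut_line = struct.unpack_from(UTMP_FMT, raw, off)[:3]
        if ut_type in (LOGIN_PROCESS, USER_PROCESS):
            ttys.add(ut_line.split(b"\0", 1)[0].decode())
    return ttys

def parse_ps_lines(lines):
    """Parse `ps -eo ruser,pid,tty,args --no-headers` style lines."""
    rows = []
    for line in lines:
        ruid, pid, tty, cmd = line.split(None, 3)
        rows.append(PsRow(ruid, int(pid), tty, cmd))
    return rows

def orphan_tty_processes(ps_rows, raw_utmp):
    """Rows on a real tty that utmp does not list: the condition chkutmp prints.
    It is a lead to investigate (a console getty can trigger it), not proof."""
    known = utmp_ttys(raw_utmp)
    return [r for r in ps_rows if r.tty != "?" and r.tty not in known]

def make_utmp_record(ut_type, pid, line, user):
    """Build one constructed utmp record (strings are null-padded by pack)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, b"", b"")

# Constructed sample: the poster's SSH session is in utmp, the getty on tty0
# (the lish console, per the reply above) is not, so it is the row reported.
SAMPLE_UTMP = make_utmp_record(USER_PROCESS, 3120, "pts/0", "fireartist")
SAMPLE_PS = parse_ps_lines(["fireartist 3120 pts/0 -bash",
                            "root 2908 tty0 /sbin/mingetty tty0",
                            "root 1 ? init"])

if __name__ == "__main__":
    for r in orphan_tty_processes(SAMPLE_PS, SAMPLE_UTMP):
        print(f"! {r.ruid} {r.pid} {r.tty} {r.cmd}")
```

On a live box, replace SAMPLE_UTMP with the bytes of /var/run/utmp and SAMPLE_PS with the output of the ps command named in parse_ps_lines.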
@warewolf:
I can't really tell from just that. But, tty0 is the lish console.
That's reassuring, thanks.
@warewolf:
You can't possibly know that. But I won't dredge onward on that.
I had thought it impossible because the linode's fairly new and doesn't even have a domain pointing to it yet, but I've just googled my IP address and found that in a mail I'd sent to a list last week I'd accidentally left the URL in some server output.
My bad!
Thanks for your help