chkrootkit warning - hacked?

I've gotten the following warning from chkrootkit - is it anything to worry about?

(I'm running fedora core 6)

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         2908 tty0   /sbin/mingetty tty0
chkutmp: nothing deleted

I'm currently logged in as a non-root user via SSH, and there shouldn't be any other logins. (I'm running chkrootkit via sudo)

The reason I used chkrootkit is because I noticed hits in my server logs for a url which isn't linked from anywhere at all.

Is another linode user sniffing the local network traffic?

The offending source IP was 83.195.58.159

4 Replies

$ whois -h whois.ripe.net 83.195.58.159
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '83.195.58.0 - 83.195.58.255'
inetnum:  83.195.58.0 - 83.195.58.255
netname:  IP2000-ADSL-BAS
descr:    BSNAN152 Nantes Bloc 1
country:  FR
admin-c:  WITR1-RIPE
tech-c:   WITR1-RIPE
status:   ASSIGNED PA
remarks:  for hacking, spamming or security problems send mail to
remarks:  postmaster@wanadoo.fr AND abuse@wanadoo.fr
mnt-by:   FT-BRX
source:   RIPE # Filtered

role:     Wanadoo France Technical Role
address:  FRANCE TELECOM/SCR
address:  48 rue Camille Desmoulins
address:  92791 ISSY LES MOULINEAUX CEDEX 9
address:  FR
phone:    +33 1 58 88 50 00
e-mail:   abuse@wanadoo.fr
admin-c:  WITR1-RIPE
tech-c:   WITR1-RIPE
nic-hdl:  WITR1-RIPE
mnt-by:   FT-BRX
source:   RIPE # Filtered

% Information related to '83.192.0.0/13AS3215'
route:    83.192.0.0/13
descr:    France Telecom
origin:   AS3215
mnt-by:   RAIN-TRANSPAC
source:   RIPE # Filtered

@fireartist:

I've gotten the following warning from chkrootkit - is it anything to worry about?

(I'm running fedora core 6)

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         2908 tty0   /sbin/mingetty tty0
chkutmp: nothing deleted

I can't really tell from just that. But, tty0 is the lish console.

@fireartist:

I'm currently logged in as a non-root user via SSH, and there shouldn't be any other logins. (I'm running chkrootkit via sudo)

The reason I used chkrootkit is because I noticed hits in my server logs for a url which isn't linked from anywhere at all.

You can't possibly know that. But I won't dredge onward on that.

@fireartist:

Is another linode user sniffing the local network traffic?

The offending source IP was 83.195.58.159

One linode cannot sniff another linode's traffic, this is blocked by caker's ether-bridge firewalling. Where did you get 83.195.58.159 from?

@warewolf:

I can't really tell from just that. But, tty0 is the lish console.

That's reassuring, thanks.

> You can't possibly know that. But I won't dredge onward on that.

I had thought it impossible because the linode's fairly new and doesn't even have a domain pointing to it yet, but I've just googled my IP address and found that in a mail I'd sent to a list last week I'd accidentally left the url in some server output.

My bad!

Thanks for your help

It looks like the original user process on that tty exited without cleaning out the utmp entry. Probably an accident, rather than a hack.
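To make the warning concrete, here is an added example (not chkrootkit's own code) of the comparison chkutmp performs: it decodes the binary /var/run/utmp records and flags any process from ps whose tty has no live LOGIN_PROCESS or USER_PROCESS entry. It assumes the glibc x86-64 struct utmp layout (384 bytes per record) and ps columns in the order ruser, pid, tty, args; the utmp blob and ps listing are constructed to reproduce the mingetty-on-tty0 case from this thread.

```python
import struct

# struct utmp as laid out by glibc on x86-64 (assumed; 384 bytes per record):
#   short ut_type; pad; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8

def make_utmp_record(ut_type, pid, line, user):
    """Build one raw utmp record (used here only to construct sample input)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")

def utmp_ttys(blob):
    """Return the ttys (ut_line) of records that represent a live getty or login."""
    ttys = set()
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, blob, off)
        if rec[0] in (LOGIN_PROCESS, USER_PROCESS):
            ttys.add(rec[2].split(b"\0", 1)[0].decode())
    return ttys

def chkutmp(ps_text, utmp_blob):
    """Flag every process attached to a tty that utmp does not know about.
    ps_text is assumed to be `ps -eo ruser,pid,tty,args` output, header included."""
    known = utmp_ttys(utmp_blob)
    hits = []
    for line in ps_text.splitlines()[1:]:
        ruid, pid, tty, cmd = line.split(None, 3)
        if tty != "?" and tty not in known:  # '?' means no controlling tty
            hits.append((ruid, pid, tty, cmd))
    return hits

# Constructed sample: utmp holds alice's SSH session on pts/0 and a stale
# DEAD_PROCESS entry for tty1, but nothing for tty0 where mingetty is waiting.
SAMPLE_UTMP = (make_utmp_record(USER_PROCESS, 3011, "pts/0", "alice")
               + make_utmp_record(DEAD_PROCESS, 2800, "tty1", ""))
SAMPLE_PS = """RUID          PID TTY    CMD
root         2908 tty0   /sbin/mingetty tty0
alice        3011 pts/0  -bash
root         3020 ?      /usr/sbin/sshd
"""

if __name__ == "__main__":
    for ruid, pid, tty, cmd in chkutmp(SAMPLE_PS, SAMPLE_UTMP):
        print(f"! {ruid:<12} {pid:>5} {tty:<6} {cmd}")
```

Only the mingetty on tty0 is reported, exactly as in the warning above; adding a LOGIN_PROCESS record for tty0 to the blob makes the report empty, which is why a stale or missing utmp entry, not an intruder, is enough to trigger it.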
