# chkrootkit wted z2
ROOTDIR is `/'
Checking `wted'... WARNING
WARNING: output from chkwtmp:
unable to open wtmp-file wtmp
Checking `z2'... WARNING
WARNING: output from chklastlog:
unable to open wtmp-file /wtmp
#
# cat /var/log/chkrootkit/log.today
....
....
Searching for Ambient (ark) rootkit... not found
Searching for suspicious files and dirs... WARNING
WARNING: The following suspicious files and directories were found:
/usr/lib/libreoffice/share/.registry
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
/usr/lib/debug/.dwz
Searching for LPD Worm... not found
....
....
#
I have the following queries
1) What is wtmp-file /wtmp? Is this warning something serious? Is this applicable for Linux or only for Solaris? How to fix it?
2) There are 3 suspicious files present. What are these files for? Can these files be deleted? Or should they be ignored?
My system is MX Linux 23.3, running kernel 6.1.0-25-amd64
With all help requests, as per forum rules (which, if you haven't, please read), please share your full Quick System Info, do not edit.
If need be, you can do this with the LiveUSB, thanks.
MX-23.6_x64 July 31 2023 * 6.1.0-37amd64 ext4 Xfce 4.20.0 * 8-core AMD Ryzen 7 2700
Asus TUF B450-Plus Gaming UEFI * Asus GTX 1050 Ti Nvidia 535.247.01 * 2x16Gb DDR4 2666 Kingston HyperX Predator
Samsung 870EVO * Samsung S24D330 & P2250 * HP Envy 5030
When a person is capable of successfully running a chkrootkit, then surely that same person can also get a response through google within 2 seconds on such a question as this. https://askubuntu.com/questions/325491/ ... btmp-files
None of them are any cause for concern, and really, a chkrootkit is more of a tool type used by server administrators who have already obtained a full inventory of their systems through using other tools to get a baseline of what is normal and expected of the system prior to exposing it to a DMZ, like the open internet where it will be hammered 24/7. Such an admin might do a security check and validation as part of their ongoing maintenance and care of the machine, checking it against both the baseline and any successive baseline versions since the machine became active.
The wtmp file's absence, as indicated by the snippet you wrapped in quotes above, simply means it is not running, simple as that, and I wouldn't expect it to be on a Desktop type system.
The first 2 "suspicious files" belong to LibreOffice and Java, the third is a directory that contains debugging information, it is not a file. Check these against what a clean Live-USB produces if you have any concerns, but otherwise, I wouldn't be concerning myself over them if you did not start by obtaining a baseline before you put your computer to use.
I hope you are beginning to understand what I am trying to say here. It's not impossible to get targeted and have something planted on your machine, but most highly unlikely for a Desktop type build.
Mike P
Regd Linux User #472293 (Daily) Lenovo T560, i7-6600U, 16GB, 2.0TB SSD, MX_ahs (ManCave) AMD Ryzen 5 5600G, 32G, 8TB mixed, MX_ahs (Spare) 2017 Macbook Air 7,2, 8GB, 256GB SSD, MX_ahs
m_pav wrote: Mon Sep 23, 2024 4:07 am
When a person is capable of successfully running a chkrootkit, then surely that same person can also get a response through google within 2 seconds on such a question as this. https://askubuntu.com/questions/325491/ ... btmp-files
Thanks a lot for the link. It helped.
I did a search prior to posting. I looked up the website of chkrootkit and also the website of CERT Brazil. I did not know that CERT Brazil is one of the places where work on chkrootkit is done. Since I did not find anything over there in the documentation and was not able to locate any mailing list which I could search, I posted the question over here.
m_pav wrote: Mon Sep 23, 2024 4:07 am
None of them are any cause for concern, and really, a chkrootkit is more of a tool type used by server administrators who have already obtained a full inventory of their systems through using other tools to get a baseline of what is normal and expected of the system prior to exposing it to a DMZ, like the open internet where it will be hammered 24/7.
...
...
The wtmp file's absence, as indicated by the snippet you wrapped in quotes above, simply means it is not running, simple as that, and I wouldn't expect it to be on a Desktop type system.
Thanks for the confirmation about the lack of wtmp.
m_pav wrote: Mon Sep 23, 2024 4:07 am
The first 2 "suspicious files" belong to LibreOffice and Java, the third is a directory that contains debugging information, it is not a file. Check these against what a clean Live-USB produces if you have any concerns, but otherwise, I wouldn't be concerning myself over them if you did not start by obtaining a baseline before you put your computer to use.
I did not obtain a baseline before I put my computer to use. I will use the existing baseline that I have going forward. I will have to create a LiveUSB to check this out.
Out of curiosity, what would you recommend for creating a baseline?
m_pav wrote: Mon Sep 23, 2024 4:07 am
I hope you are beginning to understand what I am trying to say here. It's not impossible to get targeted and have something planted on your machine, but most highly unlikely for a Desktop type build.
Yeah it is unlikely but not impossible. Better to have airbags and Fender Rail guard.
@LinuxSpring1 Your baseline would be the Live USB booted with the load-all cheat-code, and package matched to your existing installation, that is, if you have added any packages since you installed it to bare metal. You can do all this through a VirtualBox VM if you wish, you'll be getting much the same result, other than not using the same hardware, which is why I mentioned the cheat code load-all.
The following is very rudimentary and it relies solely on Open Source Software. For secure systems used for higher end targets, commercial applications are required such as endpoint Virus and intrusion protections, as well as being behind commercial firewalls and filter traps for unwanted content, we'll not be talking about that here.
Server Admins for smaller company servers will often build a machine, set it up with all the software and services they need and mimicking the server operating in and out of a DMZ, obtain at least 2 baselines. If the server is hosting email, they will likely use Clamav to scan all incoming and outgoing emails. (Desktop users can use freshclam, which provides a UI element, though most web facing servers will not be running a UI). From that baseline, they will determine any attack vectors they could tighten up and re-run to get a new baseline.
Clamav will list any potential issue it finds, most will be benign or not worth consideration, so these will be added to an exclusion list for future scans.
The same goes for rootkit checkers, so with these, you can build your baseline, which will essentially be an exclusion list. What you need to understand is these tools' first priority is to report, not to provide active prevention, therefore they need to be run on a schedule with each report being checked as they arrive.
The end result of these two tools is, you'll have 2 exclusion lists, or lists of items you can safely ignore with any future scans. This list can be used to capture the output of each scan and filter out the exclusions, or in some cases, the tools can be run with the exclusions list to avoid reporting them, however, there should be periodic scans done without the exclusions to check against the baseline to ensure you're not missing anything. When a new threat is found, these filters may need to be tuned to watch for it, so the baseline will need to be modified from time to time, even if you never add more software to the server.
So all in all, for a web-facing machine in a DMZ, you'd be getting at least a daily report, which can become a human failure whereby we are prone to becoming anesthetised to something we are seeing every day and slack off our vigor with the report checking.
In short, not really needed for Desktop type installations.
Mike P
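The baseline-as-exclusion-list workflow described in the post above, as an added example that is not from the thread or from chkrootkit itself: an accepted report becomes the baseline, later reports are filtered against it, and an unfiltered scan is diffed the other way to prune stale exclusions. The file names and the sample report are constructed; the report lines are modelled on the output quoted at the top of the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: treat an accepted chkrootkit report
# as the baseline (exclusion list) and diff later reports against it.
# File names and the sample report/baseline below are constructed.

# Pull the "findings" out of a chkrootkit log: test lines that ended in
# WARNING or INFECTED, plus any absolute paths it listed as suspicious.
extract_findings() {
    grep -E '(WARNING|INFECTED)$|^/' "$1" | sort -u
}

# Findings in the current log that the baseline does not cover.
# These are the lines a human should actually look at.
new_findings() {
    log=$1; baseline=$2
    if [ ! -s "$baseline" ]; then        # no baseline yet: everything is new
        extract_findings "$log"
    else
        extract_findings "$log" | grep -vxF -f "$baseline" || true
    fi
}

# Baseline entries the current log no longer reports. Run this against an
# unfiltered scan now and then so stale exclusions get pruned.
stale_exclusions() {
    log=$1; baseline=$2
    extract_findings "$log" > "${log}.findings"
    grep -vxF -f "${log}.findings" "$baseline" || true
    rm -f "${log}.findings"
}

# Write a constructed report and baseline into a temp dir; prints the dir.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/baseline.txt" <<'EOF'
Checking `wted'... WARNING
Checking `z2'... WARNING
Searching for suspicious files and dirs... WARNING
/usr/lib/libreoffice/share/.registry
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
/usr/lib/debug/.dwz
EOF
    cat > "$d/log.today" <<'EOF'
Checking `wted'... WARNING
Checking `z2'... WARNING
Searching for suspicious files and dirs... WARNING
WARNING: The following suspicious files and directories were found:
/usr/lib/libreoffice/share/.registry
/usr/lib/debug/.dwz
/tmp/.constructed-example
Searching for LPD Worm... not found
EOF
    echo "$d"
}
```

Run `new_findings /var/log/chkrootkit/log.today baseline.txt` from a daily job and mail only its output; an empty result means nothing outside the accepted baseline was reported.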