Linode Community Forums
Posted: Wed Sep 19, 2007 2:42 pm
Offline
Newbie

Joined: Thu Aug 30, 2007 10:02 am
Posts: 4
I've gotten the following warning from chkrootkit - is it anything to worry about?
(I'm running fedora core 6)
Code:
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         2908 tty0   /sbin/mingetty tty0
chkutmp: nothing deleted

I'm currently logged in as a non-root user via SSH, and there shouldn't be any other logins. (I'm running chkrootkit via `sudo`)

The reason I used chkrootkit is because I noticed hits in my server logs for a url which isn't linked from anywhere at all.
Is another linode user sniffing the local network traffic?
The offending source IP was 83.195.58.159


Posted: Wed Sep 19, 2007 2:52 pm
Offline
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
$ whois -h whois.ripe.net 83.195.58.159
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '83.195.58.0 - 83.195.58.255'

inetnum: 83.195.58.0 - 83.195.58.255
netname: IP2000-ADSL-BAS
descr: BSNAN152 Nantes Bloc 1
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: postmaster@wanadoo.fr AND abuse@wanadoo.fr
mnt-by: FT-BRX
source: RIPE # Filtered

role: Wanadoo France Technical Role
address: FRANCE TELECOM/SCR
address: 48 rue Camille Desmoulins
address: 92791 ISSY LES MOULINEAUX CEDEX 9
address: FR
phone: +33 1 58 88 50 00
e-mail: abuse@wanadoo.fr
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
nic-hdl: WITR1-RIPE
mnt-by: FT-BRX
source: RIPE # Filtered

% Information related to '83.192.0.0/13AS3215'

route: 83.192.0.0/13
descr: France Telecom
origin: AS3215
mnt-by: RAIN-TRANSPAC
source: RIPE # Filtered


Posted: Wed Sep 19, 2007 2:55 pm
Offline
Junior Member

Joined: Sat Apr 30, 2005 3:38 am
Posts: 23
fireartist wrote:
I've gotten the following warning from chkrootkit - is it anything to worry about?
(I'm running fedora core 6)
Code:
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         2908 tty0   /sbin/mingetty tty0
chkutmp: nothing deleted


I can't really tell from just that. But, tty0 is the lish console.

fireartist wrote:
I'm currently logged in as a non-root user via SSH, and there shouldn't be any other logins. (I'm running chkrootkit via `sudo`)

The reason I used chkrootkit is because I noticed hits in my server logs for a url which isn't linked from anywhere at all.


You can't possibly know that. But I won't dredge onward on that.

fireartist wrote:
Is another linode user sniffing the local network traffic?
The offending source IP was 83.195.58.159


One linode cannot sniff another linode's traffic, this is blocked by caker's ether-bridge firewalling. Where did you get 83.195.58.159 from?


Posted: Wed Sep 19, 2007 4:18 pm
Offline
Newbie

Joined: Thu Aug 30, 2007 10:02 am
Posts: 4
warewolf wrote:
I can't really tell from just that. But, tty0 is the lish console.


That's reassuring, thanks.

Quote:
You can't possibly know that. But I won't dredge onward on that.


I had thought it impossible because the linode's fairly new and doesn't even have a domain pointing to it yet, but I've just googled my IP address and found that in a mail I'd sent to a list last week I'd accidentally left the url in some server output.
My bad!

Thanks for your help


Posted: Mon Sep 24, 2007 2:39 pm
Offline
Senior Member

Joined: Sun Nov 30, 2003 2:28 pm
Posts: 245
It looks like the original user process on that tty exited without cleaning out the utmp entry. Probably an accident, rather than a hack.

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net
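The chkutmp test discussed in this thread compares the terminals that running processes are attached to against the sessions recorded in /var/run/utmp, and flags any process whose tty has no matching utmp line. The script below is an added illustration of that comparison, written for this page and not taken from chkrootkit or from any poster. It assumes the glibc x86_64 utmp record layout (384 bytes, fields in the order of bits/utmp.h) and treats USER_PROCESS and LOGIN_PROCESS records as live sessions; the sample utmp records and process list are constructed inline so it runs offline, and they mirror the thread's case of a mingetty on tty0 with no utmp entry. The function names (parse_utmp, check_utmp, demo) and the sample values are this example's own.

```python
import os
import struct
from collections import namedtuple

# Assumed layout: glibc struct utmp on x86_64, little-endian, 384 bytes.
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(hh) ut_session(i) ut_tv(ii) ut_addr_v6[4](4i) __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
LOGIN_PROCESS = 6   # getty waiting for a login
USER_PROCESS = 7    # a logged-in user session
DEAD_PROCESS = 8    # session that has ended

UtmpEntry = namedtuple("UtmpEntry", "type pid line id user host")
Proc = namedtuple("Proc", "ruid pid tty cmd")


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(data):
    """Unpack every whole 384-byte record in a utmp byte string."""
    entries = []
    usable = len(data) - len(data) % UTMP_SIZE   # ignore a trailing partial record
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        entries.append(UtmpEntry(f[0], f[1], _cstr(f[2]), _cstr(f[3]),
                                 _cstr(f[4]), _cstr(f[5])))
    return entries


def make_utmp_record(ut_type, pid, line, ut_id, user, host=""):
    """Pack one record; used here only to build the constructed sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(),
                       0, 0,        # ut_exit.e_termination, e_exit
                       0,           # ut_session
                       0, 0,        # ut_tv.tv_sec, tv_usec
                       0, 0, 0, 0)  # ut_addr_v6


def check_utmp(procs, entries):
    """chkutmp-style check: return processes attached to a tty that no
    live utmp session (USER_PROCESS or LOGIN_PROCESS) records."""
    live_lines = {e.line for e in entries
                  if e.type in (USER_PROCESS, LOGIN_PROCESS) and e.line}
    return [p for p in procs if p.tty not in live_lines]


# Constructed sample utmp: one SSH session on pts/0 and a getty on tty1.
# No record exists for tty0, which is the situation in the thread.
SAMPLE_UTMP = b"".join([
    make_utmp_record(USER_PROCESS, 4100, "pts/0", "ts/0", "alice", "10.0.0.5"),
    make_utmp_record(LOGIN_PROCESS, 3000, "tty1", "1", "LOGIN"),
    make_utmp_record(DEAD_PROCESS, 2500, "tty2", "2", ""),
])

# Constructed process list in the shape of chkutmp's "RUID PID TTY CMD" output.
SAMPLE_PROCS = [
    Proc("alice", 4120, "pts/0", "-bash"),
    Proc("root", 2908, "tty0", "/sbin/mingetty tty0"),
    Proc("root", 3000, "tty1", "/sbin/mingetty tty1"),
    Proc("root", 2600, "tty2", "/sbin/mingetty tty2"),
]


def demo():
    """Run the check over the constructed sample and return flagged processes."""
    return check_utmp(SAMPLE_PROCS, parse_utmp(SAMPLE_UTMP))


if __name__ == "__main__":
    for p in demo():
        print(f"! {p.ruid:<8} {p.pid:>6} {p.tty:<6} {p.cmd}")
    # On a live Linux host with the assumed layout, the real file can be
    # parsed the same way (read-only; needs permission to open it).
    if os.path.exists("/var/run/utmp"):
        with open("/var/run/utmp", "rb") as fh:
            for e in parse_utmp(fh.read()):
                if e.type == USER_PROCESS:
                    print(f"utmp: {e.user} on {e.line} from {e.host or '-'}")
```

Running demo() flags the tty0 mingetty (no utmp record) and the tty2 mingetty (only a DEAD_PROCESS record), while pts/0 and tty1 pass; that is the same class of finding the original post shows, and the stale-or-missing entry explanation given above is what a reader should consider first before treating it as a compromise.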

