[ SOLVED ] z2 and message in chkrootkit

[ian_r_h]

Thanks, TC.

[trinidad]

I believe z2 refers to a backgrounded process error message, 2 being the error status and z referring to its being a backgrounded process.

Here you go:

http://write.flossmanuals.net/command-line/processes/

TC

[ian_r_h]

Hi, all,

I've installed chkrootkit on one of my units; but some time after the initial build rather than straightaway as I would have liked to have done (in order to establish a baseline for a fresh build).

I've got one line which I don't understand, and which I've drawn a blank when Googling and am hoping someone might be able to give me some pointers:

Checking `z2'...                                            user ian deleted or never logged from lastlog!

Does anyone know to what "z2" is referring?
I'm unfamiliar with the lastlog command also, being new to the terminal, etc.

I don't think it's necessarily related, but I also get a strange entry under

Checking `chkutmp'...                                        The tty of the following user process(es) were not found
 in /var/run/utmp !

Which looks like some form of bug(?) in chkrootkit, when connected to the Internet (and in this case running firefox  which returns 57.0.1 64-bit in firejail):

! RUID          PID TTY    CMD
! �⅙⅚?⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire       0 ‧ ? ‹›⁁⁄⁒ ⅓�⅙⅚?⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire �⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire
! �⅙⅚?⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire       0 ‧ ? ‹›⁁⁄⁒ ⅓�⅙⅚?⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire �⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire
! �⅙⅚?⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire       0 ‧ ? ‹›⁁⁄⁒ ⅓�⅙⅚?⅜⅝⅞⅟∕∶⎮╱⧶⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire �⧸⫻⫽⿰⿱⿲⿳⿴⿵⿶⿷⿸⿹⿺⿻　。〔〕〳゠ㅤ㈝㈞㎮㎯㏆㏟꞉︔︕︿﹝﹞?．／｡ﾠ �|159:4;high| -schedulerPrefs 0001,2 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/fire

before more expected entries which generally seem to refer to running chkrootkit as sudo:

! ian         31063 pts/4  /bin/bash
! root        31070 pts/4  /bin/sh /usr/sbin/chkrootkit
! root        31726 pts/4  ./chkutmp
! root        31728 pts/4  ps axk tty,ruser,args -o tty,pid,ruser,args
! root        31727 pts/4  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root        31069 pts/4  sudo chkrootkit
chkutmp: nothing deleted

Thanks all,
Ian