
[cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?



I'm seeing this in my logcheck report, almost daily at about the same time

syslogd 1.3-3: restart seems to happen about the time the logs rotate
(4:05-4:09)

Started about a month ago... which may coincide with about the time I
installed the vixie-cron Update 4.0.1 it also probably coincides with about
the time I installed logcheck... 

Sound familiar or... is it an indication that someone is restarting that
service to cover tracks?

I logged on and watched netstat reports continuously during the last time
period and all I noticed was an unusual smtp connection from an ip in the
Asian Pacific registry... Is it possible someone has cracked the box and is
running a cron job mailing at that nice ripe hour and then restarting
syslogd to cover tracks.. or would this cover tracks??

also... is the directory usr/man/man8 normal? there's a batch of man dirs
in there.. 

I've got all the updates installed, running portsentry and logcheck but the
box was unprotected for about a month prior to installation of
portsentry/logcheck (had updates)

TIA
Wayne Sagar
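
The timing question raised in the message above (do the `syslogd 1.3-3: restart` entries all fall inside the 4:05-4:09 log-rotation window?) can be checked mechanically. The following is an added example, not part of the original post: the hostname, dates and log lines are constructed, and the window boundaries are an assumption taken from the times quoted in the message.

```python
import re
from datetime import time

# Assumed rotation window, taken from the times quoted in the message (04:05-04:09).
WINDOW = (time(4, 5), time(4, 9, 59))

# Classic syslog line layout: "Mon DD HH:MM:SS host tag: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<host>\S+)\s+"
    r"syslogd\s+(?P<ver>\S+):\s+restart"
)

def classify_restarts(lines, window=WINDOW):
    """Split syslogd restart entries into those inside and outside the window.

    Returns (expected, unexpected); each item is a (date, time) string pair.
    """
    expected, unexpected = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslogd restart entry
        t = time(int(m["h"]), int(m["m"]), int(m["s"]))
        stamp = (f'{m["mon"]} {int(m["day"]):2d}', t.strftime("%H:%M:%S"))
        bucket = expected if window[0] <= t <= window[1] else unexpected
        bucket.append(stamp)
    return expected, unexpected

# Constructed sample lines (hostname "raq3" and all dates are invented).
SAMPLE = """\
Mar  3 04:05:12 raq3 syslogd 1.3-3: restart.
Mar  3 09:14:02 raq3 crond[1201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 04:07:41 raq3 syslogd 1.3-3: restart.
Mar  5 02:31:09 raq3 syslogd 1.3-3: restart.
Mar  5 04:06:03 raq3 syslogd 1.3-3: restart.
""".splitlines()

if __name__ == "__main__":
    ok, odd = classify_restarts(SAMPLE)
    print(f"{len(ok)} restart(s) inside the rotation window")
    for day, t in odd:
        print(f"restart outside window: {day} {t}")
```

Restarts that land outside the window are the ones worth comparing against the cron schedule and the surrounding log entries.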