[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?
- Subject: [cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?
- From: Wayne Sagar <wsagar@xxxxxxxx>
- Date: Wed, 25 Apr 2001 05:25:14 -0700
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I'm seeing this in my logcheck report, almost daliy at about the same time
syslogd 1.3-3: restart seems to happen about the time the logs rotate
(4:05-4:09)
Started about a month ago... which may coincide with about the time I
installed the vixie-cron Update 4.0.1 it also probably coincides with about
the time I installed logcheck...
Sound familiar or... is it an indication that someone is restarting that
service to cover tracks?
I logged on and watched netstat reports continously during the last time
period and all I noticed was an unusual smtp connection from an ip in the
asian pacific registry... Is it possible someone has cracked the box and is
running a cron job mailing at that nice ripe hour and then restarting
syslogd to cover tracks.. or would this cover tracks??
also... is the directory usr/man/man8 normal? there's a batch of man dir's
in there..
I've got all the updates installed, running portsentry and logcheck but the
box was unprotected for about a month prior to installation of
portsenty/logcheck (had updates)
TIA
Wayne Sagar