Re: [cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?

[Charlie Clemmer <cclemmer@xxxxxxxxxxxxxxxxxx>]

Wayne,

You're fine....if you're seeing Syslog restart around the same time your 
logs rotate, this is normal.

Syslog seems to freak out if the log file it's writing to changes. More 
specifically, the inode pointer changes with the way log rotate works. So, 
in order for the log rotate function to work, Syslog will get restarted.

I see the same thing here on my test system which is not connected to any 
externally accessible network.

Charlie

At 05:25 AM 4/25/01 -0700, Wayne Sagar wrote:
> I'm seeing this in my logcheck report, almost daliy at about the same time
>
> syslogd 1.3-3: restart seems to happen about the time the logs rotate
> (4:05-4:09)
>
> Started about a month ago... which may coincide with about the time I
> installed the vixie-cron Update 4.0.1 it also probably coincides with about
> the time I installed logcheck...
>
> Sound familiar or... is it an indication that someone is restarting that
> service to cover tracks?
>
> I logged on and watched netstat reports continously during the last time
> period and all I noticed was an unusual smtp connection from an ip in the
> asian pacific registry... Is it possible someone has cracked the box and is
> running a cron job mailing at that nice ripe hour and then restarting
> syslogd to cover tracks.. or would this cover tracks??
>
> also... is the directory usr/man/man8 normal? there's a batch of man dir's
> in there..
>
> I've got all the updates installed, running portsentry and logcheck but the
> box was unprotected for about a month prior to installation of
> portsenty/logcheck (had updates)
>
> TIA
> Wayne Sagar
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security