Re: [[cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?]
- Subject: Re: [[cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?]
- From: Elf <snowy_elf@xxxxxxx>
- Date: 25 Apr 2001 21:06:48 MDT
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
It is abnormal to have the syslogd restart daily, unless your logs rotate on a
daily basis. How big are your log files? It's possible that they are too big.
If not, then it is odd; I had the syslogd restart once within the first 2
weeks of operation and thought my machine was compromised, though we are
behind a firewall. There is software to check if you have been compromised, like
tripwire, though I would like to know some more; maybe Snort is a good product
to check into this?
Wayne Sagar <wsagar@xxxxxxxx> wrote:
I'm seeing this in my logcheck report, almost daily at about the same time:
syslogd 1.3-3: restart seems to happen about the time the logs rotate
(4:05-4:09)
Started about a month ago... which may coincide with about the time I
installed the vixie-cron Update 4.0.1 it also probably coincides with about
the time I installed logcheck...
Sound familiar or... is it an indication that someone is restarting that
service to cover tracks?
I logged on and watched netstat reports continuously during the last time
period and all I noticed was an unusual smtp connection from an ip in the
asian pacific registry... Is it possible someone has cracked the box and is
running a cron job mailing at that nice ripe hour and then restarting
syslogd to cover tracks.. or would this cover tracks??
Also... is the directory usr/man/man8 normal? There's a batch of man dirs
in there..
I've got all the updates installed, running portsentry and logcheck, but the
box was unprotected for about a month prior to installation of
portsentry/logcheck (had updates).
TIA
Wayne Sagar
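The thread's practical question is whether a "syslogd 1.3-3: restart" line is the expected side effect of log rotation or something worth investigating. The script below is an added example, not code from either poster or from Cobalt: it parses syslog-format lines, keeps the syslogd restart events, and flags any restart that falls outside an assumed daily rotation window (04:00 to 04:15, chosen to bracket the 4:05-4:09 times Wayne reports) or that occurs more than once in a day. The log lines, the hostname "raq3" and the window bounds are all constructed for the example.

```python
import re
from datetime import time

# Constructed sample syslog lines (not taken from the original messages).
SAMPLE_LOG = """\
Apr 24 04:07:12 raq3 syslogd 1.3-3: restart.
Apr 24 04:07:13 raq3 logrotate: rotated /var/log/messages
Apr 25 04:06:40 raq3 syslogd 1.3-3: restart.
Apr 25 23:41:02 raq3 sendmail[2210]: connection from 203.0.113.7
Apr 26 13:22:05 raq3 syslogd 1.3-3: restart.
Apr 26 13:25:48 raq3 syslogd 1.3-3: restart.
"""

# Assumed daily rotation window (cron.daily on the box is assumed to run
# shortly after 04:00); adjust to your own crontab before relying on it.
ROTATE_START = time(4, 0)
ROTATE_END = time(4, 15)

# Matches the classic "Mon DD HH:MM:SS host syslogd <version>: restart." line.
RESTART_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"\S+ syslogd [\d.\-]+: restart\.?$"
)


def parse_restarts(log_text):
    """Return a list of (date_label, time) for every syslogd restart line."""
    found = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            label = f"{m['mon']} {int(m['day']):02d}"
            stamp = time(int(m['hh']), int(m['mm']), int(m['ss']))
            found.append((label, stamp))
    return found


def classify_restarts(log_text, start=ROTATE_START, end=ROTATE_END):
    """Split restarts into 'expected' (inside the rotation window, one per day)
    and 'unexpected' (outside the window or repeated within a day).

    Returns {"expected": [stamp, ...], "unexpected": [(stamp, reason), ...]}.
    """
    restarts = parse_restarts(log_text)
    per_day = {}
    for label, _ in restarts:
        per_day[label] = per_day.get(label, 0) + 1

    result = {"expected": [], "unexpected": []}
    for label, t in restarts:
        stamp = f"{label} {t.strftime('%H:%M:%S')}"
        reasons = []
        if not (start <= t <= end):
            reasons.append("outside rotation window")
        if per_day[label] > 1:
            reasons.append("multiple restarts on the same day")
        if reasons:
            result["unexpected"].append((stamp, "; ".join(reasons)))
        else:
            result["expected"].append(stamp)
    return result


if __name__ == "__main__":
    report = classify_restarts(SAMPLE_LOG)
    for stamp in report["expected"]:
        print(f"ok        {stamp}  (matches log rotation)")
    for stamp, why in report["unexpected"]:
        print(f"INVESTIGATE {stamp}  ({why})")
```

A restart inside the window is consistent with logrotate sending syslogd a HUP after rotating /var/log/messages; a restart at an odd hour, or two in one day, is the case where checking the cron tables, the process list and a file-integrity baseline such as tripwire is worthwhile. Feed the script your own /var/log/messages contents (for example by reading the file into a string and passing it to classify_restarts) rather than the constructed sample.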
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security