Re: [[cobalt-security] RaQ3 syslogd 1.3-3: restart Normal?]

[Elf <snowy_elf@xxxxxxx>]

It is abnormal to have the syslogd restart daily; unless your logs rotate on a
daily basis. How big are your log files; its possible that they are too big. 
If not, then it is odd; I had the syslogd restart once within the first 2
weeks of operation and thought my machine was compromised, though we are
behind a firewall. There are sw to check if you have been compromised, like
tripwire, though I would like to know some more; mabye Snort is a good product
to check into this ?


Wayne Sagar <wsagar@xxxxxxxx> wrote:
I'm seeing this in my logcheck report, almost daliy at about the same time

syslogd 1.3-3: restart seems to happen about the time the logs rotate
(4:05-4:09)

Started about a month ago... which may coincide with about the time I
installed the vixie-cron Update 4.0.1 it also probably coincides with about
the time I installed logcheck... 

Sound familiar or... is it an indication that someone is restarting that
service to cover tracks?

I logged on and watched netstat reports continously during the last time
period and all I noticed was an unusual smtp connection from an ip in the
asian pacific registry... Is it possible someone has cracked the box and is
running a cron job mailing at that nice ripe hour and then restarting
syslogd to cover tracks.. or would this cover tracks??

also... is the directory usr/man/man8 normal? there's a batch of man dir's
in there.. 

I've got all the updates installed, running portsentry and logcheck but the
box was unprotected for about a month prior to installation of
portsenty/logcheck (had updates)

TIA
Wayne Sagar
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1