Re: [cobalt-security] Have I been hacked?
- Subject: Re: [cobalt-security] Have I been hacked?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Mon, 7 Jan 2002 19:39:55 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Simon,
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.
Ok, that's a good start. This most likely means that system binaries like
/bin/login, netstat, ifconfig, ps and such have not been modified and there's
no rootkit installed and no hidden processes.
> I ran a netstat on the machine, nothing unusual. I can't run a portscan
> from outside because I only have a Windows machine to connect from and I
> don't know how to do that...yet (I'll try to find something)
You can fire up Google.com and search for "Portscanner for Windows", which
should return quite a few examples.
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 5 04:04:14 ns1 syslogd 1.3-3: restart.
> Jan 5 04:05:03 ns1 syslogd 1.3-3: restart.
> Jan 5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets
Ok, "syslogd 1.3-3: restart." means just a restart of the logging facility
and not of the entire server.
Well, I just restarted the syslogd manually and then had the following entries
in my /var/log/messages:
Jan 7 19:27:50 playground exiting on signal 15
Jan 7 19:27:50 playground syslogd 1.3-3: restart
So the message "syslogd 1.3-3: restart" definitely appears only once when you
issue a restart of it. However, the daily logrotate (splitting and zipping up
the logs) shuts down the syslog facility while it runs, so you'll see it shut
down daily and even a few times in a row at or around 4am. That's nothing to
worry about.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
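
Added example, not part of the original message: a small triage script for the pattern discussed above. It lists every syslogd restart in /var/log/messages-style text, marks those inside the nightly logrotate window as expected, and notes whether the restart directly follows an "exiting on signal 15" line. The 04:00-04:30 window, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import time

# Constructed sample in the /var/log/messages format quoted in the message.
SAMPLE = """\
Jan  5 04:04:14 ns1 syslogd 1.3-3: restart.
Jan  5 04:05:03 ns1 syslogd 1.3-3: restart.
Jan  5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets
Jan  6 13:22:10 ns1 exiting on signal 15
Jan  6 13:22:10 ns1 syslogd 1.3-3: restart
"""

# Assumption: the daily logrotate cron job on this host runs in this window.
WINDOW = (time(4, 0), time(4, 30))

LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
RESTART = re.compile(r"^syslogd \S+: restart\.?$")


def classify_restarts(text, window=WINDOW):
    """Return (timestamp, host, verdict, after_sigterm) for each syslogd restart."""
    results = []
    prev = None  # (timestamp, host, message) of the previous parsed line
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            prev = None
            continue
        mon, day, hh, mm, ss, host, msg = m.groups()
        stamp = f"{mon} {int(day)} {hh}:{mm}:{ss}"
        if RESTART.match(msg):
            t = time(int(hh), int(mm), int(ss))
            verdict = "expected" if window[0] <= t <= window[1] else "review"
            # True when the same host logged a SIGTERM exit in the same second.
            after_sigterm = prev == (stamp, host, "exiting on signal 15")
            results.append((stamp, host, verdict, after_sigterm))
        prev = (stamp, host, msg)
    return results


if __name__ == "__main__":
    for row in classify_restarts(SAMPLE):
        print(row)
```

A "review" verdict only means the restart fell outside the assumed window, as a manual restart would; it is a prompt to check who restarted syslogd, not a finding on its own.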