[techtalk] cracked?

srl slandrum at turing.csc.smith.edu
Wed Jan 12 16:28:21 EST 2000


Okay, I feel like a dumbass asking this one in public, but here goes.

I've got a RH6.1 box at home connected to a MediaOne cable modem. It's not
on all the time. I've been working on it when I can, trying to make it a
masquerading firewall for my network. I haven't gotten to patching it yet
(the updates posted on RH's website), but it hasn't been on that much. 
I've shut off pretty much every service it has.

I have the packet filtering set up, enough that I can see people poking at
it -- lots of spoofed packets from 5.0.0.4, port 65536, being denied by
my system. Whee, I thought, my firewall works. ('course, it's not
connected to anything yet, but that's another story....)

So I left it on for a few hours last weekend, left the house and came
back. When I came back, the window I had running tail -f /var/log/messages
registered some of the usual poking (as above), at system time 4:01:05.

A bit later, while doing something else entirely, I noticed that the logs
had cycled; the old /var/log/messages was now /var/log/messages.1, and
there were 6 or so "syslogd restarted" messages from around 4:01:20. I
didn't restart syslogd, and if I had it wouldn't have been 6 times.
There are no packet-denied records in the log after that.

I looked in the cron files to see whether the logs are supposed to be
cycling, and they're not, at least as far as i can tell. (and even if they
were set up to cycle, that wouldn't necessitate restarting syslogd, would
it?)

Does this necessarily mean my system's been compromised? If so, is
there any way I can tell? 

srl


************
techtalk at linuxchix.org   http://www.linuxchix.org
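An added triage script, not from the original post or from the list, for the question above. On Red Hat 6.x, logrotate (run from /etc/cron.daily) rotates /var/log/messages and sends syslogd a HUP from the postrotate hook in /etc/logrotate.d/syslog; that HUP is what writes a "syslogd 1.3-3: restart." line, so one restart per rotation is expected. What is not expected is a tight burst of restarts after which the packet filter logs nothing more. The script separates those two cases on a plain syslog-format file. The log lines are constructed for this example (RFC 5737 addresses, ipchains-style "Packet log: ... DENY" entries), the hostname fw and the thresholds are arbitrary, and the logrotate hook is only listed if the file exists on the machine running it.

```shell
#!/bin/sh
# Triage for "syslogd restarted several times, then the firewall went quiet".
# Added example; the sample log below is constructed, not a real machine's log.

LOG=$(mktemp) || exit 1
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan  7 04:02:01 fw syslogd 1.3-3: restart.
Jan  7 09:14:33 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:65535 198.51.100.2:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Jan  8 04:01:05 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:65535 198.51.100.2:111 L=60 S=0x00 I=0 F=0x4000 T=64 SYN
Jan  8 04:01:20 fw syslogd 1.3-3: restart.
Jan  8 04:01:21 fw syslogd 1.3-3: restart.
Jan  8 04:01:22 fw syslogd 1.3-3: restart.
Jan  8 04:01:24 fw syslogd 1.3-3: restart.
Jan  8 04:01:27 fw syslogd 1.3-3: restart.
Jan  8 04:01:33 fw syslogd 1.3-3: restart.
EOF

# Number of syslogd restart entries in the file.
count_restarts() {
    grep -c 'syslogd .*restart' "$1"
}

# "yes" if at least $3 restarts fall inside any $2-second window on one
# calendar day. One restart per rotation is what a logrotate HUP looks like;
# a burst within seconds is not.
restart_burst() {
    awk -v w="$2" -v m="$3" '
    /syslogd .*restart/ {
        split($3, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]   # seconds into the day
        day = $1 " " $2
        if (day != curday) { curday = day; n = 0 }          # new day: empty the window
        q[n++] = s
        while (n > 0 && s - q[0] > w) {                     # drop entries older than the window
            for (i = 1; i < n; i++) q[i-1] = q[i]
            n--
        }
        if (n >= m) hit = 1
    }
    END { print (hit ? "yes" : "no") }' "$1"
}

# "yes" if the packet filter logged anything after the last restart.
# "no" means logging went quiet, which is the part worth worrying about.
deny_logged_after_last_restart() {
    awk '
    /syslogd .*restart/  { last_restart = NR }
    /Packet log:.*DENY/  { last_deny = NR }
    END { print (last_deny > last_restart ? "yes" : "no") }' "$1"
}

# Where legitimate restarts come from on RH 6.x: the postrotate hook.
# Prints the hook lines if the config exists; silent otherwise.
show_rotate_hooks() {
    [ -r /etc/logrotate.d/syslog ] && grep -n -A2 postrotate /etc/logrotate.d/syslog
    return 0
}

echo "restarts:               $(count_restarts "$LOG")"
echo "burst (>=3 in 60s):     $(restart_burst "$LOG" 60 3)"
echo "filter logged after it: $(deny_logged_after_last_restart "$LOG")"
show_rotate_hooks
```

Run it as-is to see the constructed sample; to check a live box, point the three functions at the real /var/log/messages and /var/log/messages.1, since after a rotation the burst may sit in the older file. The Jan 7 entry shows the benign pattern (one restart, filter logging continues); the Jan 8 entries show the pattern the post describes. The script only reads the log, so it cannot tell whether the log itself was edited; that is why "did the filter keep logging afterwards" is the more telling check, and why the packet-filter entries should be compared against the cron and logrotate configuration rather than taken alone.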
