[techtalk] cracked?

Cynthia Dale silly at redhat.com
Wed Jan 12 20:18:15 EST 2000

Most likely you didn't get hacked.  It looks like your logs rotated via
cron, as is SOP nowadays with Red Hat.  I am not sure why syslogd restarted
so many times or why it isn't logging as it did before, though.  I'd check
the following:
rpm -Va >rpmcheck and look at the rpmcheck file
/etc/passwd to see if anyone's been added
and things like that.

Also, make sure that you always install all of the security updates from

On Wed, 12 Jan 2000, srl wrote:

> Okay, i feel like a dumbass asking this one in public, but here goes.
> I've got a RH6.1 box at home connected to a MediaOne cable modem. It's not
> on all the time. I've been working on it when I can, trying to make it a
> masquerading firewall for my network. I haven't gotten to patching it yet
> (the updates posted on RH's website), but it hasn't been on that much. 
> I've shut off pretty much every service it has.
> I have the packet filtering set up, enough that I can see people poking at
> it---- lots of spoofed packets from, port 65536, being denied by
> my system. Whee, I thought, my firewall works. ('course, it's not
> connected to anything yet, but that's another story....)
> So i left it on for a few hours last weekend, left the house and came
> back. When I came back, the window i had running tail -f /var/log/messages
> registered some of the usual poking (as above), at system time 4:01:05. 
> A bit later, while doing something else entirely, i noticed that the logs
> had cycled; the old /var/log/messages was now /var/log/messages.1, and
> there were.. 6 or so "syslogd restarted" messages from around 4:01:20. I
> didn't restart syslogd, and if i had it wouldn't have been 6 times. 
> There are no packet-denied records in the log after that. 
> I looked in the cron files to see whether the logs are supposed to be
> cycling, and they're not, at least as far as i can tell. (and even if they
> were set up to cycle, that wouldn't necessitate restarting syslogd, would
> it?)
> Does this necessarily mean my system's been compromised? If so, is
> there any way I can tell? 
> srl
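The two checks suggested in the reply above (saving `rpm -Va` output and looking over /etc/passwd), worked through as an added example that is not part of the original thread. The helper names, the file layout and the sample data are constructed for illustration, not taken from srl's box.

```sh
#!/bin/sh
# Added example (not from the original thread): triage helpers for the
# `rpm -Va` and /etc/passwd checks. All sample data below is constructed.

# rpm -Va prints one line per file that fails verification, e.g.
#   S.5....T c /etc/syslog.conf
# Flags: S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group,
# T mtime; "." means the attribute still matches. A "c" before the path marks a
# config file, and "missing" lines mean the packaged file is gone.
# Config files drift legitimately, so they are reported separately; a changed
# digest (5) or mode (M) on a non-config file such as /bin/login needs explaining.
rpm_va_suspicious() {
    # $1: file holding saved `rpm -Va` output (the "rpmcheck" file)
    awk '
        $1 == "missing"      { print "MISSING " $NF; next }
        NF == 3 && $2 == "c" { if ($1 ~ /5/) print "CONFIG  " $NF; next }
        $1 ~ /5/ || $1 ~ /M/ { print "CHANGED " $1 " " $NF }
    ' "$1"
}

# Any account with UID 0 is root-equivalent whatever it is called, so a second
# UID-0 entry is the first thing to look for when checking whether "anyone's
# been added".
passwd_uid0_extras() {
    # $1: passwd file; prints every UID-0 account name other than root
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample inputs standing in for `rpm -Va >rpmcheck` and /etc/passwd.
RPMCHECK=$(mktemp)
PASSWD=$(mktemp)
trap 'rm -f "$RPMCHECK" "$PASSWD"' EXIT
cat >"$RPMCHECK" <<'EOF'
S.5....T c /etc/syslog.conf
..5....T   /bin/login
missing   /usr/sbin/tcpd
.......T   /usr/share/doc/foo/README
EOF
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
srl:x:500:500::/home/srl:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF

echo "== rpm -Va findings =="
rpm_va_suspicious "$RPMCHECK"
echo "== extra UID-0 accounts =="
passwd_uid0_extras "$PASSWD"
```

On the sample input the first helper reports the changed config (/etc/syslog.conf), the changed binary (/bin/login) and the missing file, and skips the harmless mtime-only line; the second reports `toor`. A changed /etc/syslog.conf is worth a close look in this particular thread, since it would also explain syslogd no longer logging as it did. As for the restarts themselves, Red Hat's logrotate configuration for syslog sends syslogd a HUP after rotating, and sysklogd logs that as a restart, so the cron-driven rotation and the "syslogd restarted" lines at the same minute fit the benign explanation in the reply; `/etc/logrotate.d/syslog` is the place to confirm it.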
