[techtalk] cracked?

Cynthia Dale silly at redhat.com
Wed Jan 12 20:18:15 EST 2000


Most likely you didn't get hacked.  It looks like your logs rotated via
cron, as is SOP nowadays with Red Hat.  I am not sure why syslogd restarted
so many times or why it isn't logging as it did before, though.  I'd check
the following:
rpm -Va >rpmcheck and look at the rpmcheck file
/etc/passwd to see if anyone's been added
and things like that.

Also, make sure that you always install all of the security updates from
www.redhat.com/errata
Cindy

On Wed, 12 Jan 2000, srl wrote:

> Okay, I feel like a dumbass asking this one in public, but here goes.
> 
> I've got a RH6.1 box at home connected to a MediaOne cable modem. It's not
> on all the time. I've been working on it when I can, trying to make it a
> masquerading firewall for my network. I haven't gotten to patching it yet
> (the updates posted on RH's website), but it hasn't been on that much. 
> I've shut off pretty much every service it has.
> 
> I have the packet filtering set up, enough that I can see people poking at
> it---- lots of spoofed packets from 5.0.0.4, port 65536, being denied by
> my system. Whee, I thought, my firewall works. ('course, it's not
> connected to anything yet, but that's another story....)
> 
> So i left it on for a few hours last weekend, left the house and came
> back. When I came back, the window I had running tail -f /var/log/messages
> registered some of the usual poking (as above), at system time 4:01:05. 
> 
> A bit later, while doing something else entirely, I noticed that the logs
> had cycled; the old /var/log/messages was now /var/log/messages.1, and
> there were 6 or so "syslogd restarted" messages from around 4:01:20. I
> didn't restart syslogd, and if I had it wouldn't have been 6 times. 
> There are no packet-denied records in the log after that. 
> 
> I looked in the cron files to see whether the logs are supposed to be
> cycling, and they're not, at least as far as i can tell. (and even if they
> were set up to cycle, that wouldn't necessitate restarting syslogd, would
> it?)
> 
> Does this necessarily mean my system's been compromised? If so, is
> there any way I can tell? 
> 
> srl
> 
> 
> ************
> techtalk at linuxchix.org   http://www.linuxchix.org
> 

Cynthia J. Dale
Technical Engineer/FAQ maintainer
Red Hat, Inc.

fnord.



************
techtalk at linuxchix.org   http://www.linuxchix.org
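The checks in Cindy's reply, as an added example that is not part of the original thread: a POSIX shell script whose functions read captured rpm -Va output, an /etc/passwd file and a logrotate stanza, so they can be run against copies taken off the box. All sample input at the bottom is constructed for this example; the logrotate stanza is modelled on the layout Red Hat uses for syslog but is not a copy of the real file. The last function bears on the original question: logrotate's postrotate script sends syslogd a HUP, syslogd logs a "restart" line on every HUP, and unless the stanza says sharedscripts the script runs once per file listed, so one nightly rotation can legitimately produce several "syslogd restarted" lines within a few seconds of each other.

```shell
#!/bin/sh
# Added example (not from the original thread): three triage checks that
# follow Cindy's advice. Each function reads stdin or a file named as its
# argument, so you can run it on captured output (rpm -Va > rpmcheck) or
# on the live files. Sample data at the bottom is constructed.

# rpm -Va prints one line per file that differs from the package database:
# eight attribute columns (S size, M mode, 5 MD5 sum, D device, L link,
# U user, G group, T mtime), an optional "c" marking a config file, then
# the path, or the word "missing" and the path. Config files are expected
# to differ; a changed MD5 or mode on anything else, or a missing file,
# is what to chase.
rpm_va_suspects() {
    awk '
        $1 == "missing" { print "missing " $2; next }
        $2 == "c"       { next }
        substr($1, 3, 1) == "5" || substr($1, 2, 1) == "M" { print $1 " " $2 }
    ' "$@"
}

# /etc/passwd: a second UID-0 account, or an account with an empty password
# field (no password at all, as opposed to "x" meaning "see /etc/shadow"),
# needs an explanation.
passwd_suspects() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid 0: " $1 }
        $2 == ""                { print "no password: " $1 }
    ' "$@"
}

# logrotate stanza for syslog: the files listed before "{" are rotated in
# turn, and the postrotate script (killall -HUP syslogd) runs once per file
# unless the stanza contains "sharedscripts". syslogd logs a restart line
# for every HUP, so this prints how many "syslogd restarted" lines one
# rotation should leave in /var/log/messages.
expected_syslogd_restarts() {
    awk '
        !inside         { for (i = 1; i <= NF; i++) if ($i ~ /^\//) n++ }
        index($0, "{")  { inside = 1 }
        index($0, "}")  { inside = 0 }
        /sharedscripts/ { shared = 1 }
        END { print (shared ? 1 : n + 0) }
    ' "$@"
}

# Constructed sample input; not real output from anyone's machine.
echo "== rpm -Va suspects =="
rpm_va_suspects <<'EOF'
S.5....T c /etc/passwd
..5....T   /bin/ls
SM5....T   /bin/login
missing   /usr/bin/w
EOF

echo "== /etc/passwd suspects =="
passwd_suspects <<'EOF'
root:x:0:0:root:/root:/bin/bash
srl:x:500:500::/home/srl:/bin/bash
toor:x:0:0::/:/bin/sh
guest::501:501::/home/guest:/bin/bash
EOF

echo "== syslogd restarts expected from one rotation =="
expected_syslogd_restarts <<'EOF'
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler {
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}
EOF
```

On the box itself you would run rpm -Va > rpmcheck and then rpm_va_suspects rpmcheck, passwd_suspects /etc/passwd, and expected_syslogd_restarts /etc/logrotate.d/syslog, comparing the last number with the count of restart lines in /var/log/messages and the time of the restarts with the run-parts /etc/cron.daily entry in /etc/crontab, which is where Red Hat invokes logrotate. Two caveats: rpm -Va only compares files against the package database on the same disk, so it proves little if rpm or the database has been replaced, and none of these checks is a substitute for installing the errata before putting the box on the cable modem.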



