The fact that most of those files are empty (hacker-like activity) and there are no .1, .2 etc. does not look good. Did you do something at 18:04? Run a netstat and see what/who you are listening for or connected to. Wtmp is time stamped 1.5 hrs later. Run last, it might tell you who was there or what id was compromised. Look in /tmp for anything unusual. Isolate it from your network. Good luck.

Regards,
Marshall

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Marty Landman
Sent: Monday, February 13, 2006 8:10 PM
To: redhat-list@xxxxxxxxxx
Subject: system logging is not

My RH9 gateway suddenly seems to have developed some problems today. The only thing special I recall doing was to change from a netgear hub to a linksys switch and add an 8th box to my lan. There is also a netgear switch to which this box is plugged in which used to uplink to the netgear hub but now uplinks to the linksys switch. All 8 computers were visible from my Win xp workstation after doing that btw.

Later I noticed that samba didn't seem to be working on my Win XP workstation - although it can SSH to the RH box. And it's still functioning as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is that a kosher name btw?) evidence of attempted break-ins from a day or two ago.

So not knowing what else to do I rebooted - windows user instinct :). Noticed during the reboot that system logging and httpd startup both FAILED. OTOH using Nautilus from the console I could find the other 7 computers on the network, but not this computer itself.

Here's some shell stuff that I think illustrates some of what's going on:

[marty@BANYAN ~]$ pwd
/home/marty
[marty@BANYAN ~]$ ls -al /var/log
total 324
drwxr-xr-x    2 root root  4096 Feb 13 18:46 .
drwxr-xr-x   21 root root  4096 Jul 30  2005 ..
-rw-r--r--    1 root root 28509 Feb 13 18:46 XFree86.0.log
-rw-r--r--    1 root root 28584 Feb 13 18:20 XFree86.0.log.old
-rw-------    1 root root     0 Feb 13 18:04 boot.log
-rw-------    1 root root     0 Feb 13 18:04 cron
-rw-r--r--    1 root root  6532 Feb 13 18:18 dmesg
-rw-r--r--    1 root root 65631 Feb 13 18:18 ksyms.0
-rw-r--r--    1 root root 65631 Feb 13 18:14 ksyms.1
-rw-r--r--    1 root root 65631 Feb 13 18:04 ksyms.2
-rw-------    1 root root     0 Feb 13 18:04 maillog
-rw-------    1 root root     0 Feb 13 18:04 messages
-rw-------    1 root root     0 Feb 13 18:04 secure
-rw-------    1 root root     0 Feb 13 18:04 spooler
-rw-------    1 root root   315 Feb 13 18:12 sudolog
-rw-rw-r--    1 root utmp 30336 Feb 13 20:41 wtmp
[marty@BANYAN ~]$ df
Filesystem   1K-blocks     Used Available Use% Mounted on
/dev/hdd1      5278644  2073532   2936972  42% /
/dev/hda1        99251     9324     84802  10% /boot
none            127664        0    127664   0% /dev/shm
/dev/hda2      4035432    33080   3797360   1% /mnt/kramer
/dev/hdb1    241263968 32998936 196009448  15% /mnt/maestro
[marty@BANYAN ~]$ top
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
[marty@BANYAN ~]$

-----------------------------------------------

At this point I wonder if my computer's been hijacked or somehow corrupted. Either way not sure what to do next.

Thanks in advance,
Marty

Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
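
The pattern Marshall points out in the listing (zero-length logs sharing one timestamp, with no .1, .2 rotated copies beside them) can be checked mechanically. The script below is an added example, not part of either message; the function names `flag_empty_logs` and `sample_listing` are made up for it, and it assumes the default C-locale `ls -al` layout and file names without spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ls -al` output on stdin and
# reports each zero-length file, whether a rotated copy (name.1, name.2.gz,
# ...) is listed beside it, and how many empty files share its timestamp.
flag_empty_logs() {
    awk '
    NF >= 9 && $1 ~ /^-/ {              # regular files only
        name = $9; stamp = $6 " " $7 " " $8
        seen[name] = 1
        if ($5 == 0) { empty[name] = stamp; cluster[stamp]++ }
    }
    END {
        for (n in empty) {
            rotated = "no"
            for (s in seen)
                if (index(s, n ".") == 1 && s ~ /\.[0-9]+(\.gz)?$/)
                    rotated = "yes"
            printf "%s rotated=%s cluster=%d\n", n, rotated, cluster[empty[n]]
        }
    }' | sort
}

# Regular-file lines copied from the /var/log listing in the thread.
sample_listing() {
    cat <<'EOF'
-rw-r--r-- 1 root root 28509 Feb 13 18:46 XFree86.0.log
-rw-r--r-- 1 root root 28584 Feb 13 18:20 XFree86.0.log.old
-rw------- 1 root root 0 Feb 13 18:04 boot.log
-rw------- 1 root root 0 Feb 13 18:04 cron
-rw-r--r-- 1 root root 6532 Feb 13 18:18 dmesg
-rw-r--r-- 1 root root 65631 Feb 13 18:18 ksyms.0
-rw-r--r-- 1 root root 65631 Feb 13 18:14 ksyms.1
-rw-r--r-- 1 root root 65631 Feb 13 18:04 ksyms.2
-rw------- 1 root root 0 Feb 13 18:04 maillog
-rw------- 1 root root 0 Feb 13 18:04 messages
-rw------- 1 root root 0 Feb 13 18:04 secure
-rw------- 1 root root 0 Feb 13 18:04 spooler
-rw------- 1 root root 315 Feb 13 18:12 sudolog
-rw-rw-r-- 1 root utmp 30336 Feb 13 20:41 wtmp
EOF
}

sample_listing | flag_empty_logs
```

On a live host the same function can be fed with `LC_ALL=C ls -al /var/log | flag_empty_logs`; a normal logrotate run leaves `rotated=yes` and a small cluster, while six files with `rotated=no cluster=6` is the situation in the thread.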