RE: system logging is not

At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote:
> The fact that most of those files are empty (hacker-like activity) and
> there are no .1, .2 etc. does not look good. Did you do something at
> 18:04?

No, not that I can think of.

> Run a netstat and see what/who you are listening for or connected to.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
216.238.192.133 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         216.238.192.133 0.0.0.0         UG        0 0          0 ppp0
$

Looks normal, doesn't it?

> Wtmp is time stamped 1.5 hrs later. Run last, it might
> tell you who was there or what id was compromised.

$ sudo last
marty    pts/0        nosoup4u         Tue Feb 14 15:42   still logged in
marty    pts/0        nosoup4u         Mon Feb 13 20:41 - 22:05  (01:24)
root     pts/0        :0.0             Mon Feb 13 18:20 - 20:41  (02:20)
root     :0                            Mon Feb 13 18:20 - 18:46  (00:25)
reboot   system boot  2.4.20-8         Mon Feb 13 18:18          (21:39)
reboot   system boot  2.4.20-8         Mon Feb 13 18:14          (21:43)
marty    pts/1        :0.0             Mon Feb 13 18:06 - down   (00:06)
marty    :0                            Mon Feb 13 18:06 - down   (00:06)
marty    pts/0        nosoup4u         Mon Feb 13 18:05 - down   (00:07)
reboot   system boot  2.4.20-8         Mon Feb 13 18:04          (00:08)

wtmp begins Mon Feb 13 18:04:26 2006
$

BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box.

> Look in /tmp for anything unusual.  Isolate it from your network.

$ ls -al /tmp
total 572
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 .
drwxr-xr-x  20 root     root         4096 Feb 13 18:33 ..
drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .ICE-unix
-r--r--r--   1 root     root           11 Feb 13 18:46 .X0-lock
drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .X11-unix
srwx------   1 root     nobody          0 Feb 13 18:20 .fam_socket
drwxrwxrwt   2 xfs      xfs          4096 Feb 13 18:19 .font-unix
srw-rw-rw-   1 root     root            0 Feb 13 18:19 .gdm_socket
-rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
drwx------   2 joel     users        4096 Dec  5 16:27 orbit-joel
drwx------   2 marty    marty       12288 Feb 13 18:13 orbit-marty
drwx------   2 root     root        12288 Feb 13 18:46 orbit-root
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 samba
-rwxr--r--   1 root     root        44377 Feb 13 18:41 scrollkeeper-tempfile.0
drwx------   2 marty    marty        4096 Dec 11 18:49 ssh-XXRI9PKz
drwx------   2 root     root         4096 Jan  3 13:32 ssh-XXgHv7Ve
drwxrwxrwt   3 marty    marty        4096 Jan 26 19:04 uscreens
[marty@BANYAN ~]$ ls -al /tmp/samba
total 8
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 .
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 ..
$

> Good luck.

I removed everything on /tmp and rebooted, system still can't create /var/log/messages. It also is now unable to start X-Windows on the console. What might I do next here?

Marty



-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Marty Landman
Sent: Monday, February 13, 2006 8:10 PM
To: redhat-list@xxxxxxxxxx
Subject: system logging is not


My RH9 gateway suddenly seems to have developed some problems today. The
only thing special I recall doing was to change from a netgear hub to a
linksys switch and add an 8th box to my lan. There is also a netgear switch
to which this box is plugged in which used to uplink to the netgear hub but
now uplinks to the linksys switch. All 8 computers were visible from my Win
xp workstation after doing that btw.

Later I noticed that samba didn't seem to be working on my Win XP
workstation - although it can SSH to the RH box. And it's still functioning
as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is that
a kosher name btw?) evidence of attempted break-ins from a day or two ago.

So not knowing what else to do I rebooted - windows user instinct :).
Noticed during the reboot that system logging and httpd startup both
FAILED. OTOH using Nautilus from the console I could find the other 7
computers on the network, but not this computer itself.

Here's some shell stuff that I think illustrates some of what's going on:

[marty@BANYAN ~]$ pwd
/home/marty
[marty@BANYAN ~]$ ls -al /var/log
total 324
drwxr-xr-x   2 root     root         4096 Feb 13 18:46 .
drwxr-xr-x  21 root     root         4096 Jul 30  2005 ..
-rw-r--r--   1 root     root        28509 Feb 13 18:46 XFree86.0.log
-rw-r--r--   1 root     root        28584 Feb 13 18:20 XFree86.0.log.old
-rw-------   1 root     root            0 Feb 13 18:04 boot.log
-rw-------   1 root     root            0 Feb 13 18:04 cron
-rw-r--r--   1 root     root         6532 Feb 13 18:18 dmesg
-rw-r--r--   1 root     root        65631 Feb 13 18:18 ksyms.0
-rw-r--r--   1 root     root        65631 Feb 13 18:14 ksyms.1
-rw-r--r--   1 root     root        65631 Feb 13 18:04 ksyms.2
-rw-------   1 root     root            0 Feb 13 18:04 maillog
-rw-------   1 root     root            0 Feb 13 18:04 messages
-rw-------   1 root     root            0 Feb 13 18:04 secure
-rw-------   1 root     root            0 Feb 13 18:04 spooler
-rw-------   1 root     root          315 Feb 13 18:12 sudolog
-rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
[marty@BANYAN ~]$ df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hdd1              5278644   2073532   2936972  42% /
/dev/hda1                99251      9324     84802  10% /boot
none                    127664         0    127664   0% /dev/shm
/dev/hda2              4035432     33080   3797360   1% /mnt/kramer
/dev/hdb1            241263968  32998936 196009448  15% /mnt/maestro
[marty@BANYAN ~]$ top
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
[marty@BANYAN ~]$


-----------------------------------------------

At this point I wonder if my computer's been hijacked or somehow corrupted.
Either way not sure what to do next.

Thanks in advance,

Marty


Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
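The checks traded in this thread (a whole set of logs zeroed in the same minute with no rotated copies left behind, the wtmp start time from `last`, odd files in /tmp, and a system binary failing for a missing library) are the kind of thing a responder wants to run as one repeatable triage pass rather than eyeballing listings. The Python below is an added example, not code from the thread, from Red Hat or from the poster. It parses the `ls -al`, `last` and `top` output posted above (copied here as sample input, lightly excerpted) and reports each indicator; the function names, the three-file threshold and the list of "suspicious" file traits are my own choices.

```python
"""Offline triage of the artifacts posted in this thread: zero-length logs,
the `last` output, the /tmp listing and the failing `top`. Added example;
the listings below are copied (excerpted) from the thread as sample input."""
import re
from collections import defaultdict

# Excerpt of the `ls -al /var/log` output posted in the thread.
VAR_LOG_LISTING = """\
drwxr-xr-x   2 root     root         4096 Feb 13 18:46 .
drwxr-xr-x  21 root     root         4096 Jul 30  2005 ..
-rw-------   1 root     root            0 Feb 13 18:04 boot.log
-rw-------   1 root     root            0 Feb 13 18:04 cron
-rw-r--r--   1 root     root        65631 Feb 13 18:04 ksyms.2
-rw-------   1 root     root            0 Feb 13 18:04 maillog
-rw-------   1 root     root            0 Feb 13 18:04 messages
-rw-------   1 root     root            0 Feb 13 18:04 secure
-rw-------   1 root     root            0 Feb 13 18:04 spooler
-rw-------   1 root     root          315 Feb 13 18:12 sudolog
-rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
"""
# Excerpt of the `ls -al /tmp` output posted in the thread.
TMP_LISTING = """\
-r--r--r--   1 root     root           11 Feb 13 18:46 .X0-lock
srw-rw-rw-   1 root     root            0 Feb 13 18:19 .gdm_socket
-rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
drwx------   2 marty    marty       12288 Feb 13 18:13 orbit-marty
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 samba
-rwxr--r--   1 root     root        44377 Feb 13 18:41 scrollkeeper-tempfile.0
"""
# Tail of the `last` output posted in the thread.
LAST_OUTPUT = """\
marty    pts/0        nosoup4u         Mon Feb 13 18:05 - down   (00:07)
reboot   system boot  2.4.20-8         Mon Feb 13 18:04          (00:08)

wtmp begins Mon Feb 13 18:04:26 2006
"""
# The loader error from the thread, unwrapped onto one line.
TOP_ERROR = ("top: error while loading shared libraries: libncurses.so.4: "
             "cannot open shared object file: No such file or directory")

# One `ls -al` line: mode, link count, owner, group, size, mtime, name.
LS_RE = re.compile(
    r'^(?P<mode>[-dlsbcp][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
    r'\s+(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))'
    r'\s+(?P<name>.+)$')


def parse_ls(listing):
    """Parse `ls -al` text into dicts; '.' and '..' are dropped."""
    entries = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if m and m['name'] not in ('.', '..'):
            e = m.groupdict()
            e['size'] = int(e['size'])
            e['mtime'] = ' '.join(e['mtime'].split())  # collapse 'Jul 30  2005'
            entries.append(e)
    return entries


def truncated_logs(entries, min_files=3):
    """Find the largest group of zero-length regular files sharing one mtime.
    Returns (mtime, names, names_without_rotated_copy) or None. logrotate
    leaves name.1/name.2 behind; a mass truncation with none is the thread's
    'does not look good' signal."""
    names = {e['name'] for e in entries}
    by_time = defaultdict(list)
    for e in entries:
        if e['mode'][0] == '-' and e['size'] == 0:
            by_time[e['mtime']].append(e['name'])
    if not by_time:
        return None
    mtime, files = max(by_time.items(), key=lambda kv: len(kv[1]))
    if len(files) < min_files:
        return None
    unrotated = [f for f in files if not any(n.startswith(f + '.') for n in names)]
    return mtime, files, unrotated


def suspicious_tmp(entries):
    """Regular files in a shared tmp dir that are world-writable, executable
    or archives: each one needs an explanation before the box is trusted."""
    flagged = []
    for e in entries:
        if e['mode'][0] != '-':          # skip dirs, sockets, etc.
            continue
        world_writable = e['mode'][8] == 'w'
        executable = 'x' in e['mode'][3::3]   # owner/group/other x bits
        archive = e['name'].endswith(('.tar', '.tar.gz', '.tgz', '.zip'))
        if world_writable or executable or archive:
            flagged.append(e['name'])
    return flagged


def wtmp_begins(last_output):
    """The 'wtmp begins ...' trailer that `last` prints."""
    m = re.search(r'^wtmp begins (.+)$', last_output, re.M)
    return m.group(1).strip() if m else None


def same_minute(ls_mtime, wtmp_start):
    """True when wtmp starts in the same minute the logs were zeroed."""
    mon, day, hhmm = ls_mtime.split()
    return re.search(rf'{mon}\s+{day}\s+{hhmm}:\d\d', wtmp_start) is not None


def missing_library(err_line):
    """Library name from the dynamic loader's error, for `rpm -qf`/`rpm -V`."""
    m = re.search(r'libraries: (\S+): cannot open shared object file', err_line)
    return m.group(1) if m else None


if __name__ == '__main__':
    hit = truncated_logs(parse_ls(VAR_LOG_LISTING))
    start = wtmp_begins(LAST_OUTPUT)
    print('logs zeroed at', hit[0], '->', hit[1], '(no rotated copy:', hit[2], ')')
    print('wtmp begins', start, '| same minute as truncation:', same_minute(hit[0], start))
    print('/tmp files to explain:', suspicious_tmp(parse_ls(TMP_LISTING)))
    print('missing library:', missing_library(TOP_ERROR))
```

On the thread's data the script reports six logs zeroed at Feb 13 18:04 with no rotated copies, a wtmp that begins in that same minute, a world-writable root-owned irc.tar.gz plus an executable temp file in /tmp, and libncurses.so.4 as the file `top` cannot find. The last item is the cheapest lead to follow on an RPM system: `rpm -qf` on the library path tells you which package should own it and `rpm -V` on that package lists every file whose size, mode or digest no longer matches the package database, which separates "a package was removed" from "system files were replaced".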

