Netstat -rn is just giving your routing tables. Use -an to get all the listening/established connections. What does /etc/syslog.conf look like? The questions I'm asking are more to figure out what happened. IMHO, the fix, because of the potential compromise, is to wipe it and start from scratch. Regards, Marshall -----Original Message----- From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Marty Landman Sent: Wednesday, February 15, 2006 6:28 AM To: General Red Hat Linux discussion list Subject: RE: system logging is not At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote: >The fact that most of those files are empty(hacker like activity) and >there are no .1, .2 etc does not look good. Did you do something at >18:04? No, not that I can think of. > Run a netstat and see what/who you are listening for or connected to. $ netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 216.238.192.133 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 216.238.192.133 0.0.0.0 UG 0 0 0 ppp0 $ Look normal, doesn't it? > Wtmp is time stamped 1.5 hrs later. Run last, it might >tell you who was there or what id was compromised. ]$ sudo last marty pts/0 nosoup4u Tue Feb 14 15:42 still logged in marty pts/0 nosoup4u Mon Feb 13 20:41 - 22:05 (01:24) root pts/0 :0.0 Mon Feb 13 18:20 - 20:41 (02:20) root :0 Mon Feb 13 18:20 - 18:46 (00:25) reboot system boot 2.4.20-8 Mon Feb 13 18:18 (21:39) reboot system boot 2.4.20-8 Mon Feb 13 18:14 (21:43) marty pts/1 :0.0 Mon Feb 13 18:06 - down (00:06) marty :0 Mon Feb 13 18:06 - down (00:06) marty pts/0 nosoup4u Mon Feb 13 18:05 - down (00:07) reboot system boot 2.4.20-8 Mon Feb 13 18:04 (00:08) wtmp begins Mon Feb 13 18:04:26 2006 $ BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box. > Look in /tmp for anything unusual. Isolate it from your network. $ ls -al /tmp total 572 drwxrwxrwt 12 root root 4096 Feb 14 04:02 . drwxr-xr-x 20 root root 4096 Feb 13 18:33 .. drwxrwxrwt 2 root root 4096 Feb 13 18:46 .ICE-unix -r--r--r-- 1 root root 11 Feb 13 18:46 .X0-lock drwxrwxrwt 2 root root 4096 Feb 13 18:46 .X11-unix srwx------ 1 root nobody 0 Feb 13 18:20 .fam_socket drwxrwxrwt 2 xfs xfs 4096 Feb 13 18:19 .font-unix srw-rw-rw- 1 root root 0 Feb 13 18:19 .gdm_socket -rw-rw-rw- 1 root root 464160 Feb 10 10:04 irc.tar.gz drwx------ 2 joel users 4096 Dec 5 16:27 orbit-joel drwx------ 2 marty marty 12288 Feb 13 18:13 orbit-marty drwx------ 2 root root 12288 Feb 13 18:46 orbit-root drwxr-xr-x 2 marty marty 4096 Dec 3 15:06 samba -rwxr--r-- 1 root root 44377 Feb 13 18:41 scrollkeeper-tempfile.0 drwx------ 2 marty marty 4096 Dec 11 18:49 ssh-XXRI9PKz drwx------ 2 root root 4096 Jan 3 13:32 ssh-XXgHv7Ve drwxrwxrwt 3 marty marty 4096 Jan 26 19:04 uscreens [marty@BANYAN ~]$ ls -al /tmp/samba total 8 drwxr-xr-x 2 marty marty 4096 Dec 3 15:06 . drwxrwxrwt 12 root root 4096 Feb 14 04:02 .. $ >Good luck. I removed everything on /tmp and rebooted, system still can't create /var/log/messages. It also is now unable to start X-Windows on the console. What might I do next here? Marty >-----Original Message----- >From: redhat-list-bounces@xxxxxxxxxx >[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Marty Landman >Sent: Monday, February 13, 2006 8:10 PM >To: redhat-list@xxxxxxxxxx >Subject: system logging is not > > >My RH9 gateway suddenly seems to have developed some problems today. The > >only thing special I recall doing was to change from a netgear hub to a >linksys switch and add an 8th box to my lan. There is also a netgear >switch >to which this box is plugged in which used to uplink to the netgear hub >but >now uplinks to the linksys switch. All 8 computers were visible from my >Win >xp workstation after doing that btw. > >Later I noticed that samba didn't seem to be working on my Win XP >workstation - although it can SSH to the RH box. And it's still >functioning >as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is >that >a kosher name btw?) evidence of attempted break-ins from a day or two >ago. > >So not knowing what else to do I rebooted - windows user instinct :). >Noticed during the reboot that system logging and httpd startup both >FAILED. OTOH using Nautilus from the console I could find the other 7 >computers on the network, but not this computer itself. > >Here's some shell stuff that I think illustrates some of what's going >on: > >[marty@BANYAN ~]$ pwd >/home/marty >[marty@BANYAN ~]$ ls -al /var/log >total 324 >drwxr-xr-x 2 root root 4096 Feb 13 18:46 . >drwxr-xr-x 21 root root 4096 Jul 30 2005 .. >-rw-r--r-- 1 root root 28509 Feb 13 18:46 XFree86.0.log >-rw-r--r-- 1 root root 28584 Feb 13 18:20 XFree86.0.log.old >-rw------- 1 root root 0 Feb 13 18:04 boot.log >-rw------- 1 root root 0 Feb 13 18:04 cron >-rw-r--r-- 1 root root 6532 Feb 13 18:18 dmesg >-rw-r--r-- 1 root root 65631 Feb 13 18:18 ksyms.0 >-rw-r--r-- 1 root root 65631 Feb 13 18:14 ksyms.1 >-rw-r--r-- 1 root root 65631 Feb 13 18:04 ksyms.2 >-rw------- 1 root root 0 Feb 13 18:04 maillog >-rw------- 1 root root 0 Feb 13 18:04 messages >-rw------- 1 root root 0 Feb 13 18:04 secure >-rw------- 1 root root 0 Feb 13 18:04 spooler >-rw------- 1 root root 315 Feb 13 18:12 sudolog >-rw-rw-r-- 1 root utmp 30336 Feb 13 20:41 wtmp >[marty@BANYAN ~]$ df >Filesystem 1K-blocks Used Available Use% Mounted on >/dev/hdd1 5278644 2073532 2936972 42% / >/dev/hda1 99251 9324 84802 10% /boot >none 127664 0 127664 0% /dev/shm >/dev/hda2 4035432 33080 3797360 1% /mnt/kramer >/dev/hdb1 241263968 32998936 196009448 15% /mnt/maestro >[marty@BANYAN ~]$ top >top: error while loading shared libraries: libncurses.so.4: cannot open >shared object file: No such file or directory >[marty@BANYAN ~]$ > > >----------------------------------------------- > >At this point I wonder if my computer's been hijacked or somehow >corrupted. >Either way not sure what do to next. > >Thanks in advance, > >Marty > > >Marty Landman, Face 2 Interface Inc. 845-679-9387 >Webmaster's Bulletin Board: http://bbs.face2interface.com/ >Web Installed Formmail: http://face2interface.com/formINSTal > >-- >redhat-list mailing list >unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe >https://www.redhat.com/mailman/listinfo/redhat-list > >-- >redhat-list mailing list >unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe >https://www.redhat.com/mailman/listinfo/redhat-list Marty Landman, Face 2 Interface Inc. 845-679-9387 Webmaster's Bulletin Board: http://bbs.face2interface.com/ Web Installed Formmail: http://face2interface.com/formINSTal -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
