system logging is not
McDougall, Marshall (FSH)
MarMcDouga at gov.mb.ca
Wed Feb 15 16:15:42 UTC 2006
Netstat -rn is just giving your routing tables. Use -an to get all the
listening/established connections. What does /etc/syslog.conf look
like?
The questions I'm asking are more to figure out what happened. IMHO,
the fix, because of the potential compromise, is to wipe it and start
from scratch.
Regards, Marshall
-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
Sent: Wednesday, February 15, 2006 6:28 AM
To: General Red Hat Linux discussion list
Subject: RE: system logging is not
At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote:
>The fact that most of those files are empty(hacker like activity) and
>there are no .1, .2 etc does not look good. Did you do something at
>18:04?
No, not that I can think of.
> Run a netstat and see what/who you are listening for or connected
to.
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
216.238.192.133 0.0.0.0 255.255.255.255 UH 0 0 0
ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0
eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0
eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0
lo
0.0.0.0 216.238.192.133 0.0.0.0 UG 0 0 0
ppp0
$
Look normal, doesn't it?
> Wtmp is time stamped 1.5 hrs later. Run last, it might
>tell you who was there or what id was compromised.
]$ sudo last
marty pts/0 nosoup4u Tue Feb 14 15:42 still logged
in
marty pts/0 nosoup4u Mon Feb 13 20:41 - 22:05 (01:24)
root pts/0 :0.0 Mon Feb 13 18:20 - 20:41 (02:20)
root :0 Mon Feb 13 18:20 - 18:46 (00:25)
reboot system boot 2.4.20-8 Mon Feb 13 18:18 (21:39)
reboot system boot 2.4.20-8 Mon Feb 13 18:14 (21:43)
marty pts/1 :0.0 Mon Feb 13 18:06 - down (00:06)
marty :0 Mon Feb 13 18:06 - down (00:06)
marty pts/0 nosoup4u Mon Feb 13 18:05 - down (00:07)
reboot system boot 2.4.20-8 Mon Feb 13 18:04 (00:08)
wtmp begins Mon Feb 13 18:04:26 2006
$
BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box.
> Look in /tmp for anything unusual. Isolate it from your network.
$ ls -al /tmp
total 572
drwxrwxrwt 12 root root 4096 Feb 14 04:02 .
drwxr-xr-x 20 root root 4096 Feb 13 18:33 ..
drwxrwxrwt 2 root root 4096 Feb 13 18:46 .ICE-unix
-r--r--r-- 1 root root 11 Feb 13 18:46 .X0-lock
drwxrwxrwt 2 root root 4096 Feb 13 18:46 .X11-unix
srwx------ 1 root nobody 0 Feb 13 18:20 .fam_socket
drwxrwxrwt 2 xfs xfs 4096 Feb 13 18:19 .font-unix
srw-rw-rw- 1 root root 0 Feb 13 18:19 .gdm_socket
-rw-rw-rw- 1 root root 464160 Feb 10 10:04 irc.tar.gz
drwx------ 2 joel users 4096 Dec 5 16:27 orbit-joel
drwx------ 2 marty marty 12288 Feb 13 18:13 orbit-marty
drwx------ 2 root root 12288 Feb 13 18:46 orbit-root
drwxr-xr-x 2 marty marty 4096 Dec 3 15:06 samba
-rwxr--r-- 1 root root 44377 Feb 13 18:41
scrollkeeper-tempfile.0
drwx------ 2 marty marty 4096 Dec 11 18:49 ssh-XXRI9PKz
drwx------ 2 root root 4096 Jan 3 13:32 ssh-XXgHv7Ve
drwxrwxrwt 3 marty marty 4096 Jan 26 19:04 uscreens
[marty at BANYAN ~]$ ls -al /tmp/samba
total 8
drwxr-xr-x 2 marty marty 4096 Dec 3 15:06 .
drwxrwxrwt 12 root root 4096 Feb 14 04:02 ..
$
>Good luck.
I removed everything on /tmp and rebooted, system still can't create
/var/log/messages. It also is now unable to start X-Windows on the
console.
What might I do next here?
Marty
>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
>Sent: Monday, February 13, 2006 8:10 PM
>To: redhat-list at redhat.com
>Subject: system logging is not
>
>
>My RH9 gateway suddenly seems to have developed some problems today.
The
>
>only thing special I recall doing was to change from a netgear hub to a
>linksys switch and add an 8th box to my lan. There is also a netgear
>switch
>to which this box is plugged in which used to uplink to the netgear hub
>but
>now uplinks to the linksys switch. All 8 computers were visible from my
>Win
>xp workstation after doing that btw.
>
>Later I noticed that samba didn't seem to be working on my Win XP
>workstation - although it can SSH to the RH box. And it's still
>functioning
>as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is
>that
>a kosher name btw?) evidence of attempted break-ins from a day or two
>ago.
>
>So not knowing what else to do I rebooted - windows user instinct :).
>Noticed during the reboot that system logging and httpd startup both
>FAILED. OTOH using Nautilus from the console I could find the other 7
>computers on the network, but not this computer itself.
>
>Here's some shell stuff that I think illustrates some of what's going
>on:
>
>[marty at BANYAN ~]$ pwd
>/home/marty
>[marty at BANYAN ~]$ ls -al /var/log
>total 324
>drwxr-xr-x 2 root root 4096 Feb 13 18:46 .
>drwxr-xr-x 21 root root 4096 Jul 30 2005 ..
>-rw-r--r-- 1 root root 28509 Feb 13 18:46 XFree86.0.log
>-rw-r--r-- 1 root root 28584 Feb 13 18:20
XFree86.0.log.old
>-rw------- 1 root root 0 Feb 13 18:04 boot.log
>-rw------- 1 root root 0 Feb 13 18:04 cron
>-rw-r--r-- 1 root root 6532 Feb 13 18:18 dmesg
>-rw-r--r-- 1 root root 65631 Feb 13 18:18 ksyms.0
>-rw-r--r-- 1 root root 65631 Feb 13 18:14 ksyms.1
>-rw-r--r-- 1 root root 65631 Feb 13 18:04 ksyms.2
>-rw------- 1 root root 0 Feb 13 18:04 maillog
>-rw------- 1 root root 0 Feb 13 18:04 messages
>-rw------- 1 root root 0 Feb 13 18:04 secure
>-rw------- 1 root root 0 Feb 13 18:04 spooler
>-rw------- 1 root root 315 Feb 13 18:12 sudolog
>-rw-rw-r-- 1 root utmp 30336 Feb 13 20:41 wtmp
>[marty at BANYAN ~]$ df
>Filesystem 1K-blocks Used Available Use% Mounted on
>/dev/hdd1 5278644 2073532 2936972 42% /
>/dev/hda1 99251 9324 84802 10% /boot
>none 127664 0 127664 0% /dev/shm
>/dev/hda2 4035432 33080 3797360 1% /mnt/kramer
>/dev/hdb1 241263968 32998936 196009448 15% /mnt/maestro
>[marty at BANYAN ~]$ top
>top: error while loading shared libraries: libncurses.so.4: cannot open
>shared object file: No such file or directory
>[marty at BANYAN ~]$
>
>
>-----------------------------------------------
>
>At this point I wonder if my computer's been hijacked or somehow
>corrupted.
>Either way not sure what do to next.
>
>Thanks in advance,
>
>Marty
>
>
>Marty Landman, Face 2 Interface Inc. 845-679-9387
>Webmaster's Bulletin Board: http://bbs.face2interface.com/
>Web Installed Formmail: http://face2interface.com/formINSTal
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
More information about the redhat-list
mailing list