system logging is not

McDougall, Marshall (FSH) MarMcDouga at gov.mb.ca
Wed Feb 15 16:15:42 UTC 2006


Netstat -rn is just giving your routing tables.  Use -an to get all the
listening/established connections.  What does /etc/syslog.conf look
like?  

The questions I'm asking are more to figure out what happened.  IMHO,
the fix, because of the potential compromise, is to wipe it and start
from scratch.

Regards, Marshall

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
Sent: Wednesday, February 15, 2006 6:28 AM
To: General Red Hat Linux discussion list
Subject: RE: system logging is not

At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote:
>The fact that most of those files are empty (hacker-like activity) and
>there are no .1, .2 etc. does not look good. Did you do something at
>18:04?

No, not that I can think of.

>   Run a netstat and see what/who you are listening for or connected to.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
216.238.192.133 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         216.238.192.133 0.0.0.0         UG        0 0          0 ppp0
$

Looks normal, doesn't it?

>   Wtmp is time stamped 1.5 hrs later. Run last, it might
>tell you who was there or what id was compromised.

$ sudo last
marty    pts/0        nosoup4u         Tue Feb 14 15:42   still logged in
marty    pts/0        nosoup4u         Mon Feb 13 20:41 - 22:05  (01:24)
root     pts/0        :0.0             Mon Feb 13 18:20 - 20:41  (02:20)
root     :0                            Mon Feb 13 18:20 - 18:46  (00:25)
reboot   system boot  2.4.20-8         Mon Feb 13 18:18          (21:39)
reboot   system boot  2.4.20-8         Mon Feb 13 18:14          (21:43)
marty    pts/1        :0.0             Mon Feb 13 18:06 - down   (00:06)
marty    :0                            Mon Feb 13 18:06 - down   (00:06)
marty    pts/0        nosoup4u         Mon Feb 13 18:05 - down   (00:07)
reboot   system boot  2.4.20-8         Mon Feb 13 18:04          (00:08)

wtmp begins Mon Feb 13 18:04:26 2006
$

BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box.

>  Look in /tmp for anything unusual.  Isolate it from your network.

$ ls -al /tmp
total 572
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 .
drwxr-xr-x  20 root     root         4096 Feb 13 18:33 ..
drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .ICE-unix
-r--r--r--   1 root     root           11 Feb 13 18:46 .X0-lock
drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .X11-unix
srwx------   1 root     nobody          0 Feb 13 18:20 .fam_socket
drwxrwxrwt   2 xfs      xfs          4096 Feb 13 18:19 .font-unix
srw-rw-rw-   1 root     root            0 Feb 13 18:19 .gdm_socket
-rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
drwx------   2 joel     users        4096 Dec  5 16:27 orbit-joel
drwx------   2 marty    marty       12288 Feb 13 18:13 orbit-marty
drwx------   2 root     root        12288 Feb 13 18:46 orbit-root
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 samba
-rwxr--r--   1 root     root        44377 Feb 13 18:41 scrollkeeper-tempfile.0
drwx------   2 marty    marty        4096 Dec 11 18:49 ssh-XXRI9PKz
drwx------   2 root     root         4096 Jan  3 13:32 ssh-XXgHv7Ve
drwxrwxrwt   3 marty    marty        4096 Jan 26 19:04 uscreens
[marty at BANYAN ~]$ ls -al /tmp/samba
total 8
drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 .
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 ..
$

>Good luck.

I removed everything on /tmp and rebooted; the system still can't create
/var/log/messages. It is also now unable to start X-Windows on the console.
What might I do next here?

Marty



>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
>Sent: Monday, February 13, 2006 8:10 PM
>To: redhat-list at redhat.com
>Subject: system logging is not
>
>
>My RH9 gateway suddenly seems to have developed some problems today. The
>only thing special I recall doing was to change from a netgear hub to a
>linksys switch and add an 8th box to my lan. There is also a netgear switch
>to which this box is plugged in which used to uplink to the netgear hub but
>now uplinks to the linksys switch. All 8 computers were visible from my Win
>xp workstation after doing that btw.
>
>Later I noticed that samba didn't seem to be working on my Win XP
>workstation - although it can SSH to the RH box. And it's still functioning
>as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is that
>a kosher name btw?), evidence of attempted break-ins from a day or two ago.
>
>So not knowing what else to do I rebooted - windows user instinct :).
>Noticed during the reboot that system logging and httpd startup both
>FAILED. OTOH using Nautilus from the console I could find the other 7
>computers on the network, but not this computer itself.
>
>Here's some shell stuff that I think illustrates some of what's going on:
>
>[marty at BANYAN ~]$ pwd
>/home/marty
>[marty at BANYAN ~]$ ls -al /var/log
>total 324
>drwxr-xr-x   2 root     root         4096 Feb 13 18:46 .
>drwxr-xr-x  21 root     root         4096 Jul 30  2005 ..
>-rw-r--r--   1 root     root        28509 Feb 13 18:46 XFree86.0.log
>-rw-r--r--   1 root     root        28584 Feb 13 18:20 XFree86.0.log.old
>-rw-------   1 root     root            0 Feb 13 18:04 boot.log
>-rw-------   1 root     root            0 Feb 13 18:04 cron
>-rw-r--r--   1 root     root         6532 Feb 13 18:18 dmesg
>-rw-r--r--   1 root     root        65631 Feb 13 18:18 ksyms.0
>-rw-r--r--   1 root     root        65631 Feb 13 18:14 ksyms.1
>-rw-r--r--   1 root     root        65631 Feb 13 18:04 ksyms.2
>-rw-------   1 root     root            0 Feb 13 18:04 maillog
>-rw-------   1 root     root            0 Feb 13 18:04 messages
>-rw-------   1 root     root            0 Feb 13 18:04 secure
>-rw-------   1 root     root            0 Feb 13 18:04 spooler
>-rw-------   1 root     root          315 Feb 13 18:12 sudolog
>-rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
>[marty at BANYAN ~]$ df
>Filesystem           1K-blocks      Used Available Use% Mounted on
>/dev/hdd1              5278644   2073532   2936972  42% /
>/dev/hda1                99251      9324     84802  10% /boot
>none                    127664         0    127664   0% /dev/shm
>/dev/hda2              4035432     33080   3797360   1% /mnt/kramer
>/dev/hdb1            241263968  32998936 196009448  15% /mnt/maestro
>[marty at BANYAN ~]$ top
>top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
>[marty at BANYAN ~]$
>
>
>-----------------------------------------------
>
>At this point I wonder if my computer's been hijacked or somehow corrupted.
>Either way not sure what to do next.
>
>Thanks in advance,
>
>Marty
>
>
>Marty Landman, Face 2 Interface Inc. 845-679-9387
>Webmaster's Bulletin Board: http://bbs.face2interface.com/
>Web Installed Formmail: http://face2interface.com/formINSTal
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list

Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal  
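The checks Marshall asks Marty for in this thread (whether /etc/syslog.conf still routes anything to /var/log/messages, which sockets are listening, which logs are empty with no rotated copies behind them, and what in /tmp is writable by everyone) gathered into one triage script. This is an added example, not code from the list or from Red Hat; the function names are my own, and the sample syslog.conf, log directory and netstat -an output it is tested against are constructed rather than taken from Marty's box.

```shell
#!/bin/sh
# Added triage helper for the situation in this thread; not code from the list
# or from Red Hat. Function names and sample inputs are my own constructs.
# Every function takes a path so it can be run against saved copies of the
# evidence, or against the live host with the defaults, without changing anything.

# Zero-byte logs with no rotated .1 sibling, the sign flagged in the /var/log
# listing above. Rotated, .old and compressed names are skipped as candidates.
suspicious_empty_logs() {
    dir="${1:-/var/log}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.[0-9]|*.[0-9][0-9]|*.old|*.gz) continue ;;
        esac
        if [ ! -s "$f" ] && [ ! -e "$f.1" ]; then
            basename "$f"
        fi
    done
}

# Does syslog.conf still carry a live rule that writes to /var/log/messages?
# Comment and blank lines are dropped first so a commented-out rule does not count.
# Returns 0 when a rule names the file, 1 when none does, 2 if the file is unreadable.
syslog_logs_messages() {
    conf="${1:-/etc/syslog.conf}"
    [ -r "$conf" ] || { echo "unreadable: $conf" >&2; return 2; }
    grep -Ev '^[[:space:]]*(#|$)' "$conf" | grep -q '/var/log/messages'
}

# Listening sockets from saved `netstat -an` output (file argument or stdin):
# TCP sockets in LISTEN plus every bound UDP socket, printed as "proto local-address".
listening_ports() {
    awk '($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ { print $1, $4 }' "$@" \
        | LC_ALL=C sort -u
}

# Regular files that anyone can write, directly under a directory (default /tmp).
# A root-owned, world-writable archive in /tmp is exactly the entry worth explaining.
world_writable_files() {
    dir="${1:-/tmp}"
    find "$dir" -maxdepth 1 -type f -perm -002 2>/dev/null | LC_ALL=C sort
}

# Live run against the local host, only when explicitly asked for:
#   sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== empty logs without rotations =="; suspicious_empty_logs
    echo "== syslog.conf routes to /var/log/messages =="
    syslog_logs_messages && echo yes || echo no
    echo "== listening sockets =="; netstat -an 2>/dev/null | listening_ports
    echo "== world-writable files in /tmp =="; world_writable_files
fi
```

The point of separating the checks from the live run is that each one can be pointed at copies taken off the machine (a saved `netstat -an`, a tarred /var/log) and compared against a known-good host, which matters once the decision to wipe and rebuild has been taken and the original disk should no longer be touched.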
