system logging is not

Alfred Hovdestad alfred.hovdestad at usask.ca
Wed Feb 15 15:17:33 UTC 2006


One thing to check is that you have available i-nodes.  What is the 
output from df -i?

    Alfred Hovdestad, RHCE
    University of Saskatchewan


Marty Landman wrote:
> At 09:50 AM 2/14/2006, McDougall, Marshall (FSH) wrote:
> 
>> The fact that most of those files are empty (hacker-like activity) and
>> there are no .1, .2 etc. does not look good. Did you do something at
>> 18:04?
> 
> 
> No, not that I can think of.
> 
>>   Run a netstat and see what/who you are listening for or connected to.
> 
> 
> $ netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 216.238.192.133 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> 0.0.0.0         216.238.192.133 0.0.0.0         UG        0 0          0 ppp0
> $
> 
> Looks normal, doesn't it?
> 
>>   Wtmp is time stamped 1.5 hrs later. Run last, it might
>> tell you who was there or what id was compromised.
> 
> 
> ]$ sudo last
> marty    pts/0        nosoup4u         Tue Feb 14 15:42   still logged in
> marty    pts/0        nosoup4u         Mon Feb 13 20:41 - 22:05  (01:24)
> root     pts/0        :0.0             Mon Feb 13 18:20 - 20:41  (02:20)
> root     :0                            Mon Feb 13 18:20 - 18:46  (00:25)
> reboot   system boot  2.4.20-8         Mon Feb 13 18:18          (21:39)
> reboot   system boot  2.4.20-8         Mon Feb 13 18:14          (21:43)
> marty    pts/1        :0.0             Mon Feb 13 18:06 - down   (00:06)
> marty    :0                            Mon Feb 13 18:06 - down   (00:06)
> marty    pts/0        nosoup4u         Mon Feb 13 18:05 - down   (00:07)
> reboot   system boot  2.4.20-8         Mon Feb 13 18:04          (00:08)
> 
> wtmp begins Mon Feb 13 18:04:26 2006
> $
> 
> BTW nosoup4u is my Windows workstation - I'm ssh'd into the RH box.
> 
>>  Look in /tmp for anything unusual.  Isolate it from your network.
> 
> 
> $ ls -al /tmp
> total 572
> drwxrwxrwt  12 root     root         4096 Feb 14 04:02 .
> drwxr-xr-x  20 root     root         4096 Feb 13 18:33 ..
> drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .ICE-unix
> -r--r--r--   1 root     root           11 Feb 13 18:46 .X0-lock
> drwxrwxrwt   2 root     root         4096 Feb 13 18:46 .X11-unix
> srwx------   1 root     nobody          0 Feb 13 18:20 .fam_socket
> drwxrwxrwt   2 xfs      xfs          4096 Feb 13 18:19 .font-unix
> srw-rw-rw-   1 root     root            0 Feb 13 18:19 .gdm_socket
> -rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
> drwx------   2 joel     users        4096 Dec  5 16:27 orbit-joel
> drwx------   2 marty    marty       12288 Feb 13 18:13 orbit-marty
> drwx------   2 root     root        12288 Feb 13 18:46 orbit-root
> drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 samba
> -rwxr--r--   1 root     root        44377 Feb 13 18:41 scrollkeeper-tempfile.0
> drwx------   2 marty    marty        4096 Dec 11 18:49 ssh-XXRI9PKz
> drwx------   2 root     root         4096 Jan  3 13:32 ssh-XXgHv7Ve
> drwxrwxrwt   3 marty    marty        4096 Jan 26 19:04 uscreens
> [marty at BANYAN ~]$ ls -al /tmp/samba
> total 8
> drwxr-xr-x   2 marty    marty        4096 Dec  3 15:06 .
> drwxrwxrwt  12 root     root         4096 Feb 14 04:02 ..
> $
> 
>> Good luck.
> 
> 
> I removed everything on /tmp and rebooted, system still can't create 
> /var/log/messages. It also is now unable to start X-Windows on the 
> console. What might I do next here?
> 
> Marty
> 
> 
> 
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Marty Landman
>> Sent: Monday, February 13, 2006 8:10 PM
>> To: redhat-list at redhat.com
>> Subject: system logging is not
>>
>>
>> My RH9 gateway suddenly seems to have developed some problems today. The
>> only thing special I recall doing was to change from a netgear hub to a
>> linksys switch and add an 8th box to my lan. There is also a netgear switch
>> to which this box is plugged in which used to uplink to the netgear hub but
>> now uplinks to the linksys switch. All 8 computers were visible from my Win
>> xp workstation after doing that btw.
>>
>> Later I noticed that samba didn't seem to be working on my Win XP
>> workstation - although it can SSH to the RH box. And it's still functioning
>> as my LAN gateway. Saw a bunch of attempts on /var/log/samba/.log (is that
>> a kosher name btw?) evidence of attempted break-ins from a day or two ago.
>>
>> So not knowing what else to do I rebooted - windows user instinct :).
>> Noticed during the reboot that system logging and httpd startup both
>> FAILED. OTOH using Nautilus from the console I could find the other 7
>> computers on the network, but not this computer itself.
>>
>> Here's some shell stuff that I think illustrates some of what's going on:
>>
>> [marty at BANYAN ~]$ pwd
>> /home/marty
>> [marty at BANYAN ~]$ ls -al /var/log
>> total 324
>> drwxr-xr-x   2 root     root         4096 Feb 13 18:46 .
>> drwxr-xr-x  21 root     root         4096 Jul 30  2005 ..
>> -rw-r--r--   1 root     root        28509 Feb 13 18:46 XFree86.0.log
>> -rw-r--r--   1 root     root        28584 Feb 13 18:20 XFree86.0.log.old
>> -rw-------   1 root     root            0 Feb 13 18:04 boot.log
>> -rw-------   1 root     root            0 Feb 13 18:04 cron
>> -rw-r--r--   1 root     root         6532 Feb 13 18:18 dmesg
>> -rw-r--r--   1 root     root        65631 Feb 13 18:18 ksyms.0
>> -rw-r--r--   1 root     root        65631 Feb 13 18:14 ksyms.1
>> -rw-r--r--   1 root     root        65631 Feb 13 18:04 ksyms.2
>> -rw-------   1 root     root            0 Feb 13 18:04 maillog
>> -rw-------   1 root     root            0 Feb 13 18:04 messages
>> -rw-------   1 root     root            0 Feb 13 18:04 secure
>> -rw-------   1 root     root            0 Feb 13 18:04 spooler
>> -rw-------   1 root     root          315 Feb 13 18:12 sudolog
>> -rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
>> [marty at BANYAN ~]$ df
>> Filesystem           1K-blocks      Used Available Use% Mounted on
>> /dev/hdd1              5278644   2073532   2936972  42% /
>> /dev/hda1                99251      9324     84802  10% /boot
>> none                    127664         0    127664   0% /dev/shm
>> /dev/hda2              4035432     33080   3797360   1% /mnt/kramer
>> /dev/hdb1            241263968  32998936 196009448  15% /mnt/maestro
>> [marty at BANYAN ~]$ top
>> top: error while loading shared libraries: libncurses.so.4: cannot open
>> shared object file: No such file or directory
>> [marty at BANYAN ~]$
>>
>>
>> -----------------------------------------------
>>
>> At this point I wonder if my computer's been hijacked or somehow
>> corrupted.
>> Either way not sure what to do next.
>>
>> Thanks in advance,
>>
>> Marty
>>
>>
>> Marty Landman, Face 2 Interface Inc. 845-679-9387
>> Webmaster's Bulletin Board: http://bbs.face2interface.com/
>> Web Installed Formmail: http://face2interface.com/formINSTal
>>
>> -- 
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
>>
> 
> 
> Marty Landman, Face 2 Interface Inc. 845-679-9387
> Webmaster's Bulletin Board: http://bbs.face2interface.com/
> Web Installed Formmail: http://face2interface.com/formINSTal 
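The checks suggested in this thread (inode exhaustion via `df -i`, log files truncated to zero at one instant, odd world-writable files in `/tmp`) can be scripted so the listings are triaged consistently. The following is an added example, not code from the thread or from Red Hat: it parses `df -i` and `ls -al` output with regular expressions and reports findings. The `df -i` numbers are constructed (the thread asks for that output but never shows it) and are deliberately set to an exhausted root filesystem; the `ls -al` excerpts are copied from the listings quoted above and used here as constructed test input. Function names and thresholds are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed `df -i` sample (the thread never shows one). Root has 2 free
# inodes: the state in which syslogd cannot create /var/log/messages even
# though `df` still reports only 42% of blocks used.
DF_I_SAMPLE = """\
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/hdd1             671744  671742       2  100% /
/dev/hda1              25688      41   25647    1% /boot
none                   31916       1   31915    1% /dev/shm
"""

# Excerpts of the `ls -al` listings quoted in the thread, used as test input.
VAR_LOG_SAMPLE = """\
-rw-------   1 root     root            0 Feb 13 18:04 boot.log
-rw-------   1 root     root            0 Feb 13 18:04 cron
-rw-r--r--   1 root     root         6532 Feb 13 18:18 dmesg
-rw-------   1 root     root            0 Feb 13 18:04 maillog
-rw-------   1 root     root            0 Feb 13 18:04 messages
-rw-------   1 root     root            0 Feb 13 18:04 secure
-rw-------   1 root     root            0 Feb 13 18:04 spooler
-rw-------   1 root     root          315 Feb 13 18:12 sudolog
-rw-rw-r--   1 root     utmp        30336 Feb 13 20:41 wtmp
"""

TMP_SAMPLE = """\
drwxrwxrwt  12 root     root         4096 Feb 14 04:02 .
srw-rw-rw-   1 root     root            0 Feb 13 18:19 .gdm_socket
-rw-rw-rw-   1 root     root       464160 Feb 10 10:04 irc.tar.gz
drwx------   2 marty    marty       12288 Feb 13 18:13 orbit-marty
-rwxr--r--   1 root     root        44377 Feb 13 18:41 scrollkeeper-tempfile.0
drwx------   2 root     root         4096 Jan  3 13:32 ssh-XXgHv7Ve
"""

DF_I_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(\S+)$")
LS_RE = re.compile(
    r"^([-dlscbp][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"([A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(.+)$"
)


def inode_exhausted(df_i_output, threshold=95):
    """Mount points whose inode usage is at or above `threshold` percent."""
    hits = []
    for line in df_i_output.splitlines():
        m = DF_I_RE.match(line)
        if m and int(m.group(5)) >= threshold:
            hits.append(m.group(6))
    return hits


def parse_ls(listing):
    """Parse `ls -al` entries; prompts and 'total N' lines do not match."""
    entries = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        perms, owner, group, size, mtime, name = m.groups()
        entries.append({"type": perms[0], "perms": perms[1:], "owner": owner,
                        "group": group, "size": int(size), "mtime": mtime,
                        "name": name})
    return entries


def truncated_logs(entries, min_count=3):
    """Zero-length regular files sharing one mtime. Several logs emptied at
    the same instant means logging stopped (or was cleared) right then."""
    by_mtime = defaultdict(list)
    for e in entries:
        if e["type"] == "-" and e["size"] == 0:
            by_mtime[e["mtime"]].append(e["name"])
    if not by_mtime:
        return None
    mtime, names = max(by_mtime.items(), key=lambda kv: len(kv[1]))
    return (mtime, sorted(names)) if len(names) >= min_count else None


def world_writable_files(entries):
    """Regular files with the other-write bit set; sockets and sticky
    directories are normal in /tmp and are skipped."""
    return sorted(e["name"] for e in entries
                  if e["type"] == "-" and e["perms"][7] == "w")


def triage(df_i_output, var_log_listing, tmp_listing):
    """Run all checks and return human-readable findings."""
    findings = []
    for mount in inode_exhausted(df_i_output):
        findings.append(f"inode exhaustion on {mount}: no new files can be created")
    hit = truncated_logs(parse_ls(var_log_listing))
    if hit:
        findings.append(f"{len(hit[1])} zero-length logs dated {hit[0]}: {', '.join(hit[1])}")
    for name in world_writable_files(parse_ls(tmp_listing)):
        findings.append(f"world-writable file in /tmp: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(DF_I_SAMPLE, VAR_LOG_SAMPLE, TMP_SAMPLE):
        print("-", finding)
```

On a live box the three samples would be replaced by the real output of `df -i`, `ls -al /var/log` and `ls -al /tmp`; an inode-exhaustion finding explains the symptoms without any intrusion, while the truncated-log and world-writable findings are reasons to keep the host isolated and look further.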
