[Gllug] compromised?

Bruce Richardson itsbruce at uklinux.net
Mon Feb 24 01:00:42 UTC 2003


On Sun, Feb 23, 2003 at 10:34:50PM +0000, James wrote:
> Leigh Mason wrote:
> 
> >Hi all
> >
> >I'm using Red hat 7.1 with the 2.2.16 kernel. A periodic check of
> >/var/log/messages has revealed:
> >
> >syslogd 1.3-3: restart
> >syslogd 1.3-3: restart
> >syslogd 1.3-3: restart
> >syslogd 1.3-3: restart
> >syslogd 1.3-3: restart
> >syslogd 1.3-3: restart
> 
> >Could this mean the machine has been compromised in some way!?
> Suspicious, but not necessarily a hacked box. Something gone bad,
> certainly.

This is not at all certain.  Check the cron jobs and you should find
that syslogd is restarting to allow log files to be rotated.  If you
take another look at those log entries, you should see that they are
happening at almost exactly the same time each day, which should be your
clue to check crontab.

Basic (but essential) analytical skills called on, here.  And a pointer
that it's good to check all the cron jobs (amongst other things) on your
system so that you know how your system/distribution is set up.

-- 
Bruce

What would Edward Woodward do?
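Added example, not from the thread: a small Python check that applies the test Bruce describes (one syslogd restart per day, always at nearly the same time of day, as a cron-driven logrotate would produce) to constructed /var/log/messages lines. The timestamps, hostname and the cron line are assumed, since the original post quoted the entries without them.

```python
import re

# Constructed sample of /var/log/messages lines (not from the original post).
# One restart per day at ~04:02 is what a cron.daily logrotate run looks like.
REGULAR_MESSAGES = """\
Feb 17 04:02:03 host syslogd 1.3-3: restart
Feb 18 04:02:01 host syslogd 1.3-3: restart
Feb 19 04:02:02 host syslogd 1.3-3: restart
Feb 19 04:02:00 host CROND[1432]: (root) CMD (run-parts /etc/cron.daily)
Feb 20 04:02:04 host syslogd 1.3-3: restart
Feb 21 04:02:01 host syslogd 1.3-3: restart
Feb 22 04:02:02 host syslogd 1.3-3: restart
"""

# Constructed counter-example: several restarts on one day at odd hours.
IRREGULAR_MESSAGES = """\
Feb 17 04:02:03 host syslogd 1.3-3: restart
Feb 17 11:31:40 host syslogd 1.3-3: restart
Feb 18 22:15:09 host syslogd 1.3-3: restart
"""

# Classic syslog line: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ (.*)$")


def restart_times(text):
    """Return (day, seconds_since_midnight) for every syslogd restart line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, msg = m.groups()
        if "syslogd" in msg and "restart" in msg:
            secs = int(hh) * 3600 + int(mm) * 60 + int(ss)
            events.append((f"{mon} {int(day):02d}", secs))
    return events


def looks_like_scheduled_rotation(text, tolerance_s=300):
    """True when there is at most one restart per day and all restarts fall
    within tolerance_s of the same time of day: consistent with a daily cron
    job rotating logs. False means the pattern deserves a closer look."""
    events = restart_times(text)
    if not events:
        return False
    days = [d for d, _ in events]
    if len(set(days)) != len(days):
        return False  # more than one restart in a day is not a daily rotation
    secs = [s for _, s in events]
    return max(secs) - min(secs) <= tolerance_s
```

Confirm the finding the way the reply suggests: compare the restart time against the schedule in /etc/crontab and the contents of /etc/cron.daily.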