This is a discussion on "suspicious var/log entry" within the Linux Security forums, part of the System Security and Security Related category.
Aug 26 04:10:46 localhost syslogd 1.4.1: restart.

Why was the log restarted? I was sound asleep, so it wasn't me.

Pointers/ideas/education appreciated.
--
% Randy Yates % "So now it's getting late,
%% Fuquay-Varina, NC % and those who hesitate
%%% 919-577-9882 % got no one..."
%%%% <yates@ieee.org> % 'Waterfall', *Face The Music*, ELO
http://home.earthlink.net/~yatescr
Randy Yates wrote:
> Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
>
> Why was the log restarted? I was sound asleep, so it wasn't me.
>
> Pointers/ideas/education appreciated.

Probably because the log was rotated. Ever notice those .1 .2 .3 .4 endings? It's gotta happen sometime.
In article <m3absepmfv.fsf@ieee.org>,
Randy Yates <yates@ieee.org> writes:
> Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
>
> Why was the log restarted? I was sound asleep, so it wasn't me.
>
> Pointers/ideas/education appreciated.

man logrotate
man cron
--
These are my opinions, not necessarily my employer's. I hate spam.
On Aug 26, 8:25 am, Randy Yates <ya...@ieee.org> wrote:
> Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
>
> Why was the log restarted? I was sound asleep, so it wasn't me.
>
> Pointers/ideas/education appreciated.
> --
> % Randy Yates % "So now it's getting late,
> %% Fuquay-Varina, NC % and those who hesitate
> %%% 919-577-9882 % got no one..."
> %%%% <ya...@ieee.org> % 'Waterfall', *Face The Music*, ELO
> http://home.earthlink.net/~yatescr

Syslog Daemon was restarted... maybe ``kill -HUP $(pidof syslogd)''...
Your system of some intruder(???) did this for you...
pedro.forum@gmail.com wrote:
> Syslog Daemon was restarted... maybe ``kill -HUP $(pidof syslogd)''...
> Your system of some intruder(???) did this for you...

I wouldn't be too quick to suspect an intruder in this case. Syslog rotation is standard practice and is configured with pretty much every current Linux distribution by default. Very likely "normal system self-maintenance" caused syslogd to close and re-open its log files after the files were rotated.

Randy, "professional paranoia" is healthy for a sysadmin, but you need to understand what you should be paranoid about and *why*. If you don't understand, and are truly concerned for your system and what happens to it while you're sleeping (or otherwise "away"), remove it from the network at those times (assuming you're satisfied with the physical security surrounding it; otherwise you'll need to consider that as well).

The first step is getting a handle on what is "normal" behaviour for your system. You won't be able to get that if you're busy worrying that it has been compromised, so start from a clean configuration on an isolated system, and work from there. Understand how to control (and monitor) access to your system (both physical and logical), and *then* connect it to a network. You'll know how to figure out what caused certain behaviour.
--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                          Concordia University
Instructional & Information Technology          Montreal, Quebec, Canada
----------------------------------------------------------------------
On Sun, 26 Aug 2007 07:25:24 -0400, Randy Yates wrote:
> Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
>
> Why was the log restarted? I was sound asleep, so it wasn't me.
>
> Pointers/ideas/education appreciated.

cron runs daily at 04:02 AM by default. the script /etc/cron.daily/logrotate is the responsible party. After certain logfiles are rotated, ie: messages, <logrotate> restarts <syslogd>
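The thread's advice boils down to a baseline check: a syslogd restart shortly after cron.daily fires is expected, one at any other time of day deserves a look. The script below is an added example, not posted by anyone in the thread. It takes the 04:02 cron.daily start from John's reply, assumes a 15-minute grace window for run-parts to reach logrotate and for logrotate's postrotate step to signal syslogd (both labelled assumptions), and runs over a constructed set of log lines: the 04:10:46 entry is the one from the original post, the remaining lines are made up, and the crond line's wording is only illustrative of what a run-parts invocation can look like.

```shell
#!/bin/sh
# Added example: classify "syslogd ... restart" entries by whether they fall
# in the window right after cron.daily starts (when logrotate normally runs).
# Assumptions: cron.daily starts at 04:02 (stated in the thread); logrotate
# reaches syslogd within 15 minutes (assumed grace window); classic syslog
# line layout "Mon DD HH:MM:SS host program: message".

CRON_DAILY_START="04:02"   # default from the thread
WINDOW_MIN=15              # assumed grace window, in minutes

# Constructed sample input. Only the 04:10:46 line comes from the post;
# the others are invented to exercise both verdicts.
SAMPLE_LOG='Aug 26 04:02:01 localhost crond[1122]: (root) CMD (run-parts /etc/cron.daily)
Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
Aug 27 04:09:12 localhost syslogd 1.4.1: restart.
Aug 27 23:41:03 localhost syslogd 1.4.1: restart.
Aug 28 04:11:02 localhost syslogd 1.4.1: restart.'

# classify_restarts: read syslog lines on stdin; for every syslogd restart
# print "<Mon> <DD> <HH:MM:SS> expected|UNEXPECTED".
classify_restarts() {
    awk -v start="$CRON_DAILY_START" -v win="$WINDOW_MIN" '
        # minutes since midnight for an "HH:MM" string
        function tomin(hhmm,  p) { split(hhmm, p, ":"); return p[1] * 60 + p[2] }
        BEGIN { s = tomin(start) }
        / syslogd [^ ]*: restart\.$/ {
            t = tomin(substr($3, 1, 5))
            verdict = (t >= s && t <= s + win) ? "expected" : "UNEXPECTED"
            print $1, $2, $3, verdict
        }'
}

# count_unexpected: number of restarts outside the cron.daily window.
count_unexpected() {
    classify_restarts | awk '$4 == "UNEXPECTED" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_restarts
```

Run it against a real /var/log/messages with `classify_restarts < /var/log/messages` once CRON_DAILY_START matches the local crontab; the point of the window is to make the one 23:41 restart stand out while the three early-morning ones read as the routine logrotate HUP the thread describes.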
john mckenna <pikiwiki@hushmail.com> writes:
> On Sun, 26 Aug 2007 07:25:24 -0400, Randy Yates wrote:
>
>> Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
>>
>> Why was the log restarted? I was sound asleep, so it wasn't me.
>>
>> Pointers/ideas/education appreciated.
>
> cron runs daily at 04:02 AM by default. the script
> /etc/cron.daily/logrotate is the responsible party.
> After certain logfiles are rotated, ie: messages,
> <logrotate> restarts <syslogd>

Thanks John. That simple response explains everything.
--
% Randy Yates % "I met someone who looks alot like you,
%% Fuquay-Varina, NC % she does the things you do,
%%% 919-577-9882 % but she is an IBM."
%%%% <yates@ieee.org> % 'Yours Truly, 2095', *Time*, ELO
http://home.earthlink.net/~yatescr
On Aug 28, 1:06 am, Sylvain Robitaille <s...@alcor.concordia.ca> wrote:
> pedro.fo...@gmail.com wrote:
> > Syslog Daemon was restarted... maybe ``kill -HUP $(pidof syslogd)''...
> > Your system of some intruder(???) did this for you...
>
> I wouldn't be too quick to suspect an intruder in this case. Syslog
> rotation is standard practice and is configured with pretty much every
> current Linux distribution by default. Very likely "normal system
> self-maintenance" caused syslogd to close and re-open its log files
> after the files were rotated.

I misspell... The correct was "Your system OR some intruder"... R and F are too close at the keyboard. And the intruder was just a joke...