Hi, I'm hoping that somebody can help me think through a problem I've discovered with a mail server of ours. This is a machine running an up-to-date version of Debian lenny (it started out as an etch machine that was upgraded to lenny once lenny came out). It's a mail server running Postfix.

All mail log files are handled by syslogd, and mail logs get written to mail.log, mail.info, mail.err, and mail.warn, as well as to the main syslog file. This morning I discovered that I am missing mail logs from 6:46 AM on March 22 to 6:29 AM on March 24. The information did get written to the mail logs during that time, because I viewed those logs last week. However, now these files are gone. I still have a copy in /var/log/syslog.6.gz. BTW, I maintain mail log files dating back to several days BEFORE the missing time period.

I found it suspicious that log files would simply vanish. So, I immediately changed the machine passwords and locked down the host.allow file to limit access. Then, I installed chkrootkit, rkhunter, and unhide. None of these programs found anything odd. Everything appeared as it should. "last" shows no logins other than mine. The bash history file shows nothing out of the ordinary. Therefore, my original paranoia is beginning to subside. I can find nothing out of the ordinary on this machine other than two days' worth of missing log files.

Is it possible that during the daily syslog rotation some log files were deleted somehow? Anybody ever seen this? Am I being too paranoid? Or not paranoid enough? I would love to blame this on the savelog cron job.

Thanks,
Bryan Walton
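One way to check for the kind of silent hole described in this post is to scan the surviving rotated logs (plain and .gz) for stretches with no entries at all. The script below is an added example, not part of the original message; the log lines, hostname and the year 2010 are constructed, since Debian syslog timestamps carry no year.

```python
from datetime import datetime, timedelta
import gzip
import re

# Constructed sample in Debian syslog format (no year in the timestamp).
SAMPLE_LOG = """\
Mar 21 23:58:12 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Mar 22 06:45:30 mx postfix/qmgr[456]: 1A2B3C: removed
Mar 24 06:29:05 mx postfix/smtpd[1240]: connect from unknown[192.0.2.11]
Mar 24 06:29:40 mx postfix/smtpd[1240]: disconnect from unknown[192.0.2.11]
"""

# "Mon dd HH:MM:SS " with one or two spaces before a single-digit day.
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def parse_timestamps(lines, year):
    """Return sorted datetimes for every line that carries a syslog timestamp.

    The year is supplied by the caller (assumed constant here); logs that
    span a December/January boundary need it adjusted per file.
    """
    stamps = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss = m.groups()
        stamps.append(datetime.strptime(
            f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S"))
    return sorted(stamps)


def find_gaps(stamps, max_silence=timedelta(hours=12)):
    """Return (start, end) pairs where consecutive entries are further
    apart than max_silence; a busy mail server should never be that quiet."""
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_silence]


def read_rotated(paths):
    """Yield lines from plain and gzip-compressed rotated log files."""
    for p in paths:
        opener = gzip.open if p.endswith(".gz") else open
        with opener(p, "rt", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    import sys
    lines = read_rotated(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for start, end in find_gaps(parse_timestamps(lines, 2010)):
        print(f"no entries between {start} and {end} ({end - start})")
```

Run it as `python3 loggaps.py /var/log/mail.log /var/log/mail.log.*`; any reported gap can then be compared against the savelog/cron rotation times to tell a rotation fault from a deliberate deletion.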