Most likely you didn't get hacked. It looks like your logs rotated via
cron, as is SOP nowadays with Red Hat. I am not sure why syslogd restarted
so many times or why it isn't logging as it did before, though. I'd check
the following:
rpm -Va >rpmcheck and look at the rpmcheck file
/etc/passwd to see if anyone's been added
and things like that.
Also, make sure that you always install all of the security updates from
www.redhat.com/errata
Cindy
On Wed, 12 Jan 2000, srl wrote:
> Okay, I feel like a dumbass asking this one in public, but here goes.
>
> I've got a RH6.1 box at home connected to a MediaOne cable modem. It's not
> on all the time. I've been working on it when I can, trying to make it a
> masquerading firewall for my network. I haven't gotten to patching it yet
> (the updates posted on RH's website), but it hasn't been on that much.
> I've shut off pretty much every service it has.
>
> I have the packet filtering set up, enough that I can see people poking at
> it---- lots of spoofed packets from 5.0.0.4, port 65536, being denied by
> my system. Whee, I thought, my firewall works. ('course, it's not
> connected to anything yet, but that's another story....)
>
> So i left it on for a few hours last weekend, left the house and came
> back. When I came back, the window I had running tail -f /var/log/messages
> registered some of the usual poking (as above), at system time 4:01:05.
>
> A bit later, while doing something else entirely, I noticed that the logs
> had cycled; the old /var/log/messages was now /var/log/messages.1, and
> there were... 6 or so "syslogd restarted" messages from around 4:01:20. I
> didn't restart syslogd, and if I had it wouldn't have been 6 times.
> There are no packet-denied records in the log after that.
>
> I looked in the cron files to see whether the logs are supposed to be
> cycling, and they're not, at least as far as I can tell. (and even if they
> were set up to cycle, that wouldn't necessitate restarting syslogd, would
> it?)
>
> Does this necessarily mean my system's been compromised? If so, is
> there any way I can tell?
>
> srl
>
>
> ************
> [EMAIL PROTECTED] http://www.linuxchix.org
>
Cynthia J. Dale
Technical Engineer/FAQ maintainer
Red Hat, Inc.
fnord.
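As an added example that is not part of the thread, the POSIX shell script below turns the two checks suggested in the reply above (look through `rpm -Va` output, look for added accounts in /etc/passwd) into something you can run on a saved rpmcheck file and a baseline copy of /etc/passwd. The rpm -Va lines, the two passwd files and the "toor" backdoor account are constructed sample data so the script runs offline; the flag layout it parses is rpm's usual 8-character S/M/5/D/L/U/G/T string with an optional "c" for config files.

```shell
#!/bin/sh
# Added example, not from the thread: triage the two checks in the reply above
# (rpm -Va output and /etc/passwd). The sample data is constructed so the
# script runs offline; on a real box feed it the rpmcheck file and a baseline
# copy of /etc/passwd saved while the machine was known-clean.

# rpm -Va prints one line per file that differs from the RPM database: an
# 8-character flag string, an optional "c" for config files, then the path.
# Flags: S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group,
# T mtime; "." means that attribute matched, "missing" means the file is gone.
SAMPLE_RPMCHECK='S.5....T   /bin/login
.......T   /usr/bin/passwd
S.5....T c /etc/inetd.conf
.M.....T   /usr/sbin/in.telnetd
missing    /usr/bin/netstat
.......T c /etc/passwd'

# Keep only the lines worth a closer look: files that are missing, or
# non-config files whose size, mode, digest, owner or group changed.
# Edited config files ("c") and mtime-only changes are normal noise.
suspicious_rpm_lines() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print; next }
        $2 == "c"       { next }
        $1 ~ /[SM5UG]/  { print }
    '
}

# Constructed baseline and current /etc/passwd. The "toor" line is the kind
# of entry a backdoor adds: a second uid-0 account.
BASELINE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
srl:x:500:500:srl:/home/srl:/bin/bash'

CURRENT_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
srl:x:500:500:srl:/home/srl:/bin/bash
toor:x:0:0::/:/bin/sh'

# Report "added NAME" for accounts absent from the baseline and "uid0 NAME"
# for any account other than root with uid 0.
passwd_anomalies() {
    printf '%s\n' "$2" | awk -F: -v base="$1" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); known[f[1]] = 1 }
        }
        !($1 in known)          { print "added " $1 }
        $3 == 0 && $1 != "root" { print "uid0 " $1 }
    '
}

# Stand-alone run. Caveat: rpm -Va trusts the RPM database on the same disk,
# which an intruder can rewrite; for a real verdict verify against the
# original packages (rpm -Vp on the CD's RPMs) from a boot floppy or rescue disk.
echo '== rpm -Va lines worth a look =='
suspicious_rpm_lines "$SAMPLE_RPMCHECK"
echo '== /etc/passwd changes =='
passwd_anomalies "$BASELINE_PASSWD" "$CURRENT_PASSWD"
```

On the sample data the first report keeps /bin/login (size and digest changed), /usr/sbin/in.telnetd (mode changed) and the missing /usr/bin/netstat, and drops the mtime-only and config-file lines; the second report flags toor both as an account that was not in the baseline and as a second uid-0 login. Without a baseline copy of /etc/passwd the "added" check has nothing to compare against, which is a good reason to keep one (and the rpmcheck output) somewhere off the box.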