LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-21-2004, 10:37 AM   #1
dsieme01
LQ Newbie
 
Registered: Sep 2003
Posts: 28

Rep: Reputation: 15
0 byte logs


I have a Redhat 7.3 system that has 0 byte logs for secure, messages, spooler, xferlog, maillog, boot.log. The files are there, just 0 bytes. The logs are not getting updated when I log in, for example, or when the server is restarted. File date & size does not change. When I touch the log, it does update, by the way.

I don't think it's been compromised yet, but I welcome any ideas or tests I should perform.
 
Old 07-21-2004, 01:47 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Is syslog(d) running? :
ps aux | grep syslog
service syslog status
 
Old 07-21-2004, 02:45 PM   #3
dsieme01
LQ Newbie
 
Registered: Sep 2003
Posts: 28

Original Poster
Rep: Reputation: 15
that explains my logs. Now I have to figure out a kernel panic.

Thanks.
 
Old 07-21-2004, 09:13 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Having logging get mysteriously turned off AND kernel panics should raise a *major* red flag. Short of complete log deletion, it's suggestive of someone attempting to avoid detection by subverting logging. The kernel panics can be a side-effect of exploitation or a buggy rootkit.

You should check root's bash history (just type "history" as root) and look for any commands that might have turned off logging. For the panics, first check the system logs to see what the actual panic message is, then if the cause still isn't clear try running chkrootkit or preferably rootkit hunter (newer versions of the suckit rootkit have the ability to avoid detection by chkrootkit).

It's entirely possible that it's caused by something benign, but it definitely isn't something to take lightly until you are absolutely sure of the cause.
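The checks suggested in posts #2 and #4 (is a syslog daemon running, which logs are empty or no longer being written, and does root's history contain commands that touched logging) can be scripted so they are repeatable and can be run against a copy of /var/log rather than only by eye. The following is an added example, not code posted in this thread; the log directory, staleness threshold and history file path are parameters (assumed values, not anything the poster reported), so it can also be pointed at an offline copy of a suspect system's files.

```shell
#!/bin/sh
# Added example (not from the thread): repeatable checks for the symptoms
# described above. All paths are parameters so the functions can be run
# against a copied /var/log or a scratch directory.

# Is a syslog daemon running? Returns 0 (true) if syslogd, rsyslogd or
# syslog-ng appears in the process table.
syslog_running() {
    ps -e -o comm= 2>/dev/null | grep -Eq '^(r?syslogd|syslog-ng)$'
}

# Print "EMPTY <file>" for zero-byte regular files under $1 and
# "STALE <file>" for files whose mtime is older than $2 days (default 1).
# On a busy server, messages/secure/maillog should be neither.
stale_logs() {
    dir=$1
    days=${2:-1}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ ! -s "$f" ]; then
            echo "EMPTY $f"
        elif [ -n "$(find "$f" -mtime +"$days" 2>/dev/null)" ]; then
            echo "STALE $f"
        fi
    done
}

# Print numbered lines from a bash history file ($1) that mention the
# logging daemons, the log directory, service/chkconfig management,
# logrotate, or output redirected to /dev/null. Returns 1 if nothing
# matched or the file is unreadable.
suspicious_history() {
    hist=$1
    [ -r "$hist" ] || return 1
    grep -En 'r?syslogd?|klogd|/var/log|chkconfig|logrotate|> */dev/null' "$hist"
}

# Stand-alone usage against the live system (assumed default locations).
if [ "${1:-}" = "--run" ]; then
    if syslog_running; then
        echo "syslog daemon: running"
    else
        echo "syslog daemon: NOT running"
    fi
    stale_logs /var/log 1
    suspicious_history /root/.bash_history || echo "history: no logging-related commands"
fi
```

Run it as `sh logcheck.sh --run` as root. A 0-byte `secure` or `messages` together with "NOT running" is the benign explanation the thread reached (syslogd simply stopped); the same output with a history line such as a stop of the syslog service, or with the history file itself missing or empty, is the case post #4 says should not be taken lightly.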
 
Old 07-22-2004, 10:51 AM   #5
dsieme01
LQ Newbie
 
Registered: Sep 2003
Posts: 28

Original Poster
Rep: Reputation: 15
History command showed commands that all looked good.

Very strange. I did run the check for root kits already and did not find anything. Anything else that I should look for?
 
Old 07-22-2004, 11:13 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You might want to try skdetect and kern_check.c, otherwise I'd focus on trying to figure out the cause of the panics (what is the actual panic message?).
 