Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-21-2004, 09:37 AM, #1, LQ Newbie, Registered: Sep 2003, Posts: 28
0 byte logs
I have a Redhat 7.3 system that has 0 byte logs for secure, messages, spooler, xferlog, maillog, bootlog. The files are there, just 0 bytes. The logs are not getting updated when I log in, for example, or when the server is restarted. File date & size do not change. When I touch the log, it does update, by the way.
I don't think it's been compromised yet, but I welcome any ideas or tests I should perform.
07-21-2004, 12:47 PM, #2, Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Is syslog(d) running?
    ps aux | grep syslog
    service syslog status
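A defender's check for the situation in this thread, added here as an example (it is not something posted in the thread): it flags expected log files that are missing, empty or stale, and tests whether syslogd actually writes a message sent through logger(1). The log directory, the file list and the age threshold are assumptions modelled on a Red Hat 7.3 style /var/log layout.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the classic Red Hat 7.3
# log set is present, non-empty and recently written, and that syslogd is
# both running and actually writing. Paths, names and thresholds are assumptions.

# file_mtime FILE -> mtime in epoch seconds (GNU stat, with a BSD stat fallback)
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# check_logs DIR MAX_AGE NAME... -> prints one line per problem file and
# returns the number of problem files (0 means every expected log is live).
check_logs() {
    dir=$1; max_age=$2; shift 2
    now=$(date +%s); bad=0
    for name in "$@"; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; bad=$((bad + 1))
        elif [ ! -s "$f" ]; then          # exists but is 0 bytes, as in the thread
            echo "EMPTY   $f"; bad=$((bad + 1))
        elif [ $((now - $(file_mtime "$f"))) -gt "$max_age" ]; then
            echo "STALE   $f"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# syslog_alive [LOGFILE] -> 0 if a syslogd/rsyslogd process exists AND a test
# message sent with logger(1) shows up in LOGFILE; non-zero otherwise.
# A running daemon with a dead output file is exactly the case worth catching.
syslog_alive() {
    log=${1:-/var/log/messages}
    ps -eo comm | grep -qE '^(r)?syslogd$' || return 1
    tag="logcheck-$$-$(date +%s)"        # unique marker for this self-test
    logger -t "$tag" "logging self-test"
    sleep 2
    grep -q "$tag" "$log"
}

# Runs only when invoked directly as logcheck.sh (assumed script name).
case "$0" in
*/logcheck.sh|logcheck.sh)
    check_logs /var/log 86400 messages secure maillog spooler xferlog boot.log
    syslog_alive || echo "syslogd is not running or is not writing /var/log/messages"
    ;;
esac
```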
07-21-2004, 01:45 PM, #3, LQ Newbie, Registered: Sep 2003, Posts: 28, Original Poster
That explains my logs. Now I have to figure out a kernel panic.
Thanks.
07-21-2004, 08:13 PM, #4, Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Having logging get mysteriously turned off AND kernel panics should raise a *major* red flag. Short of complete log deletion, it's suggestive of someone attempting to avoid detection by subverting logging. The kernel panics can be a side-effect of exploitation or a buggy rootkit.
You should check root's bash history (just type "history" as root) and look for any commands that might have turned off logging. For the panics, first check the system logs to see what the actual panic message is; then, if the cause still isn't clear, try running chkrootkit or preferably rootkit hunter (newer versions of the suckit rootkit have the ability to avoid detection by chkrootkit).
It's entirely possible that it's caused by something benign, but it definitely isn't something to take lightly until you are absolutely sure of the cause.
07-22-2004, 09:51 AM, #5, LQ Newbie, Registered: Sep 2003, Posts: 28, Original Poster
The history command showed commands that all looked good.
Very strange. I did run the check for rootkits already and did not find anything. Anything else that I should look for?
07-22-2004, 10:13 AM, #6, Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
You might want to try skdetect and kern_check.c, otherwise I'd focus on trying to figure out the cause of the panics (what is the actual panic message?).