LinuxQuestions.org
Old 02-02-2003, 11:54 AM   #1
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Log Files Have Been Deleted


I woke up this morning and the majority of my log files were deleted. Is this a cron job and if so how can I find out if it is?
 
Old 02-02-2003, 12:15 PM   #2
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 69
Look in your crontab. Check in /etc for a cron folder. If there are several, look into each one. Are you sure they weren't just moved to something like:
/var/log/messages.old or similar?

 
Old 02-02-2003, 12:32 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Think I found it: /etc/cron.daily/logrotate. A simple 'man logrotate' showed that it cleans up log files. Just wanted to make sure no one cracked my system and then cleaned up their tracks. Thanks.
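The two checks from the posts above (were the logs only moved aside, and which cron entry did it), as an added shell example that is not part of any poster's reply. The function names and the rotated-file name patterns (`.old`, `.1`, `.2.gz`, `-YYYYMMDD`) are assumptions of this sketch, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example. LOGDIR/ETCDIR are parameters so the checks can run on a
# mounted disk image or a test tree instead of the live /var/log and /etc.

# Print rotated copies of a log: NAME.old, NAME.1, NAME.2.gz, NAME-20030202 ...
rotated_copies() {            # usage: rotated_copies LOGDIR NAME
    for f in "$1/$2".old "$1/$2".[0-9]* "$1/$2"-[0-9]*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# present     = live log has content
# rotated     = live log empty or absent, but older copies sit next to it
# unexplained = no content and no rotated copies: look closer at this one
log_state() {                 # usage: log_state LOGDIR NAME
    if [ -s "$1/$2" ]; then echo present
    elif [ -n "$(rotated_copies "$1" "$2")" ]; then echo rotated
    else echo unexplained
    fi
}

# Print cron files under ETCDIR (crontab, cron.d, cron.daily, ...) naming WORD.
cron_files_mentioning() {     # usage: cron_files_mentioning ETCDIR WORD
    for p in "$1/crontab" "$1"/cron.*; do
        if [ -e "$p" ]; then grep -rl -- "$2" "$p" || :; fi
    done 2>/dev/null | sort
}

# Constructed sample tree (not real system data) so the example runs offline.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/log" "$t/etc/cron.daily"
    : > "$t/log/messages"; echo old > "$t/log/messages.1"
    echo kept > "$t/log/secure"
    echo '/usr/sbin/logrotate /etc/logrotate.conf' > "$t/etc/cron.daily/logrotate"
    for n in messages secure wtmp; do
        printf '%s: %s\n' "$n" "$(log_state "$t/log" "$n")"
    done
    cron_files_mentioning "$t/etc" logrotate
    rm -rf "$t"
}
demo
```

On a live system the arguments would be `/var/log` and `/etc`; per-user crontabs outside `/etc` are not covered by this sketch.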
 
Old 02-02-2003, 12:36 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
void() { msg="If you suspect a compromise, disconnect your box from the 'net now. Audit your box using chkrootkit and Aide (or Samhain/tripwire). Search for files containing crontab entries like "* * * /path/to/file". Check your lastlog/wtmp and blast login entries." }

Read "Steps for Recovering from a UNIX or NT System Compromise" www.cert.org/tech_tips/root_compromise.html.

Good you resolved it. Please read the CERT doc anyway if you care.

Last edited by unSpawn; 02-02-2003 at 12:38 PM.
 
Old 02-02-2003, 12:37 PM   #5
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Did chkroot and it came up with nothing.