Log Files Have Been Deleted

Crashed_Again · 02-02-2003, 11:54 AM

I woke up this morning and the majority of my log files were deleted. Is this a cron job and if so how can I find out if it is?

MasterC · 02-02-2003, 12:15 PM

Look in your cron tab

Check in /etc for a cron folder. If there's several look into each one. Are you sure they weren't just moved to something like:
/var/log/messages.old or similar?

Cool

Crashed_Again · 02-02-2003, 12:32 PM

Think I found it. /etc/cron.daily/logrotate A simple 'man logrotate' showed that it cleans up log files. Just wanted to make sure no one cracked my system and then cleaned up there tracks. Thanks.

unSpawn · 02-02-2003, 12:36 PM

void() { msg="If you suspect a compromise disconnect you box from the 'net now. Audit your box using chkrootkit and Aide (or Samhain/tripwire). Search for files containing crontab entries like "* * * /path/to/file". Check your lastlog/wtmp and blast login entries." }

Read "Steps for Recovering from a UNIX or NT System Compromise" www.cert.org/tech_tips/root_compromise.html.

Good you resolved it. Please read the CERT doc anyway if you care.

Crashed_Again · 02-02-2003, 12:37 PM

Did chkroot and it came up with nothing.