07-05-2004, 10:01 AM   #1
php4u
locating log showing hacking?


Recently, I had a knucklehead try to hack my server. The LogWatch report showed he/she tried to get in. I did a whois on the IP, and notified the ISP. They want to see my log file. I have checked access_log, error_log, messages, and secure, and can't find it. Does LogWatch look for these types of hacks in a different log? I am running Fedora Core 2.

thanks in advance!
Ralph
--------------------------------------
--------------------- httpd Begin ------------------------

1.32 MB transfered in 247 responses (1xx 0, 2xx 180, 3xx 33, 4xx 34, 5xx 0)
101 Images (525024 bytes),
0 Documents (0 bytes),
0 Archives (0 bytes),
0 Sound files (0 bytes),
0 Movies files (0 bytes),
16 Windows executable files (4881 bytes),
108 Content pages (650504 bytes),
3 Redirects (648 bytes),
0 Proxy Configuration Files (0 bytes),
0 Program source files (0 bytes),
0 CD Images (0 bytes),
19 Other (200615 bytes)

Attempts to use 3 known hacks were logged 32 time(s)
cmd.exe by
66.47.226.71 14 time(s)
\/c\+dir by
66.47.226.71 16 time(s)
root.exe by
66.47.226.71 2 time(s)

A total of 1 sites probed the server
66.47.226.71
 
07-05-2004, 11:34 AM   #2
Capt_Caveman
In Fedora, you can find log messages in /var/log/messages and /var/log/secure, and HTTP-specific messages in /var/log/httpd/access_log.

For what it's worth, those 32 known exploits are Windows exploits. cmd.exe and root.exe are the Windows command shell (actually, root.exe is usually a copy of cmd.exe that is created by infection with the Code Red Windows worm). Probe/exploit attempts like the one you saw are very often automated scans by Windows systems infected with the Nimda worm (another Windows-only worm).
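
The lookup discussed above, as an added example that is not part of the original thread: a shell function that pulls from an Apache access_log the request lines behind LogWatch's "known hacks" counts (the three signatures in the report) and re-tallies them per IP. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Signatures are the three strings in the
# LogWatch report; the sample log lines are constructed, with documentation IPs.

# Write a small constructed Apache combined-format log to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [05/Jul/2004:03:12:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
192.0.2.10 - - [05/Jul/2004:03:12:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
192.0.2.10 - - [05/Jul/2004:03:12:03 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
198.51.100.7 - - [05/Jul/2004:09:40:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Jul/2004:09:40:12 -0500] "GET /faq.html HTTP/1.1" 200 900 "http://www.example.com/search?q=cmd.exe" "Mozilla/4.0"
EOF
}

# scan_probes MODE LOGFILE
#   MODE=lines   -> print the raw matching log lines (what an ISP abuse desk asks for)
#   MODE=summary -> print "count ip signature", mirroring the LogWatch section
# Only the request field is checked, so a signature that appears merely in a
# Referer or User-Agent header does not count as a probe.
scan_probes() {
    awk -F'"' -v mode="$1" '
        BEGIN { n = split("cmd.exe /c+dir root.exe", sig, " ") }
        {
            req = $2                          # first quoted field: the request line
            split($1, pre, " "); ip = pre[1]  # client address is the first word
            hit = 0
            for (i = 1; i <= n; i++)
                if (index(req, sig[i])) { count[ip SUBSEP sig[i]]++; hit = 1 }
            if (hit && mode == "lines") print $0
        }
        END {
            if (mode != "summary") exit
            for (k in count) {
                split(k, p, SUBSEP)
                print count[k], p[1], p[2] | "LC_ALL=C sort -k2,2 -k3,3"
            }
        }
    ' "$2"
}

# Demo on the constructed sample; on a real host pass /var/log/httpd/access_log.
log=$(mktemp)
make_sample_log "$log"
scan_probes summary "$log"
scan_probes lines "$log"
rm -f "$log"
```

Run it against /var/log/httpd/access_log, and against any rotated copies in the same directory if the LogWatch report covers a day that has already been rotated out.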
 
  

