Old 07-05-2004, 10:01 AM   #1
locating log showing hacking?

Recently, I had a knucklehead try to hack my server. The LogWatch report showed he/she tried to get in. I did a whois on the IP, and notified the ISP. They want to see my log file. I have checked access_log, error_log, messages, and secure, and can't find it. Does LogWatch look for these types of hacks in a different log? I am running Fedora Core 2.

thanks in advance!
--------------------- httpd Begin ------------------------

1.32 MB transfered in 247 responses (1xx 0, 2xx 180, 3xx 33, 4xx 34, 5xx 0)
101 Images (525024 bytes),
0 Documents (0 bytes),
0 Archives (0 bytes),
0 Sound files (0 bytes),
0 Movies files (0 bytes),
16 Windows executable files (4881 bytes),
108 Content pages (650504 bytes),
3 Redirects (648 bytes),
0 Proxy Configuration Files (0 bytes),
0 Program source files (0 bytes),
0 CD Images (0 bytes),
19 Other (200615 bytes)

Attempts to use 3 known hacks were logged 32 time(s)
cmd.exe by 14 time(s)
\/c\+dir by 16 time(s)
root.exe by 2 time(s)

A total of 1 sites probed the server
Old 07-05-2004, 11:34 AM   #2
In Fedora, you can find log messages in /var/log/messages, /var/log/secure and HTTP-specific messages in /var/log/httpd/access_log

For what it's worth, those 32 known exploits are Windows exploits. cmd.exe and root.exe are the Windows command shell (actually root.exe is usually a copy of cmd.exe that is created by infection with the Code Red Windows worm). Probe/exploit attempts like the one you saw are very often automated scans by Windows systems infected with the Nimda worm (another Windows-only worm).
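
Added example, not part of the original thread: one way to pull the raw access_log entries behind the three strings in the LogWatch report so they can be sent to the ISP. The sample log lines and addresses are constructed, the function names are hypothetical, and the rotated file name in the comments is an assumption about the local logrotate setup.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format. Addresses come from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24), not from the thread.
sample_log() {
cat <<'EOF'
192.0.2.45 - - [04/Jul/2004:03:12:09 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
192.0.2.45 - - [04/Jul/2004:03:12:10 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
192.0.2.45 - - [04/Jul/2004:03:12:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
198.51.100.7 - - [04/Jul/2004:09:30:41 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jul/2004:09:30:42 -0500] "GET /docs/cmd-exe-notes.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# The three strings from the LogWatch report as one extended regex.
# Bracket expressions keep "." and "+" literal without backslashes.
PROBE_RE='cmd[.]exe|root[.]exe|/c[+]dir'

# probe_lines: read a log on stdin and print, unmodified, every line whose
# request field (the first quoted field) contains one of the probe strings.
# Matching is case-insensitive because these URLs target Windows servers.
probe_lines() {
    awk -F'"' -v re="$PROBE_RE" 'tolower($2) ~ re { print }'
}

# probe_summary: print "count address" per client, busiest first.
probe_summary() {
    probe_lines | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demonstration on the constructed sample.
sample_log | probe_summary

# On a real host, feed it the file named in the reply above:
#   probe_lines < /var/log/httpd/access_log > evidence.txt
# If the report covers an earlier day and the log has been rotated since,
# the lines may be in a rotated file instead (assumed name: access_log.1):
#   probe_lines < /var/log/httpd/access_log.1 >> evidence.txt
```

The 404 status on every matching line in the sample reflects the point made in the reply: these requests look for Windows binaries that do not exist on an Apache/Linux host.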

