LinuxQuestions.org


baldur2630 05-23-2011 01:40 AM

Sudden problem with Syslog - missing entries to logs
 
CentOS 5.6 Server patched to latest, multiple name-based apache virtual hosts. SELinux OFF

Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what!

Last night I got the following in my logwatch:

Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
/favicon.ico: 8 Time(s)
/myadmin/scripts/setup.php: 1 Time(s)
/mysql/scripts/setup.php: 1 Time(s)
/mysqladmin/scripts/setup.php: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/phpadmin/scripts/setup.php: 1 Time(s)
/phpmyadmin/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
/scripts/setup.php: 1 Time(s)
/sqlweb/scripts/setup.php: 1 Time(s)
/web/phpMyAdmin/scripts/setup.php: 1 Time(s)
/web/phpmyadmin/scripts/setup.php: 1 Time(s)
/web/scripts/setup.php: 1 Time(s)
/webadmin/scripts/setup.php: 1 Time(s)
/webdb/scripts/setup.php: 1 Time(s)
/websql/scripts/setup.php: 1 Time(s)

The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.

Can anyone tell me what I've done wrong or what I should be checking?

Noway2 05-23-2011 08:06 PM

Did the logs perhaps get rolled over by logrotate? Check in the <log-file>.1 entries and the .gz archives. In case you haven't already, as root, you may be able to simply grep (use grep -i to ignore case) for the terms of interest. You might also want to see when the logs were last modified and how many of them were modified at or around the same time. While it is fairly unlikely that you are dealing with something nefarious, missing entries from logs is one of those things that should cause you to take notice of and investigate.
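
The check suggested in the reply above, as an added example that is not part of the thread: it searches live logs, numbered rotations and .gz archives case-insensitively and prints each file's last-modified time next to its hit count. The function name `search_logs`, the `--demo` switch and the sample log lines are constructed for illustration; it assumes GNU grep, gzip and GNU date.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): search live, rotated and gzipped logs
# for a term, ignoring case, and show when each file was last modified.
# Assumes GNU grep, gzip and GNU date (for `date -r FILE`).

# search_logs PATTERN DIR
# Prints one line per file: hit-count <TAB> mtime <TAB> path
# A hit-count of "?" means the file could not be read.
search_logs() {
    local pattern=$1 dir=$2 f count mtime
    find "$dir" -type f | sort | while IFS= read -r f; do
        case $f in
            # logrotate archives compressed with gzip
            *.gz) count=$(gzip -dc -- "$f" 2>/dev/null | grep -ci -- "$pattern" || true) ;;
            # live logs and uncompressed rotations such as messages.1
            *)    count=$(grep -ci -- "$pattern" "$f" 2>/dev/null || true) ;;
        esac
        mtime=$(date -r "$f" '+%Y-%m-%d %H:%M:%S')
        printf '%s\t%s\t%s\n' "${count:-?}" "$mtime" "$f"
    done
}

# Demo on constructed data: run the script with --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf 'GET /pma/scripts/setup.php 404\n' > "$demo/access_log"
    printf 'GET /PMA/scripts/SETUP.PHP 404\n' > "$demo/access_log.1"
    printf 'GET /db/scripts/setup.php 404\n'  > "$demo/access_log.2"
    gzip "$demo/access_log.2"
    search_logs 'setup\.php' "$demo"
    rm -rf "$demo"
fi
```

Run as root against the real log directory, for example `search_logs 'setup\.php' /var/log`. Files that all show the same modification time, or a live log whose timestamp is older than the requests logwatch reported, are the ones to look at first.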

vkvs 05-23-2011 09:51 PM

I have experienced that myself, so now all my logs are sent to my little syslog server at home :) Nobody can touch it here :P


All times are GMT -5.