Help with log analysis please

Jon Reynolds proteon at gci.net
Mon Jul 30 22:24:35 PDT 2001


Ben, even though I can't help you with this I would like to know the
resolution, so even if you do send it to someone on the list privately will
you change it up enough, to protect the innocent as Warren puts it, to let me
see how this is done also?

Jon
  -----Original Message-----
  From: beesond001 at hawaii.rr.com [mailto:beesond001 at hawaii.rr.com]
  Sent: Monday, July 30, 2001 9:18 PM
  To: Linux & Unix Advocates & Users
  Subject: [luau] Help with log analysis please


  To all,

  As I was going through some of my logs today I noticed something curious
and as I began digging deeper, I began to get that sinking feeling. Now, I
am no expert, and I would sure appreciate it if you guys could help me
decipher this and tell me if my hunch is correct. My hunch is that the
following IP addresses have borrowed my computer to try and visit a few web
sites with... My other hunch is that I should have caught it sooner, but
that is a different story...

  65.34.103.143 - - [30/Jul/2001:01:18:11 -1000] "GET http://www.s3.com/ HTTP/1.1" 404 301

  61.144.144.190 - - [19/Jul/2001:00:37:47 -1000] "GET http://www.yahoo.com/ HTTP/1.1" 404 304

  61.144.141.144 - - [20/Jul/2001:23:50:25 -1000] "GET http://www.yahoo.com/ HTTP/1.1" 404 304

  128.132.37.68 - - [07/Jul/2001:06:42:54 -1000] "GET http://www.mpogd.com/gotm/ HTTP/1.1" 404 309

  Now just for grins I ran "last" and no one here was logged in at these
times.

  Now, I have also noticed a bunch of chicanery in my logs this month, and
it appears that my firewall has stopped all the stuff I see in
/var/log/messages. This stuff showed up elsewhere and now I am beginning to
feel that something a little more is up.

  What I would like is if someone could provide me some tips for figuring
out how these log entries appeared and what I should do to plug those holes.
I will be willing to share log files etc, but I don't wish to post them to
the list a) in their present form, and also b) to save a little space on the
server.





  Thanks in advance,

  Ben
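The entries Ben quotes are requests whose target is a full "http://..." URL rather than a path on his server, i.e. outside hosts testing whether his web server will relay traffic for them (an open-proxy probe). A small checker for that pattern, added here as an example and not part of the original thread; the log lines inside it are constructed with documentation addresses, not Ben's, and the parser assumes Apache's common log format as shown in the mail:

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache common log format (assumed from the
# mail); the addresses and hosts are made up, not the ones Ben posted.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jul/2001:01:18:11 -1000] "GET http://www.example.com/ HTTP/1.1" 404 301
198.51.100.7 - - [30/Jul/2001:01:20:02 -1000] "GET /index.html HTTP/1.0" 200 1532
203.0.113.10 - - [30/Jul/2001:01:21:44 -1000] "GET http://www.example.org/page HTTP/1.1" 200 8123
192.0.2.55 - - [30/Jul/2001:01:22:10 -1000] "CONNECT mail.example.net:25 HTTP/1.0" 405 0
"""

# host ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Split one common-log-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def is_proxy_style(entry):
    """True when the client asked this server to fetch or tunnel to another host:
    an absolute URL as the request target, or a CONNECT host:port."""
    if entry["method"].upper() == "CONNECT":
        return True
    parts = urlsplit(entry["target"])
    return bool(parts.scheme and parts.netloc)

def find_proxy_probes(log_text):
    """Return every proxy-style request with a 'relayed' flag.
    A 4xx such as the 404s in Ben's log means the server refused; a 2xx with a
    non-trivial byte count means it actually fetched the remote page for the client."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_proxy_style(entry):
            continue
        findings.append({
            "host": entry["host"], "method": entry["method"],
            "target": entry["target"], "status": entry["status"],
            "relayed": 200 <= entry["status"] < 300 and entry["size"] > 0,
        })
    return findings

if __name__ == "__main__":
    for f in find_proxy_probes(SAMPLE_LOG):
        print(f)
```

Run it over the real access_log (`find_proxy_probes(open("/var/log/httpd/access_log").read())`) and look first at any entry flagged `relayed`; refused probes are noise to block, relayed ones mean the server served as a proxy.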
