[Wftl-lug] lastlog and syslogd weirdness

Nelson Garcia garcian002 at hawaii.rr.com
Mon Mar 12 08:55:47 PST 2001


Thanks Warren and Marcel, my current IP is 24.31.75.13. It's Roadrunner, so
it is dynamic.  You might want to let me know when/if you are going to scan
to make sure that I still have that IP and you don't scan the wrong person.

I think the disk problem is a more likely possibility, I'll check it out.
I'm not running a DNS server on that machine.

Nelson

-----Original Message-----
From: Warren Togami [mailto:warren at togami.com]
Sent: Monday, March 12, 2001 6:12 AM
To: garcian002 at hawaii.rr.com; luau at luau.hi.net
Subject: Fw: [Wftl-lug] lastlog and syslogd weirdness


Nelson,
I got this answer from a tech writer for Linux Journal magazine.  Please
e-mail back to the list if you want others to nmap your machine from the
outside.

----- Original Message -----
From: "Marcel (Free Thinker at Large) Gagne" <mggagne at salmar.com>
To: <wftl-lug at salmar.com>
Cc: "Warren Togami" <warren at togami.com>
Sent: Monday, March 12, 2001 5:09 AM
Subject: Re: [Wftl-lug] Fw: [luau] lastlog and syslogd weirdness

Hi Warren (and everyone else),

> This was posted to my local LUG mailing list.  Anybody here have any
> insight on this?  Please write back to warren at togami.com and I'll forward
> it back to the local LUG.

I'm going to skip repeating Nelson's entire post, but I wouldn't be completely
hasty in thinking that nothing had happened to my system, cracker-wise.  I
know he says he only has port 80 open, but perhaps it would be good of you to
scan him from the outside.  Check with him first -- never, ever scan
somebody's network without their express permission.

Since he is running Mandrake, he can also run a verify on all his RPMs.
There are some like "net-tools", and "bind" that I would be particularly wary
of.   A quick script I use when doing these types of checks follows.  Note
that those are back quotes on the first line.

for rpm_list in `rpm -qa | sort`
do
    echo "====== $rpm_list ====="
    rpm -V "$rpm_list"     # one line per file that fails verification
done

That sorts all my RPMs, prints a nice separator with the package name, and
then verifies each one, with the report on that package below the header.
Obviously, some configuration files might have changed, but if you see a
binary show up in the list, you are in trouble.  If absolutely everything
checks out and no configuration files even show up as having been changed
(passwd, group, inetd.conf, printcap, and others), then you are likely still
in trouble.

By the way, I always redirect the output to a file for later viewing and put
the process into the background, by adding "> some_file_name &" .

The second possibility is that his disk is going.   Shut down to single user
mode and run fsck on all the partitions.  I would start with the RPM check,
however.

Later, eh.

--

Marcel (Writer and Free Thinker at Large) Gagne
Note: This massagee wos nat speel or gramer-checkered.
Mandatory home page reference - http://www.salmar.com/marcel/
Author : Linux System Administration, A User's Guide
(due 2001 from Addison Wesley)
_______________________________________________
Wftl-lug mailing list
Wftl-lug at salmar.com
http://www.salmar.com/mailman/listinfo/wftl-lug
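As an added example (not code from Marcel's post or from Mandrake), the following POSIX shell script takes the report produced by the loop above and reduces it to the lines that matter for an intrusion check: non-config files that are missing or whose size, mode or digest changed, which is the "binary shows up in the list" case. Config files (marked `c` by `rpm -V`) are dropped because they legitimately differ. It assumes the documented `rpm -V` line format (an attribute-flag column, an optional file-type marker, then the path), it does not invoke `rpm` itself, and the sample report it parses is constructed for the demo rather than taken from Nelson's machine. Keep in mind that `rpm -V` trusts the local `rpm` binary and RPM database, both of which a rootkit can alter, so anything it flags should be confirmed from rescue media.

```shell
#!/bin/sh
# Added example, not Marcel's script: turn an "rpm -V" report into the short
# list of files that actually matter for an intrusion check.
#
# rpm -V prints one line per file that fails verification, e.g.
#   S.5....T c /etc/inetd.conf     ('c' = config file; 'd','g','l','r' exist too)
#   S.5....T   /bin/netstat        (no marker = ordinary payload file)
#   missing     /sbin/ifconfig
# Flag letters: S size, M mode, 5 MD5/digest, D device, L symlink, U user,
# G group, T mtime (newer rpm adds a 9th column, P capabilities).

# Constructed sample report (assumption: invented package names and lines,
# in the format the loop from the post produces; not real data).
SAMPLE='====== net-tools =====
S.5....T   /bin/netstat
.......T   /usr/share/man/man8/ifconfig.8.gz
missing     /sbin/ifconfig
====== setup =====
S.5....T c /etc/printcap
S.5....T c /etc/passwd'

# suspicious_files: read report lines on stdin, print non-config files that
# are missing or have a changed size/mode/digest. mtime-only changes (flags
# showing nothing but T) are usually harmless and are dropped. Paths with
# spaces are not handled (rare in distribution packages).
suspicious_files() {
    awk '
        /^=+ / { next }                   # skip the per-package separators
        {
            flags = $1
            if (NF >= 3) { marker = $2; path = $3 }
            else         { marker = "";  path = $2 }
            if (marker == "c") next       # config files legitimately change
            if (flags == "missing") { print path " (missing)"; next }
            if (flags ~ /[SM5]/)    print path
        }
    '
}

# run_rpm_verify REPORT: the loop from the post, run in the background with
# its output in REPORT as Marcel suggests (assumption: rpm is on PATH; this
# function is defined here but not called, so the demo runs without rpm).
run_rpm_verify() {
    rpm -qa | sort | while read -r pkg; do
        echo "====== $pkg ====="
        rpm -V "$pkg"
    done > "$1" 2>&1 &
}

# Stand-alone demo on the constructed sample. On a real box:
#   run_rpm_verify /root/rpm-verify.txt
#   suspicious_files < /root/rpm-verify.txt
printf '%s\n' "$SAMPLE" | suspicious_files
```

For the sample above the script prints only `/bin/netstat` and `/sbin/ifconfig (missing)`; the touched man page and the two config files are filtered out, which is the distinction Marcel draws between configuration drift and a replaced binary.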


