<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Help with log analysis please</TITLE>
<META content="text/html; charset=iso-8859-1" http-equiv=CONTENT-TYPE>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<META content=20010730;18142200 name=CREATED>
<META content="Ben Beeson" name=CHANGEDBY>
<META content=20010730;19174100 name=CHANGED></HEAD>
<BODY>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=790482205-31072001>Ben,
even though I can't help you with this, I would like to know the resolution, so
even if you do send it to someone on the list privately, will you change it up
enough (to protect the innocent, as Warren puts it) to let me see how this is
done also?</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=790482205-31072001></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=790482205-31072001>Jon</SPAN></FONT></DIV>
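<P>The four log lines Ben quotes below all carry an absolute URL (scheme and host) as the request target instead of a local path, which is how a client asks a web server to act as a proxy for another site. The following Python script is an added example, not code from either poster: it parses Common Log Format lines, flags such proxy-style requests (and CONNECT tunnel requests), and summarises them per source address together with the status codes the server returned. The sample log embedded in it is constructed from the four quoted lines plus one ordinary local request (a made-up entry from 192.0.2.10); the <TT>local_hosts</TT> parameter, listing the names the server legitimately answers for, is an assumption of the example.</P>

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample: the four lines quoted in Ben's message (unwrapped), plus
# one ordinary local request that is made up for contrast (192.0.2.10 is a
# documentation address).
SAMPLE_LOG = """\
65.34.103.143 - - [30/Jul/2001:01:18:11 -1000] "GET http://www.s3.com/ HTTP/1.1" 404 301
61.144.144.190 - - [19/Jul/2001:00:37:47 -1000] "GET http://www.yahoo.com/ HTTP/1.1" 404 304
61.144.141.144 - - [20/Jul/2001:23:50:25 -1000] "GET http://www.yahoo.com/ HTTP/1.1" 404 304
128.132.37.68 - - [07/Jul/2001:06:42:54 -1000] "GET http://www.mpogd.com/gotm/ HTTP/1.1" 404 309
192.0.2.10 - - [30/Jul/2001:08:00:00 -1000] "GET /index.html HTTP/1.0" 200 1532
"""

# Apache Common Log Format: host ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = None if entry["size"] == "-" else int(entry["size"])
    return entry


def is_proxy_request(target, local_hosts):
    """True when the request target is an absolute URL naming a host we do not
    serve ourselves. Origin-form targets such as /index.html are normal."""
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:
        return False
    return parts.hostname not in local_hosts


def find_proxy_requests(log_text, local_hosts=frozenset()):
    """Return parsed entries whose request line asks this server to reach
    another site: an absolute-URL target, or a CONNECT tunnel request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue  # unparseable line; a real tool would count these
        if entry["method"].upper() == "CONNECT" or is_proxy_request(entry["target"], local_hosts):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Per source IP (in first-seen order): number of proxy-style requests,
    the destination hosts asked for, and the set of status codes returned."""
    summary = OrderedDict()
    for entry in hits:
        src = summary.setdefault(entry["host"], {"count": 0, "destinations": set(), "statuses": set()})
        src["count"] += 1
        dest = urlsplit(entry["target"]).hostname or entry["target"]
        src["destinations"].add(dest)
        src["statuses"].add(entry["status"])
    return summary


if __name__ == "__main__":
    for src, info in summarize_by_source(find_proxy_requests(SAMPLE_LOG)).items():
        print("%-16s %d request(s) to %s, status %s" % (
            src, info["count"], sorted(info["destinations"]), sorted(info["statuses"])))
```

<P>Run against a real access log, the per-source counts show which addresses are probing repeatedly, and the status set shows how the server answered. A 404 on every such request, as in the quoted lines, means the server returned its own Not Found page; the lines worth worrying about would be ones with a 2xx status and a body size that matches the remote site rather than one of the server's own pages.</P>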
<BLOCKQUOTE>
<DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> beesond001@hawaii.rr.com
[mailto:beesond001@hawaii.rr.com]<BR><B>Sent:</B> Monday, July 30, 2001 9:18
PM<BR><B>To:</B> Linux & Unix Advocates & Users<BR><B>Subject:</B>
[luau] Help with log analysis please<BR><BR></FONT></DIV>
<P>To all, </P>
<P>As I was going through some of my logs today I noticed something curious
and as I began digging deeper, I began to get that sinking feeling. Now, I am
no expert, and I would sure appreciate it if you guys could help me decipher
this and tell me if my hunch is correct. My hunch is that the following IP
addresses have borrowed my computer to try and visit a few web sites with...
My other hunch is that I should have caught it sooner, but that is a different
story...</P>
<PRE>65.34.103.143 - - [30/Jul/2001:01:18:11 -1000] "GET http://www.s3.com/ HTTP/1.1" 404 301
61.144.144.190 - - [19/Jul/2001:00:37:47 -1000] "GET http://www.yahoo.com/ HTTP/1.1" 404 304
61.144.141.144 - - [20/Jul/2001:23:50:25 -1000] "GET http://www.yahoo.com/ HTTP/1.1" 404 304
128.132.37.68 - - [07/Jul/2001:06:42:54 -1000] "GET http://www.mpogd.com/gotm/ HTTP/1.1" 404 309</PRE>
<P>Now just for grins I ran "last" and no one here was logged in at these
times. </P>
<P>Now, I have also noticed a bunch of chicanery in my logs this month, and it
appears that my firewall has stopped all the stuff I see in /var/log/messages.
This stuff showed up elsewhere and now I am beginning to feel that something a
little more is up. </P>
<P>What I would like is if someone could provide me some tips for figuring out
how these log entries appeared and what I should do to plug those holes. I
will be willing to share log files etc, but I don't wish to post them to the
list a) in their present form, and also b) to save a little space on the
server. </P>
<P><BR><BR></P>
<P>Thanks in advance,</P>
<P>Ben </P></BLOCKQUOTE></BODY></HTML>