<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Help with log analysis please</TITLE>
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Linux)">
<META NAME="CREATED" CONTENT="20010730;18142200">
<META NAME="CHANGEDBY" CONTENT="Ben Beeson">
<META NAME="CHANGED" CONTENT="20010730;19174100">
</HEAD>
<BODY>
<P>To all,
</P>
<P> As I was going through some of my logs today I noticed something
curious and as I began digging deeper, I began to get that sinking
feeling. Now, I am no expert, and I would sure appreciate it if you
guys could help me decipher this and tell me if my hunch is correct.
My hunch is that the following IP addresses have borrowed my computer
to try and visit a few web sites with... My other hunch is that I
should have caught it sooner, but that is a different story...</P>
<P>65.34.103.143 - - [30/Jul/2001:01:18:11 -1000] "GET
http://www.s3.com/ HTTP/1.1" 404 301</P>
<P>61.144.144.190 - - [19/Jul/2001:00:37:47 -1000] "GET
http://www.yahoo.com/ HTTP/1.1" 404 304</P>
<P>61.144.141.144 - - [20/Jul/2001:23:50:25 -1000] "GET
http://www.yahoo.com/ HTTP/1.1" 404 304
</P>
<P>128.132.37.68 - - [07/Jul/2001:06:42:54 -1000] "GET
http://www.mpogd.com/gotm/ HTTP/1.1" 404 309</P>
<P> Now just for grins I ran "last" and no one here was
logged in at these times.
</P>
<P> Now, I have also noticed a bunch of chicanery in my logs this
month, and it appears that my firewall has stopped all the stuff I see
in /var/log/messages. This stuff showed up elsewhere and now I am
beginning to feel that something a little more is up.
</P>
<P> What I would like is if someone could provide me some tips for
figuring out how these log entries appeared and what I should do to
plug those holes. I will be willing to share log files etc, but I
don't wish to post them to the list a) in their present form, and also
b) to save a little space on the server.
</P>
<P><BR><BR>
</P>
<P>Thanks in advance,</P>
<P>Ben
</P>
</BODY>
</HTML>