suspicious var/log entry - Security



Thread: suspicious var/log entry

  1. suspicious var/log entry

    Aug 26 04:10:46 localhost syslogd 1.4.1: restart.

    Why was the log restarted? I was sound asleep, so it wasn't me.

    Pointers/ideas/education appreciated.
    --
    % Randy Yates % "So now it's getting late,
    %% Fuquay-Varina, NC % and those who hesitate
    %%% 919-577-9882 % got no one..."
    %%%% % 'Waterfall', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr

  2. Re: suspicious var/log entry

    Randy Yates wrote:
    > Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
    >
    > Why was the log restarted? I was sound asleep, so it wasn't me.
    >
    > Pointers/ideas/education appreciated.


    Probably because the log was rotated.
    Ever notice those .1 .2 .3 .4 endings? It's gotta happen sometime.

  3. Re: suspicious var/log entry

    In article ,
    Randy Yates writes:
    >Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
    >
    >Why was the log restarted? I was sound asleep, so it wasn't me.
    >
    >Pointers/ideas/education appreciated.


    man logrotate
    man cron

    --
    These are my opinions, not necessarily my employer's. I hate spam.


  4. Re: suspicious var/log entry

    On Aug 26, 8:25 am, Randy Yates wrote:
    > Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
    >
    > Why was the log restarted? I was sound asleep, so it wasn't me.
    >
    > Pointers/ideas/education appreciated.
    > --
    > % Randy Yates % "So now it's getting late,
    > %% Fuquay-Varina, NC % and those who hesitate
    > %%% 919-577-9882 % got no one..."
    > %%%% % 'Waterfall', *Face The Music*, ELO
    > http://home.earthlink.net/~yatescr


    Syslog Daemon was restarted... maybe ``kill -HUP $(pidof syslogd)''...
    Your system of some intruder(???) did this for you...


  5. Re: suspicious var/log entry

    pedro.forum@gmail.com wrote:

    > Syslog Daemon was restarted... maybe ``kill -HUP $(pidof syslogd)''...
    > Your system of some intruder(???) did this for you...


    I wouldn't be too quick to suspect an intruder in this case. Syslog
    rotation is standard practice and is configured with pretty much every
    current Linux distribution by default. Very likely "normal system
    self-maintenance" caused syslogd to close and re-open its log files
    after the files were rotated.

    Randy, "professional paranoia" is healthy for a sysadmin, but you need
    to understand what you should be paranoid about and *why*. If you don't
    understand, and are truly concerned for your system and what happens to
    it while you're sleeping (or otherwise "away"), remove it from the
    network at those times (assuming you're satisfied with the physical
    security surrounding it; otherwise you'll need to consider that as
    well).

    The first step is getting a handle on what is "normal" behaviour for your
    system. You won't be able to get that if you're busy worrying that it
    has been compromised, so start from a clean configuration on an isolated
    system, and work from there. Understand how to control (and monitor)
    access to your system (both physical and logical), and *then* connect it
    to a network. You'll know how to figure out what caused certain
    behaviour.

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  6. Re: suspicious var/log entry

    On Sun, 26 Aug 2007 07:25:24 -0400, Randy Yates wrote:

    > Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
    >
    > Why was the log restarted? I was sound asleep, so it wasn't me.
    >
    > Pointers/ideas/education appreciated.

    cron runs daily at 04:02 AM by default. The script
    /etc/cron.daily/logrotate is the responsible party.
    After certain logfiles are rotated, i.e. messages,
    restarts
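A triage check for the explanation given in posts 5 and 6, written as an added example (it is not code from anyone in the thread): it parses constructed /var/log/messages and /var/log/cron lines, assumes the year 2007 and a Red Hat-style `run-parts(/etc/cron.daily)` cron log format, and labels each `syslogd ... restart.` entry as an expected rotation only when a logrotate run started within the 15 minutes before it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread), assumed year 2007.
# The 04:10:46 restart matches the original post; the 13:37:02 one is invented
# to show a restart that no rotation accounts for.
CRON_LOG = """\
Aug 26 04:02:01 localhost crond[812]: (root) CMD (run-parts /etc/cron.daily)
Aug 26 04:10:44 localhost run-parts(/etc/cron.daily)[1201]: starting logrotate
Aug 26 04:10:47 localhost run-parts(/etc/cron.daily)[1201]: finished logrotate
"""
MESSAGES_LOG = """\
Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
Aug 26 09:15:00 localhost sshd[2231]: Accepted publickey for randy from 10.0.0.5
Aug 26 13:37:02 localhost syslogd 1.4.1: restart.
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host message" (the stamp has no year).
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(text, year):
    """Yield (timestamp, host, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
        yield stamp, m.group(2), m.group(3)


def classify_restarts(messages, cron_log, year=2007, window=timedelta(minutes=15)):
    """Label each 'syslogd ... restart.' entry 'rotation' when a cron.daily
    logrotate run (assumed run-parts log format) started within `window`
    before it, else 'unexplained' so it can be looked into."""
    rotations = [t for t, _h, msg in parse(cron_log, year)
                 if msg.startswith("run-parts(/etc/cron.daily)")
                 and msg.endswith("starting logrotate")]
    verdicts = []
    for t, _h, msg in parse(messages, year):
        if not (msg.startswith("syslogd") and msg.rstrip(".").endswith("restart")):
            continue
        explained = any(timedelta(0) <= (t - r) <= window for r in rotations)
        verdicts.append((t.strftime("%b %d %H:%M:%S"),
                         "rotation" if explained else "unexplained"))
    return verdicts


if __name__ == "__main__":
    for stamp, verdict in classify_restarts(MESSAGES_LOG, CRON_LOG):
        print(stamp, verdict)
```

On a real box the same check is a matter of feeding the actual /var/log/messages and /var/log/cron contents in; any restart that comes back "unexplained" is the one worth a closer look.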

  7. Re: suspicious var/log entry

    john mckenna writes:

    > On Sun, 26 Aug 2007 07:25:24 -0400, Randy Yates wrote:
    >
    >> Aug 26 04:10:46 localhost syslogd 1.4.1: restart.
    >>
    >> Why was the log restarted? I was sound asleep, so it wasn't me.
    >>
    >> Pointers/ideas/education appreciated.
    >
    > cron runs daily at 04:02 AM by default. The script
    > /etc/cron.daily/logrotate is the responsible party.
    > After certain logfiles are rotated, i.e. messages,
    > restarts


    Thanks John. That simple response explains everything.
    --
    % Randy Yates % "I met someone who looks a lot like you,
    %% Fuquay-Varina, NC % she does the things you do,
    %%% 919-577-9882 % but she is an IBM."
    %%%% % 'Yours Truly, 2095', *Time*, ELO
    http://home.earthlink.net/~yatescr

  8. Re: suspicious var/log entry

    On Aug 28, 1:06 am, Sylvain Robitaille wrote:
    > pedro.fo...@gmail.com wrote:
    > > Syslog Daemon was restarted... maybe ``kill -HUP $(pidof syslogd)''...
    > > Your system of some intruder(???) did this for you...

    >
    > I wouldn't be too quick to suspect an intruder in this case. Syslog
    > rotation is standard practice and is configured with pretty much every
    > current Linux distribution by default. Very likely "normal system
    > self-maintenance" caused syslogd to close and re-open its log files
    > after the files were rotated.


    I misspelled... The correct version was "Your system OR some intruder"... R and
    F are too close on the keyboard.
    And the intruder was just a joke...

