Help with tracking down intrusion record logs - VMS


  1. Help with tracking down intrusion record logs

    A few hours ago I noticed my VMS console going crazy with intrusion
    messages. Someone was trying to breakin via FTP. The console messages
    of course had the date/time, program (FTP), username ("administrato"),
    and the remote host. When I did a "show intru" it showed some 6400
    attempts.

    I did a whois on the remote host and found it's a Dallas-based
    internet hosting service using Linux servers. I sent an e-mail to the
    network admin about the problem and received a request for logs so
    they could take action.

    The problem is that the breakin attempts do not show up in
    operator.log and now that it's several hours later I can't even do a
    "show intrusion". Where are these logs kept?

    Thanks,
    Bill


  2. Re: Help with tracking down intrusion record logs

    In article <1187767904.199876.204390@l22g2000prc.googlegroups.com>, mcbill20@yahoo.com writes:
    >A few hours ago I noticed my VMS console going crazy with intrusion
    >messages. Someone was trying to breakin via FTP. The console messages
    >of course had the date/time, program (FTP), username ("administrato"),
    >and the remote host. When I did a "show intru" it showed some 6400
    >attempts.
    >
    >I did a whois on the remote host and found it's a Dallas-based
    >internet hosting service using Linux servers. I sent an e-mail to the
    >network admin about the problem and received a request for logs so
    >they could take action.
    >
    >The problem is that the breakin attempts do not show up in
    >operator.log and now that it's several hours later I can't even do a
    >"show intrusion". Where are these logs kept?


    In the security audit journal. See ANALYZE/AUDIT.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie
    Postfach 1169
    D-79011 Freiburg, Germany
    Phone: +49-761-5108-464  Fax: -452
    Internet: gartmann@immunbio dot mpg dot de
    http://www.immunbio.mpg.de/home/menue.html

  3. Re: Help with tracking down intrusion record logs

    In article , gartmann@nonsense.immunbio.mpg.de (Christoph Gartmann) writes:
    > In article <1187767904.199876.204390@l22g2000prc.googlegroups.com>, mcbill20@yahoo.com writes:
    >>A few hours ago I noticed my VMS console going crazy with intrusion
    >>messages. Someone was trying to breakin via FTP. The console messages
    >>of course had the date/time, program (FTP), username ("administrato"),
    >>and the remote host. When I did a "show intru" it showed some 6400
    >>attempts.
    >>
    >>I did a whois on the remote host and found it's a Dallas-based
    >>internet hosting service using Linux servers. I sent an e-mail to the
    >>network admin about the problem and received a request for logs so
    >>they could take action.
    >>
    >>The problem is that the breakin attempts do not show up in
    >>operator.log and now that it's several hours later I can't even do a
    >>"show intrusion". Where are these logs kept?

    >
    > In the security audit journal. See ANALYZE/AUDIT.


    After ensuring you have auditing of breakin attempts enabled.
    See SHOW AUDIT.

  4. Re: Help with tracking down intrusion record logs

    In article <1187767904.199876.204390@l22g2000prc.googlegroups.com>, mcbill20@yahoo.com writes:
    > A few hours ago I noticed my VMS console going crazy with intrusion
    > messages. Someone was trying to breakin via FTP. The console messages
    > of course had the date/time, program (FTP), username ("administrato"),
    > and the remote host. When I did a "show intru" it showed some 6400
    > attempts.
    >
    > I did a whois on the remote host and found it's a Dallas-based
    > internet hosting service using Linux servers. I sent an e-mail to the
    > network admin about the problem and received a request for logs so
    > they could take action.
    >
    > The problem is that the breakin attempts do not show up in
    > operator.log and now that it's several hours later I can't even do a
    > "show intrusion". Where are these logs kept?
    >
    > Thanks,
    > Bill


    Any operator messages from these events should be in operator.log .
    All security events are logged to the audit log, wherever you put
    that. Look at your system startup scripts to determine where you
    put the audit log, or the help files to find where it goes by
    default.


  5. Re: Help with tracking down intrusion record logs

    mcbill20@yahoo.com wrote:
    >
    > A few hours ago I noticed my VMS console going crazy with intrusion
    > messages. Someone was trying to breakin via FTP. The console messages
    > of course had the date/time, program (FTP), username ("administrato"),
    > and the remote host. When I did a "show intru" it showed some 6400
    > attempts.
    >
    > I did a whois on the remote host and found it's a Dallas-based
    > internet hosting service using Linux servers. I sent an e-mail to the
    > network admin about the problem and received a request for logs so
    > they could take action.
    >
    > The problem is that the breakin attempts do not show up in
    > operator.log and now that it's several hours later I can't even do a
    > "show intrusion". Where are these logs kept?


    When you see these, SHOW INTRUSION/OUTPUT=filespec can help.

    --
    David J Dachtera
    dba DJE Systems
    http://www.djesys.com/

    Unofficial OpenVMS Marketing Home Page
    http://www.djesys.com/vms/market/

    Unofficial Affordable OpenVMS Home Page:
    http://www.djesys.com/vms/soho/

    Unofficial OpenVMS-IA32 Home Page:
    http://www.djesys.com/vms/ia32/

    Unofficial OpenVMS Hobbyist Support Page:
    http://www.djesys.com/vms/support/
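
The commands named in the replies above (SHOW AUDIT, ANALYZE/AUDIT, SHOW INTRUSION/OUTPUT), put together as an added example that is not part of any post in this thread. It assumes a suitably privileged account and the audit journal in its default location, SYS$MANAGER:SECURITY.AUDIT$JOURNAL; the time window (YESTERDAY) and the output file names are placeholders chosen for illustration.

```dcl
$! Added example, not from the thread. File names and the /SINCE value
$! are placeholders; the journal path assumes the default location.
$!
$! 1. Check which security events are audited and where the journal is.
$!    BREAKIN must appear among the enabled audit events.
$ SHOW AUDIT
$ SHOW AUDIT/JOURNAL
$!
$! 2. If break-in attempts are not being audited, enable them so that
$!    future attempts are recorded (this does not recover past events).
$ SET AUDIT/AUDIT/ALARM/ENABLE=BREAKIN=ALL
$!
$! 3. Extract the full break-in records for the period of interest into
$!    a listing file that can be sent to the remote network's admin.
$ ANALYZE/AUDIT/EVENT_TYPE=BREAKIN/SINCE=YESTERDAY/FULL -
        /OUTPUT=BREAKIN_REPORT.LIS -
        SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! 4. Get a per-event count for the same period as a quick cross-check
$!    against the number of attempts seen on the console.
$ ANALYZE/AUDIT/EVENT_TYPE=BREAKIN/SINCE=YESTERDAY/SUMMARY=COUNT -
        SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! 5. While an attack is still in progress, save the intrusion database
$!    contents to a file; its entries expire, which is why a later
$!    SHOW INTRUSION can come back empty.
$ SHOW INTRUSION/OUTPUT=INTRUSION_SNAPSHOT.LIS
```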
