Ubuntu Security :: Strange Named Entries In Syslog
Mar 30, 2011
I was just looking around and did a tail on my syslog and some strange entries came up:
[Code].....
I'm a Verizon customer in Maryland, USA running Linux at my home and I don't understand why named is looking at servers in France and Saudi Arabia. Am I just being paranoid?
May 23, 2011
CentOS 5.6 server patched to latest, multiple name-based Apache virtual hosts. SELinux OFF. Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch:
Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...
The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.
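An added example, not code from the original post, for checking the poster's suspicion that the probes are "not in any log": logwatch's "Requests with error response codes" section is produced from the Apache access log, so these 404s have to be sitting in whichever access log the matching virtual host writes to (with several name-based vhosts and per-vhost CustomLog directives, that is often not the default /var/log/httpd/access_log). The script below assumes the Apache "combined" log format; the SAMPLE lines are constructed. It extracts requests that end in /scripts/setup.php, the signature of the phpMyAdmin setup-script scanners in the report above, groups them by client address, and reproduces the per-path count logwatch prints.

```python
"""Pull phpMyAdmin setup.php probes out of Apache access-log lines.

Added example; not code from the original post. Assumes the Apache
"combined" log format. The SAMPLE lines below are constructed.
"""
import re
import sys
from collections import Counter, defaultdict

# One combined-format access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature of the phpMyAdmin setup-script scanner: any prefix, then /scripts/setup.php
PROBE_RE = re.compile(r'/scripts/setup\.php$', re.IGNORECASE)

# Constructed sample input (not real log data).
SAMPLE = """\
203.0.113.7 - - [22/May/2011:03:14:07 +0100] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 286 "-" "scanner"
203.0.113.7 - - [22/May/2011:03:14:07 +0100] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 286 "-" "scanner"
203.0.113.7 - - [22/May/2011:03:14:08 +0100] "GET /db/scripts/setup.php HTTP/1.1" 404 286 "-" "scanner"
198.51.100.4 - - [22/May/2011:09:01:55 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probes_by_source(lines):
    """Map client IP -> list of probed paths, whatever status code was returned."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def error_summary(lines, status="404"):
    """logwatch-style count of requests per probed path that got the given status."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == status and PROBE_RE.search(rec["path"]):
            counts[rec["path"]] += 1
    return counts


if __name__ == "__main__":
    # Stand-alone: use the constructed sample; piped: read a real access log from stdin.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for ip, paths in probes_by_source(lines).items():
        print(ip, len(paths), "probes")
    for path, n in error_summary(lines).items():
        print(f"{path}: {n} Time(s)")
```

Run it against every access log the vhosts write to (for example `cat /var/log/httpd/*access_log | python3 probes.py`); if a source shows up here but not in the error log, nothing is being lost, the 404s simply never go to error_log at the default LogLevel for every configuration.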
Mar 1, 2010
OS CentOS 5.4. I have a DNS server that is logging all named and DNS requests to the chrooted named directory. By default named logs to /var/log/messages but I want to isolate all the DNS queries and requests to separate files. I know I can add entries to /etc/syslog.conf to "roll" the logs and logrotate should pick them up, but I'm fuzzy as to the syntax. I don't know what "tag" to use in the first field. For example:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
Here is the logging section of my named.conf
# pwd
# /var/named/chroot/etc
logging
{
[code]....
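An added configuration example, not the poster's named.conf: the "tag" in the first field of syslog.conf is facility.priority, so the cleanest split is to give named its own syslog facility and to keep the high-volume query log out of syslog altogether. This assumes BIND 9 in the RHEL/CentOS chroot at /var/named/chroot, and picks local6 arbitrarily; "file" paths in a chrooted named are relative to the chroot, so the directory below must exist as /var/named/chroot/var/log/named and be writable by the named user.

```conf
# ---- /var/named/chroot/etc/named.conf (logging-related parts) ----
options {
    # ... existing options ...
    querylog yes;        # emit one line per query into the "queries" category
};

logging {
    # Queries: high volume, keep them in their own file. BIND rotates this
    # file itself (5 generations of 20 MB), so logrotate must not touch it.
    channel query_log {
        file "/var/log/named/queries.log" versions 5 size 20m;   # relative to the chroot
        severity info;
        print-time yes;
        print-category yes;
    };

    # Everything else: hand to syslog with facility local6, so syslog.conf can
    # route it by that facility instead of by program name.
    channel named_syslog {
        syslog local6;
        severity info;
        print-category yes;
        print-severity yes;
    };

    category queries      { query_log; };
    category default      { named_syslog; };
    category security     { named_syslog; };
    category lame-servers { null; };          # pure noise on a resolver
};

# ---- /etc/syslog.conf ----
# First field is facility.priority. Catch local6 in its own file and exclude
# it from /var/log/messages so nothing is logged twice.
local6.*                                              /var/log/named.log
*.info;mail.none;authpriv.none;cron.none;local6.none  /var/log/messages

# ---- /etc/logrotate.d/named-syslog ----
# Rotate the syslog-fed file; syslogd has to reopen it after rotation.
/var/log/named.log {
    weekly
    rotate 8
    compress
    missingok
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```

After editing, `service syslog restart` then `service named restart`, and confirm with `dig @127.0.0.1 example.com` that a line lands in the chroot's queries.log while start-up messages land in /var/log/named.log. Query logging can also be toggled at run time with `rndc querylog`.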
Jan 7, 2011
My syslog is showing a lot of entries like the following: Quote:
[Code]....
I think I have messed up my media setup:
[Code]....
Apr 19, 2010
I use named as a local caching nameserver (it has seemed the most stable DNS solution in the past given my ISP's flaky DNS servers) and I've noticed (since using Fedora 12) a number of "broken trust chain" messages from named in /var/log/messages, for example:
Code:
named[986]: broken trust chain resolving 'www.bbc.net.uk/AAAA/IN': 212.58.224.20#53
I haven't made much sense of the things I've found via google, and am not even sure if this is a bad problem or not.
Mar 14, 2009
Mandriva 2009, BIND 9.5.0-P2. Named will start, however I'm getting the above error as well as these:
14-Mar-2009 15:45:37.084 general: error: zone 0.in-addr.arpa/IN: loading from master file /var/lib/named/var/named/reverse/named.zero failed: file not found
14-Mar-2009 15:45:37.084 general: error: zone 0.0.127.in-addr.arpa/IN: loading from master file /var/lib/named/var/named/reverse/named.local failed: file not found
[code].....
Named shows as running but with the errors above I know it's not running correctly. I also copied the above dirs over to /var/lib/named/var/lib/named, which is where I 'believe' it's chrooted, though I could be wrong since I'm unfamiliar with chroot.
Aug 3, 2010
Is there a way to send syslog messages through SNMP? I'm not finding much info online around this. A co-worker said it was easy to do. RHEL5.5
May 12, 2011
Suddenly, I'm getting lots of messages in my CentOS 5.6 secure log:
May 12 13:07:49 CentOS55 webmin[14538]: Successful login as root from 192.168.0.203
May 12 13:10:03 CentOS55 userhelper[14698]: pam_timestamp(system-config-securitylevel:session): updated timestamp file `/var/run/sudo/root/unknown'
[code]....
May 28, 2011
I've lately been getting some strange NFS mount requests for non-existent users' home directories from an F14 machine to my file server (CentOS). The message log on the file server shows the following:
May 23 03:10:53 data mountd[4835]: can't stat exported dir /export/home/httpd: No such file or directory
May 24 03:21:13 data mountd[4835]: can't stat exported dir /export/home/httpd: No such file or directory
May 25 03:26:53 data mountd[4835]: can't stat exported dir /export/home/httpd: No such file or directory
[code]....
Dec 2, 2010
Looking at my router logs I've noticed for the past while a range of source ports from 60000 to about 65000 from my source external IP to destination external IP, always on port 80. I have 3 boxes on this network and this only seems to happen when I connect the one laptop. I even reinstalled the distro downloaded from a trusted source but the router is still logging this. netstat -ntulp shows nothing operating in this range. chkrootkit shows nothing. I was thinking maybe someone was spoofing the external address, but it's been happening on network startup for a month now.
Mar 29, 2010
I got some entries in my auth log that I am puzzled by. What could be the cause? I was not using my machine at the time of the logging.
Code:
Jan 29, 2011
I have my system set up so that the router (dd-wrt) will send its syslog messages to my Linux PC. I am using shorewall as my firewall. I have two questions: How can I configure shorewall to allow the messages from my router? If I use my router's IP address to allow the messages through the firewall, will this be a great security risk, as anything from the internet can come through on that router IP address?
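An added configuration example, not the poster's setup, that answers both questions at once. It assumes the router is 192.168.1.1, the LAN interface is in shorewall's "loc" zone, the PC's LAN address is 192.168.1.2, and the PC runs rsyslog (legacy directive syntax). The key point on the second question: a shorewall rule qualified with loc: only matches packets that arrive on the LAN interface, so a packet from the internet with a forged 192.168.1.1 source lands in the "net" zone and never hits this rule; nothing is opened towards the internet, and only UDP 514 is opened towards the LAN.

```conf
# ---- /etc/shorewall/rules ----
# Accept syslog (UDP 514) only from the router's address, and only when the
# packet arrives through the "loc" (LAN) zone. Spoofed packets from the
# internet arrive on the net interface, are in zone "net", and do not match.
#ACTION    SOURCE              DEST    PROTO   DEST PORT(S)
ACCEPT     loc:192.168.1.1     $FW     udp     514

# ---- /etc/rsyslog.conf ---- (rsyslog 3-7 legacy directives)
# Listen for UDP syslog on the LAN address only, and let rsyslog itself refuse
# senders other than the router as a second layer behind the firewall.
$ModLoad imudp
$UDPServerAddress 192.168.1.2               # assumed LAN address of this PC
$AllowedSender UDP, 127.0.0.1, 192.168.1.1  # must precede $UDPServerRun
$UDPServerRun 514

# Keep the router's messages in their own file instead of /var/log/messages.
:fromhost-ip, isequal, "192.168.1.1"    /var/log/router.log
& ~
```

Apply with `shorewall restart` and `service rsyslog restart`, then check `netstat -nulp | grep 514` shows rsyslogd bound to 192.168.1.2 only. UDP syslog still carries no authentication, so the router's messages can be forged by anything else on the LAN; the allow-list limits who can talk to the socket, not who wrote the datagram.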
Jan 24, 2010
In order to mitigate risks linked to the use of the classic syslog protocol (spoof, replay, tampering, lost messages...) I am looking for a product implementing the syslog-sign capability: [URL] which is still a draft in the IETF for the moment. On NetBSD, the sylog daemon is able to run this feature: [URL]. Did anybody tried this feature on a Linux system?
Mar 30, 2011
Recently I've been finding two strange-looking files on my Windows shared folders! Their names are 'khy' and 'qffhtx.exe', they appear as hidden, and they're hard to delete, especially the first one because it has no extension. I use Ubuntu 10.10, but I am worried because I also dual-boot Windows XP. Today I tried to open the .exe file in Nautilus to see what is inside and I received the message "Unable to open archive"; 'khy' is apparently an empty text file. Then I unmounted my /home partition so my files are out of the way, and I ran the .exe file using WINE.
Now I have a strange-looking applet on my top panel! It says "Script paused", it also says "Exit", and the Wine command prompt says something strange about "LockWindowUpdate". Don't imagine it, I'll post the screenshots so you can see it for yourselves. Also, and this is weird, the virus apparently is trying to call a Windows process named csrcs.exe! Again, I'll post the screenshots.
If this is a virus, then it's like a fish out of the water on my Ubuntu; it's probably trying to do something but it can't find its way around. It's kinda funny, but I'm worried because I also dual-boot Windows XP. I'm having a hard time trying to remember the name KHY, it's a very weird acronym; it's the acronym of a disease, according to what I googled. I'm sure it's a virus! Anyway, it's HARD to remember!
What can I do about this? How can I see the "script"? Can Ubuntu kick its ***? How can I clean my Windows?
Jun 16, 2010
I am looking to build a dedicated syslog-SNMP server with remote web interface and I would appreciate a discussion from our community on recommending the best solutions to deploy. I would like to be able to create an opensource architecture I could easily duplicate for multiple stand-alone customer environments.
Jul 14, 2010
Is it possible to configure the RHEL 5.5 syslog to accept SNMP traps? That is, I want to use a central logging server to pick up other systems' syslogs, and SNMP messages from systems that cannot use remote syslog functions.
Aug 23, 2010
I am searching for how I can configure syslog/rsyslog to receive logs from third-party tools or software. For example, I have a program that generates logs, like when it is started, logs about its services, alerts if there are any alarms, etc. I want to forward these logs using syslog/rsyslog. Is there any way I can achieve that?
Jan 5, 2010
Like many (most?) home users, until now I've had my regular userid in sudoers as "ALL = (ALL) ALL". It occurs to me that, even though my machine has no open ports, this is probably not a good idea - just in case my firewall suddenly burns down. So, if my thinking is right on this, I'm wondering if there is a generally approved list of Cmnd_Alias entries? At this point, I've decided to only add entries as I use them, and to try to honestly appraise my need to do the entry as sudo, vs opening a virtual console as root. My root password is non-trivial.
Nov 9, 2010
I have been getting the following in the samba section of the log watch report for the past few days. But don't know what it means.
[Code]....
and more. What does it mean? Does it mean any attempt to hack or is it some kind of status update? If this is not a threat and can be suppressed, how can I do this?
Apr 1, 2011
I am using CentOS 5.5 and I want to configure DNS, but while configuring bind I am getting the error below:
# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named:
Error in named configuration:
/etc/named.conf:57: open: /etc/named.root.hints: file not found
[FAILED]
Jun 10, 2011
Failed login attempts are logged to syslog with the user id or login id set to UNKNOWN_USER or UNSET. Anybody know if this is configurable? I would rather it just pass the actual id that the user used. It doesn't matter if it exists or not; I just want to know if someone is guessing at user names and what those user names are.
Dec 11, 2010
I am looking for an open source syslog server which accumulates every log from Windows, Solaris, Linux and network devices. Currently I am using syslog-ng, which is not fulfilling my requirement on Windows clients, as I need the logs of every action which the user performed after logon.
Oct 11, 2010
I've noticed on a couple of occasions that e-mail address auto-complete drop down lists have e-mail addresses in that I have never entered (!!) They all seem to be for people with the surname fenton at either gmail or hotmail. Is it likely that I have been hacked?
Jun 29, 2009
I run lastb every now and again to see who is trying to p0wn my box and it dates back to November 08. How do I clear these entries so I can get a more up-to-date view? Or if you know a way I can do a 'more' or something so the IPs are not flying by, that would be cool too!
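An added example, not code from the original post, for the "flying by" half of the question: rather than paging through lastb, summarise it. The script reads lastb's text output (the SAMPLE block is constructed to look like it; real input is `lastb | python3 lastb_summary.py`) and reports the busiest source hosts and the most-guessed user names, which is what you actually want to know about a brute-force campaign.

```python
"""Summarise lastb (failed-login / btmp) output by source host and guessed user.

Added example, not from the original post. SAMPLE is constructed to look like
lastb output; real input comes from piping `lastb` into this script.
"""
import sys
from collections import Counter

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

# Constructed sample of lastb output (not real data).
SAMPLE = """\
root     ssh:notty    203.0.113.9      Mon Jun 29 03:14 - 03:14  (00:00)
admin    ssh:notty    203.0.113.9      Mon Jun 29 03:14 - 03:14  (00:00)
oracle   ssh:notty    198.51.100.23    Sun Jun 28 22:01 - 22:01  (00:00)
root     ssh:notty    203.0.113.9      Sun Jun 28 21:57 - 21:57  (00:00)
root     tty1                          Sat Jun 27 09:30 - 09:30  (00:00)

btmp begins Sat Nov  1 00:00:01 2008
""".splitlines()


def parse_lastb(lines):
    """Yield (user, tty, host) per failed-login record; skip blanks and the footer."""
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] == "btmp":
            continue
        user, tty = fields[0], fields[1]
        # Console logins have no host column; the third field is then the weekday.
        host = "" if fields[2] in WEEKDAYS else fields[2]
        yield user, tty, host


def top_sources(lines, n=10):
    """Most frequent remote source hosts, as (host, count) pairs."""
    counts = Counter(host for _, _, host in parse_lastb(lines) if host)
    return counts.most_common(n)


def top_users(lines, n=10):
    """Most frequently guessed user names, as (user, count) pairs."""
    return Counter(user for user, _, _ in parse_lastb(lines)).most_common(n)


if __name__ == "__main__":
    # Stand-alone: use the constructed sample; piped: read real lastb output.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print("sources:", top_sources(lines))
    print("users:  ", top_users(lines))
```

For the other half, lastb reads the binary file /var/log/btmp, so the history is cleared by truncating it as root (`: > /var/log/btmp`) or, better, by rotating it with logrotate the way Debian-based systems do monthly by default; `lastb -n 50` also limits output to the most recent entries without touching the file.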
May 19, 2011
I would like to ask if it is possible to change the entries of a file's inode table?
For example
Code...
I was wondering if I can change the entries in this inode table.
For example, I want to change the "Modify" entry. I want it to reflect the day 2009-05-19, for example.
Can I do it?
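An added example, not code from the original post, showing both what can be changed and what cannot. The Access and Modify times are ordinary metadata that any owner can set with utime (from the shell, `touch -d "2009-05-19" file` does the same); the Change time (ctime) is set by the kernel whenever the inode is written and has no API to set it, so backdating mtime moves ctime forward to now. That asymmetry is the check a forensic examiner applies: a file whose Modify time precedes its Change time by years has had its timestamps touched. The demo uses a temporary file and the standard library only.

```python
"""Change a file's Modify time, and show which inode timestamp you cannot set.

Added example, not from the original post. Standard library only; works on
any POSIX file system.
"""
import os
import tempfile
import time


def set_modify_time(path, when):
    """Set atime and mtime (stat's Access and Modify) to `when`, seconds since the epoch."""
    os.utime(path, (when, when))


def inode_times(path):
    """The three stat timestamps for path, as floats."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def backdate_demo(date_text="2009-05-19 00:00:00"):
    """Create a temp file, backdate its Modify time, return (before, after, target)."""
    target = time.mktime(time.strptime(date_text, "%Y-%m-%d %H:%M:%S"))
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = inode_times(path)
        set_modify_time(path, target)
        after = inode_times(path)   # ctime is now >= before, never == target
    finally:
        os.unlink(path)
    return before, after, target


def looks_backdated(times, slack_days=1):
    """Heuristic: Modify time earlier than Change time by more than slack_days."""
    return times["ctime"] - times["mtime"] > slack_days * 86400


if __name__ == "__main__":
    before, after, target = backdate_demo()
    fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t))
    for key in ("atime", "mtime", "ctime"):
        print(f"{key}: {fmt(before[key])} -> {fmt(after[key])}")
    print("looks backdated:", looks_backdated(after))
```

Run `stat` on a file after `touch -d` and compare the Modify and Change lines to see the same effect from the shell.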
Feb 16, 2011
My Linux server which is running my company website has been hacked. Today I saw a number of clients (customers) with some funny characters in entries on my database. Access denial for real clients. Please assist; I am running Ubuntu 9 and I don't know where to start troubleshooting this. Let me confess that I am still on the learning curve on Linux.
Feb 25, 2009
How can I track IPsec module's operations? Can I find such a log file or entries in Linux?
May 5, 2009
Trying to replace syslog with syslog-ng. When I run:
yum erase syslog
it wants to remove everything else that (presumably) has syslog as a dependency. How do I replace the dependency on syslog with a dependency on syslog-ng?
Feb 25, 2011
In the following location:/home/"Me"/.mozilla/firefox/kjydlve3.default/FVD Single/,There is a file named "supported_sites.txt", which contains a large portion of pornographic urls, and other stuff I have no interest in. What creates this file, and why does it recreate itself after I delete it? I know I can chmod it, but I am mostly concerned for the cause of its existence. They seem to be almost all video related sites.
Oct 7, 2010
I noticed in my system that my root partition is getting full. I found a lot of old compressed syslog files. I had a look at the /etc/sysconfig editor, e.g. cron, but could not find a setting which allows deleting files older than a month. Where and how could I influence this? I deleted manually all syslog files older than a month, approx. 6 GB.
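An added example, not code from the original post. The setting being looked for lives in logrotate, not cron: `rotate 4` together with `weekly` in /etc/logrotate.conf (or the per-log file under /etc/logrotate.d/) keeps about a month and deletes older generations automatically. For a one-off clean-up, the script below finds rotated generations (names ending in a number, optionally .gz/.bz2/.xz) older than N days and refuses to touch live logs, which is the mistake a bare `find /var/log -mtime +30 -delete` makes. The demo builds a throw-away directory, so it runs without going near /var/log.

```python
"""Find (and optionally delete) rotated syslog files older than N days.

Added example, not from the original post. The demo builds a temporary
directory with fake rotated logs, so it never touches /var/log.
"""
import os
import re
import tempfile
import time

# Rotated names end in a generation number, optionally compressed: syslog.3.gz, messages.2
ROTATED_RE = re.compile(r"\.\d+(\.gz|\.bz2|\.xz)?$")
DAY = 86400


def stale_logs(log_dir, max_age_days, now=None):
    """Rotated log files in log_dir whose Modify time is older than max_age_days.

    Live logs (names without a generation suffix) are never returned, however old.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    found = []
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path) and ROTATED_RE.search(name) and os.stat(path).st_mtime < cutoff:
            found.append(path)
    return sorted(found)


def prune(log_dir, max_age_days, dry_run=True):
    """Delete stale rotated logs; with dry_run=True only report what would go."""
    victims = stale_logs(log_dir, max_age_days)
    if not dry_run:
        for path in victims:
            os.remove(path)
    return victims


def demo(max_age_days=30):
    """Fake /var/log: an old live syslog, a fresh rotation, and two old rotations.

    Returns (names that were stale, names left after pruning).
    """
    log_dir = tempfile.mkdtemp()
    now = time.time()
    ages_in_days = {"syslog": 60, "syslog.1": 3, "syslog.2.gz": 45, "messages.5.gz": 90}
    for name, age in ages_in_days.items():
        path = os.path.join(log_dir, name)
        open(path, "w").close()
        os.utime(path, (now - age * DAY, now - age * DAY))
    stale = [os.path.basename(p) for p in stale_logs(log_dir, max_age_days, now)]
    prune(log_dir, max_age_days, dry_run=False)
    left = sorted(os.listdir(log_dir))
    for name in left:
        os.remove(os.path.join(log_dir, name))
    os.rmdir(log_dir)
    return stale, left


if __name__ == "__main__":
    stale, left = demo()
    print("would delete:", stale)
    print("kept:        ", left)
```

Against the real directory, call `prune("/var/log", 30)` first with the default dry run and inspect the list before repeating with `dry_run=False`; then fix `rotate` in logrotate so the clean-up is not needed again.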