Mailing List Archive


Re: tlug: /var/log/messages



Hello Tony, 

In message <Pine.LNX.4.10.10006301107520.9169-100000@example.com> you write:
> To this layman, it looks like I have been hacked into 
> on a few occasions. I grepped around the log files 
> and found this. 

  I don't exactly see that your machine has been cracked yet. But perhaps
someone is trying to hack.

> My question: if this is an intruder, are there any 
> easy ways to find out what s/he is or has been doing in 
> there? 

  Sometimes the invader leaves his footprints in /root/.bash_history
or other users' .bash_history. That file is written after the bash
session is closed. Even when the invader removes all of /var/log/*,
the .bash_history still remains after s/he logs out.

  But this is only when your default shell is bash. And if the invader
uses his own particular tools to hack (and does not use a shell), it is
a little bit harder to find out what s/he does.

  I also sometimes check /var/log/xferlog, which is the log of
wu-ftpd.

---Hope this helps.

== Money is one of the minimum conditions to do anything, but... =======
  Shin MICHIMUKO <smitimko@example.com> http://www.peanuts.gr.jp/
============================================ Freedom is everything. ====
-----------------------------------------------------------------------
Next Technical Meeting: July 8 (Sat)  13:30  Place: LinuxProbe Hall
Next Nomikai meeting: August 18 (Fri) 19:00  Place: TBD
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan
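
Added example, not part of the original message: a small shell function that walks a passwd-format file and reports the state of each account's .bash_history (line count, empty, missing, or a symlink), together with the login shell, since the history check only applies to bash users. The function names, the optional ROOT prefix and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the state of every
# account's .bash_history so gaps stand out during a review.
# Usage: history_report PASSWD_FILE [ROOT]
#   ROOT is an optional prefix, e.g. the mount point of a disk image (assumption).
history_report() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] && [ -n "$home" ] || continue
        [ -d "$root$home" ] || continue          # no home directory, nothing to check
        hist="$root$home/.bash_history"
        if [ -L "$hist" ]; then
            state="symlink:$(readlink "$hist")"  # history redirected elsewhere
        elif [ ! -e "$hist" ]; then
            state="missing"
        elif [ ! -s "$hist" ]; then
            state="empty"
        else
            state="lines:$(wc -l < "$hist" | tr -d ' ')"
        fi
        # Columns: user, login shell, history state, path checked
        printf '%s\t%s\t%s\t%s\n' "$user" "${shell:-none}" "$state" "$hist"
    done < "$passwd_file"
}

# Constructed sample tree (all names invented) so the function can be tried offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root" "$t/home/alice" "$t/home/bob" "$t/home/carol"
    printf 'ls -la\nps aux\nlast\n' > "$t/root/.bash_history"
    : > "$t/home/alice/.bash_history"
    ln -s /dev/null "$t/home/bob/.bash_history"
    cat > "$t/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/tcsh
nohome:x:1003:1003::/home/nohome:/bin/bash
EOF
    echo "$t"
}

sample=$(make_sample_tree)
history_report "$sample/passwd" "$sample"
rm -rf "$sample"
```

On a live system the call would be `history_report /etc/passwd`, run as root so that every home directory is readable.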

