Re: Something strange in my logs!!!



Hello Nicola,

What's your history file telling you? Do you recognise all the
commands in there as being yours? Any deleted files of interest in the
system? Also try checking network (IDS/FW) logs to and from that
server for the specified period.

This is mostly suitable for the "Forensics" list. Try dropping a line
there as well.

Regards,
ZQ

On 7/20/07, nicola mondinelli <nicola.mondinelli@xxxxxxxxx> wrote:
Situation:
DMZ Linux mail server with qmail. Only this service is accessible from
the net, through a DNAT rule on the firewall.

Yesterday I checked the logs:
all main logs (messages, wtmp, btmp, syslog, secure, etc.) look VERY
strange: from 3 July to 18 July absolutely no record... before and after
they are normal. Even those rotated with logrotate are similar.

The mail logs, saved in a non-standard directory, are all OK, even in the
period described above.

Executing "w" I see that the server has been up for 6 days. When I logged
in through ssh (from the intranet; ssh is not accessible from outside, only
port 25/tcp is open) I read that my last login was on 3 July (and that
could well be correct).

I've downloaded chkrootkit and it says that there is nothing
strange (but we know how much trust we can give to this program).

But where have all the logs of those 15 days gone?
The system was surely up and running, because the mail server processed
mail normally (the mail logs are intact and demonstrate normal
operation during that period). From the gateway I've looked for strange
connections, but none were found.

Using the "last" command I can only see my login, no information about
reboot, boot or system failure. Obviously, before 3 July everything is correct.

Any ideas?
What can I do to discover something more?


Thanks...

Nicola

--
---------------------------------------------------------------------
Κρέων
ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον
ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.
Οιδίπους Τύρρανος [110]
---------------------------------------------------------------------
Creon
In this our land, so said he, those who seek Shall find; unsought, we
lose it utterly.
Oedipus Rex [110]
---------------------------------------------------------------------
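The inconsistency Nicola describes, syslog and wtmp silent for two weeks while the qmail logs show normal traffic and "w" reports an uptime that implies a reboot inside that window, can be found mechanically rather than by eye. The script below is an added example and not code from the thread: it parses classic syslog timestamps (no year, so 2007 is assumed from the post date), finds windows in one log source where consecutive entries are further apart than a threshold, counts entries of a second source inside each window, and checks whether the boot time implied by the reported uptime falls inside a window that has no boot record. All log lines, hostnames, PIDs, the "now" and the uptime are constructed for illustration; the qmail extract is written in syslog format for simplicity.

```python
"""Cross-check two log sources for a silent window in one but not the other.

Added example (not from the thread). Sample lines, timestamps, hostnames and
PIDs are constructed for illustration.
"""
from datetime import datetime, timedelta

YEAR = 2007  # classic syslog stamps carry no year; assumed from the thread's date

# Constructed syslog extract: a daily cron entry and one ssh login, then
# nothing between 3 July and 19 July.
SYSLOG = """\
Jul  1 06:25:01 mx1 CRON[1102]: (root) CMD (run-parts /etc/cron.daily)
Jul  2 06:25:01 mx1 CRON[1388]: (root) CMD (run-parts /etc/cron.daily)
Jul  3 00:12:45 mx1 sshd[2211]: Accepted publickey for nicola from 10.0.0.5 port 52110 ssh2
Jul  3 06:25:01 mx1 CRON[2290]: (root) CMD (run-parts /etc/cron.daily)
Jul 19 08:00:02 mx1 CRON[5310]: (root) CMD (run-parts /etc/cron.daily)
Jul 20 06:25:01 mx1 CRON[5522]: (root) CMD (run-parts /etc/cron.daily)
""".splitlines()

# Constructed mail-log extract (syslog-formatted here) covering the same weeks.
MAILLOG = """\
Jul  1 06:30:11 mx1 qmail: new msg 10432
Jul  5 11:02:40 mx1 qmail: new msg 10978
Jul 10 16:45:09 mx1 qmail: new msg 11411
Jul 15 03:18:52 mx1 qmail: new msg 11890
Jul 19 09:12:30 mx1 qmail: new msg 12204
""".splitlines()

# What "w" reported when the logs were inspected (constructed: 20 July, up 6 days).
NOW = datetime(2007, 7, 20, 10, 0, 0)
UPTIME = timedelta(days=6)


def parse_syslog_time(line, year=YEAR):
    """Turn the leading 'Mon dd HH:MM:SS' of a syslog line into a datetime."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_gaps(lines, threshold):
    """Return (start, end) pairs where consecutive entries are further apart than threshold."""
    times = sorted(parse_syslog_time(l) for l in lines if l.strip())
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > threshold]


def events_between(lines, start, end):
    """Count entries of another log source that fall strictly inside the window."""
    return sum(1 for l in lines if l.strip() and start < parse_syslog_time(l) < end)


def triage(primary, secondary, now, uptime, threshold=timedelta(hours=36)):
    """For each silent window in primary, report corroborating activity in secondary
    and whether the boot implied by uptime falls inside the window without a record.

    The 36-hour default is a constructed choice: a host running cron.daily should
    never be quiet that long, so anything longer deserves a look.
    """
    boot = now - uptime  # "up 6 days" means the kernel booted at this moment
    findings = []
    for start, end in find_gaps(primary, threshold):
        n = events_between(secondary, start, end)
        findings.append({
            "start": start,
            "end": end,
            "secondary_events": n,
            # another source alive while this one is silent: tampering or broken logging
            "suspicious": n > 0,
            # a boot inside a window with no boot record is a second inconsistency
            "boot_unlogged": boot if start < boot < end else None,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SYSLOG, MAILLOG, NOW, UPTIME):
        print(f"silent {f['start']} -> {f['end']}: {f['secondary_events']} mail events, "
              f"suspicious={f['suspicious']}, unlogged boot={f['boot_unlogged']}")
```

On the constructed data this reports a single window from 3 July 06:25 to 19 July 08:00 containing three mail-log events and an unrecorded boot on 14 July. On a real host the same comparison should be run against copies of the logs taken off the box, and the per-source gap list is the starting point for the checks ZQ suggests: which shell-history entries, deleted files and firewall connections fall inside that window.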

