RE: [[cobalt-users] Server Hacked?]



One should review all the logs in /var/log/ periodically to look for
strange and unusual things.
I have my own page that ties several perl scripts together to see the
log output via a web page, but it would be nice to have some type of
interface to the GUI to review the logs.

Use the tail command to quickly view x number of the last entries.

ie: tail -50 secure   [connections & login success/failure etc]
    tail -10 messages [various system messages including named/dns]
    tail -20 maillog  [tracks in & out mail activity]
    tail -10 xferlog  [file transfers, who & what]
    tail -10 /var/log/httpd/error  [cgi & httpd errors for script debugging]

Most of the logs are filled with Cobalt Monitor droppings and connections
from yourself.
To filter these out try this:

[root log]# grep -v 216.xxx.xxx.xxx secure > secure1.txt

Then '$less secure1.txt' to view it or
'$cat secure1.txt | mail you@xxxxxxxxxx' to mail it to yourself.

The second value is whatever you DON'T want to see, the third is the
name of the log/file you want to filter and the last is the new file
that will hold the filtered results.
In this example I filter out my Raq's IP address and cut the file in
half since half the log entries are 15-minute Active Monitor pings.
I'm sure there's a way to put multiple values in the grep expression,
I just haven't looked it up yet.

Does anyone know how to give virtual domains who do have telnet access
the ability to view the main error log on a Raq2?

Tony
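
Several values can be excluded in one pass by repeating grep's -e option. The script below is an added example, not part of the original message; its addresses and log lines are constructed, and it uses -F and -w so that each address is matched literally and whole, which keeps the filter from also hiding a different host such as 192.0.2.100.

```shell
#!/bin/sh
# Added example: drop several known-noisy sources from a log in one pass.
# All addresses and log lines below are constructed sample data.

# filter_log LOGFILE VALUE...
# Prints every line of LOGFILE that contains none of the VALUEs.
#   -v  invert: keep the lines that do NOT match
#   -F  fixed strings, so "." is a literal dot and not "any character"
#   -w  whole words only, so 192.0.2.10 does not also hide 192.0.2.100
#   -e  one per value to exclude
filter_log() {
    log=$1
    shift
    # Nothing to exclude: show the log unchanged.
    [ $# -gt 0 ] || { cat -- "$log"; return; }
    # Rewrite "v1 v2 ..." into "-e v1 -e v2 ..." without losing quoting.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -e "$1"
        shift
        n=$((n - 1))
    done
    # grep exits 1 when every line was filtered out; that is not an error.
    grep -v -w -F "$@" -- "$log" || [ $? -eq 1 ]
}

# Constructed sample in the style of /var/log/secure (not from a real host).
sample_secure_log() {
    cat <<'EOF'
Feb 13 17:00:01 raq in.telnetd[2101]: connect from 192.0.2.10
Feb 13 17:03:44 raq in.ftpd[2117]: connect from 198.51.100.7
Feb 13 17:15:01 raq in.telnetd[2140]: connect from 192.0.2.10
Feb 13 17:16:12 raq in.telnetd[2144]: connect from 192.0.2.100
Feb 13 17:20:09 raq login: FAILED LOGIN 1 FROM 203.0.113.9 FOR root
Feb 13 17:30:01 raq in.telnetd[2163]: connect from 127.0.0.1
EOF
}

# Demo: exclude the server's own address and localhost from the sample.
demo=$(mktemp)
sample_secure_log > "$demo"
filter_log "$demo" 192.0.2.10 127.0.0.1
rm -f "$demo"
```

A plain `grep -v 192.0.2.10` on the same sample would also drop the 192.0.2.100 line, because it matches substrings and treats each dot as a wildcard.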



-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Richard E. Perlotto II
Sent: Sunday, February 13, 2000 5:20 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [[cobalt-users] Server Hacked?]


The last command will not show FTP access to the box, only login access
to include login, telnet, rsh, rlogin (at least on a standard Unix box)


Richard

manitu wrote:
>
> > The 'last' command will tell you all the people that have logged
> > in assuming that they have not hacked your log files.
>
> Does this only show the telnet-logins or all logins (also ftp etc.) ?
>
> Manuel
>