I've been tinkering with that server a little, got the logging working (at
least partially) and have gotten a lot of interesting IP addresses in the
log. I'm tightening it up to stop them from hacking other people's systems
with it, and I don't even begin to know where to look for any software they
may have installed yet (other than their porn web server).
Other than the IP addresses, I found this earlier today after I edited the
hosts.allow and deny files:
Sep 20 11:06:14 HOST2 portmap[25317]: connect from 209.84.178.11 to dump(): request from unauthorized host
What does this dump() mean? Is it doing any damage? Maybe this is
somebody looking for an open port, but I don't know what the dump() is.
I restarted the syslog and they rebooted the machine this morning (it's
1500 miles away...) and the messages file is working but I'm still not
getting any entries in /var/log/secure, it's just a zero-length file. The
syslogd.conf file looks the same as mine so I guess it's ok. Any ideas how
to get secure working?
One interesting note - when I restarted the syslog, the messages file
immediately started growing with data from the last month, like it was
backed up. I've saved that file and have found a few recurring IP
addresses...
;->
Thanks for all your help, I'm on a mission now!
Kerry
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
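The portmap line quoted above is the daemon's built-in tcp_wrappers check refusing a call: dump() is the portmap procedure that lists every registered RPC program (what `rpcinfo -p host` asks for), and "request from unauthorized host" means hosts.allow/hosts.deny blocked it, so the caller got no listing. Since the post is about pulling recurring source addresses out of the log, here is an added example (not from the original post or the Red Hat list) that parses those refusal lines, tallies which procedures each address was refused on, and turns the repeat offenders into hosts.deny rules. The sample log lines are constructed for the example; only the dump() line mirrors the one in the post, and the log format assumed is the one that line shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real log data). Five are portmap
# refusals in the format quoted in the post; the sshd line is there to show
# that unrelated messages are skipped.
SAMPLE_LOG = """\
Sep 20 11:06:14 HOST2 portmap[25317]: connect from 209.84.178.11 to dump(): request from unauthorized host
Sep 20 11:06:15 HOST2 portmap[25317]: connect from 209.84.178.11 to getport(nfs): request from unauthorized host
Sep 20 11:07:02 HOST2 portmap[25317]: connect from 192.0.2.77 to dump(): request from unauthorized host
Sep 20 11:09:30 HOST2 sshd[25400]: Accepted password for kerry from 198.51.100.5 port 40122 ssh2
Sep 20 12:41:08 HOST2 portmap[25317]: connect from 209.84.178.11 to dump(): request from unauthorized host
Sep 20 12:41:09 HOST2 portmap[25317]: connect from 209.84.178.11 to getport(mountd): request from unauthorized host
"""

# Matches "connect from <ip> to <proc>(<arg>): request from unauthorized host"
# as logged by portmap when tcp_wrappers refuses the request. The procedure
# name (dump, getport, set, unset, callit) and its argument are captured.
PORTMAP_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[\d+\]: "
    r"connect from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proc>\w+)\((?P<arg>[^)]*)\): "
    r"request from unauthorized host$"
)


def parse_portmap_denials(log_text):
    """Return one dict (ts, host, src, proc, arg) per refused portmap request."""
    events = []
    for line in log_text.splitlines():
        m = PORTMAP_DENY.match(line)
        if m:
            events.append(m.groupdict())
    return events


def procedures_by_source(events):
    """Map source IP -> Counter of portmap procedures it was refused on.

    A host that only ever asks for dump() is enumerating RPC services; one
    that follows up with getport(nfs) or getport(mountd) is probing for
    something specific to attack.
    """
    by_src = defaultdict(Counter)
    for ev in events:
        by_src[ev["src"]][ev["proc"]] += 1
    return by_src


def repeat_offenders(events, min_hits=2):
    """Source IPs refused at least min_hits times, busiest first."""
    hits = Counter(ev["src"] for ev in events)
    return [ip for ip, n in hits.most_common() if n >= min_hits]


def hosts_deny_lines(ips):
    """tcp_wrappers rules that refuse portmap to each address.

    portmap's access control matches on IP addresses only, so the rules use
    addresses rather than host names.
    """
    return ["portmap: %s" % ip for ip in ips]


if __name__ == "__main__":
    evs = parse_portmap_denials(SAMPLE_LOG)
    for ip, procs in procedures_by_source(evs).items():
        print(ip, dict(procs))
    for rule in hosts_deny_lines(repeat_offenders(evs)):
        print(rule)
```

Run it against /var/log/messages instead of SAMPLE_LOG by reading the file into parse_portmap_denials(); the regex is anchored on the exact refusal text, so any line that does not come from portmap's wrapper check is ignored rather than miscounted.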