First, check the messages files for anything unusual (like times that you did not su to root or to another user). The messages can be found in /var/log/messages. The best way to view them is by using the less command (so that you can go up and down the log at your convenience). E.g.:

    cd /var/log/
    less messages

Use the arrow keys to view the log.

Second, check for times that root was logged into your system. This can be done by issuing the command:

    last root

Third, check to see what commands root has run in the past. This can be done by either viewing the history file or by logging in as root and typing history. To view the history file, log in as root and type:

    less .history

These are ways to see if your system has been compromised. However, if you are new to linux, more than likely you will not be able to see these things or notice any inconsistencies in the logs. To make it a lot easier, I would do as someone else suggested in the end and wipe the system clean and install a fresh new version. Furthermore, to add to their suggestions, I would install a program that helps you track changes in your system such as tripwire (http://www.tripwire.com). So the install should be....

1. Wipe the system clean
2. Re-Install the system with medium firewall chosen.
3. Update the system with all patches. (use rhn to do this)
4. Download and install tripwire.

I don't recall but I am pretty sure that you can also choose to have tripwire installed during step 2. I know that it is an option on later versions of Red Hat.

Jason

On Thu, 2002-05-02 at 14:08, Jianping Zhu wrote:
> Thank you for your email msg.
> I am very new to linux, can you tell me which log files should I check and
> where are the logfiles?
>
> Jianping Zhu
>
>
> On Thu, 2 May 2002, daniel wrote:
>
> > you also might have been hacked
> > and your box might be being used by someone else
> > check for gaps in server logs etc.
> >
> > _________________________________
> > daniel a. g. quinn
> > starving programmer
> >
> > ----- Original Message -----
> > > Yeah, suuuurrrrrrrrrre you didn't do it.
> > >
> > > Just kidding :-)
> > >
> > > I would start by asking to see the evidence. Some people see multiple
> > > ftp failures and think it is an attack.
> > >
> > > Jianping Zhu wrote:
> > > >
> > > > I have a linux machine (with redhat 7.2 os and name is chambleea) running,
> > > > but today the
> > > > university system administrator sent me email in which he told me that
> > > > somebody
> > > > outside the campus complained that my linux machine was trying to attack
> > > > his machine. But I did not do it, and I do not know how to do it.
> > > > Can somebody give me some hints how can I figure out what is going on.
> > > > (My linux box has to be disconnected from the network now!!!)
> > > > I am new to linux and I am totally lost!!!
> > > >
> > > > Thank you very much!!!
> > > >
> > > > _______________________________________________
> > > > Redhat-list mailing list
> > > > [EMAIL PROTECTED]
> > > > https://listman.redhat.com/mailman/listinfo/redhat-list
> > >
> > > --
> > > robert canary
> > > system services
> > > OhioCounty.Net
> > > [EMAIL PROTECTED]
> > > (270)298-9331 Office
> > > (270)298-7449 Fax
>
> --------------------------------
> Jianping Zhu
> Department of Computer Science
> University of Georgia
> Athens, GA 30602
> Tel 706 5423900
> --------------------------------
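
The first check in the reply above (su events in /var/log/messages you do not recognise) and the "gaps in server logs" check from the quoted message can be scripted. This is an added example, not part of the original thread: the function names, the user jzhu and the sample log lines are constructed, and the pattern assumes su is logged by pam_unix as "session opened for user TARGET by CALLER(uid=N)".

```sh
#!/bin/sh
# Added example. Assumed line shape: "Mon DD HH:MM:SS host tag[pid]: text", with su
# logged by pam_unix as "session opened for user TARGET by CALLER(uid=N)".

# su_sessions FILE -> one line per su session: "Mon DD HH:MM:SS CALLER->TARGET"
su_sessions() {
    awk '/ su(\(pam_unix\))?\[[0-9]+\]: session opened for user / {
        for (i = 1; i <= NF; i++)
            if ($i == "user") { target = $(i + 1); caller = $(i + 3) }
        sub(/\(uid=[0-9]+\)$/, "", caller)        # strip the "(uid=N)" suffix
        if (caller == "") caller = "(unknown)"     # no login name was recorded
        print $1, $2, $3, caller "->" target
    }' "$1"
}

# log_gaps FILE SECONDS -> "GAP after Mon DD HH:MM:SS" for each silence longer than
# SECONDS. Syslog stamps carry no year, so this assumes one non-leap year.
log_gaps() {
    awk -v limit="$2" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
            for (i = 1; i <= n; i++) days[mon[i]] = off[i] }
    $1 in days {
        split($3, t, ":")
        now = (days[$1] + $2 - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (seen && now - prev > limit) print now - prev, "after", stamp
        prev = now; stamp = $1 " " $2 " " $3; seen = 1
    }' "$1"
}

# Constructed sample lines (not from a real host) standing in for /var/log/messages.
sample_messages() {
    cat <<'EOF'
May  1 21:58:10 chambleea su(pam_unix)[1402]: session opened for user root by jzhu(uid=500)
May  1 22:04:31 chambleea su(pam_unix)[1402]: session closed for user root
May  1 22:10:00 chambleea sshd(pam_unix)[1390]: session closed for user jzhu
May  2 03:40:12 chambleea su(pam_unix)[2231]: session opened for user root by nobody(uid=99)
May  2 03:41:55 chambleea ftpd[2240]: FTP session closed
EOF
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
sample_messages > "$sample"
su_sessions "$sample"      # su events to compare against what you remember doing
log_gaps "$sample" 3600    # silences of more than an hour
```

On a real system, pass /var/log/messages (and any rotated copies) instead of the sample file. A gap is only a lead to follow up: a quiet or powered-off machine produces the same silence as deleted log lines.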