
newbie q: secure log and setuid



I'm new to Linux administration and have some questions about
/var/log/secure.  What process(es) maintain it?  What does it mean for the
client address to be unknown and what is the number in brackets?  Entries
like those below lead me to assume we've been attacked or probed.  What
should I do about it?  I've added some (hopefully) restrictive entries in
hosts.deny; will that help?  We don't run imapd.

Also (get set for a really dumb q), following the CERT checklist looking
for signs of an intruder, I found all setuid root files (the syntax I
copied from the CERT page was "find / -user root -perm -4000 -print"); it
was most of the executables on my system including most of the games and
most of the rsh shell.  The "uploads" directory also has a SUID bit set(?).
I should be alarmed, no?  What files _should_ be SUID'd to root?

Thanks in advance!

Aug 30 02:41:32 myhost imapd[29265]: connect from 195.49.33.2
Oct  3 11:10:35 myhost imapd[24673]: connect from 129.49.39.20
Nov 10 00:37:03 myhost imapd[30991]: warning: can't get client address: Connection timed out
Nov 10 00:37:03 myhost imapd[30991]: connect from unknown
Nov 26 09:44:48 myhost imapd[18600]: warning: can't get client address: Connection timed out
Nov 26 09:44:48 myhost imapd[18600]: connect from unknown
Dec  1 23:33:28 myhost imapd[7288]: warning: can't get client address: Connection timed out
Dec  1 23:33:29 myhost imapd[7288]: connect from unknown

-Alan Mead
---
Alan D. Mead  /  Research Scientist  /  adm ipat com
Institute for Personality and Ability Testing
1801 Woodfield Dr  /  Savoy IL 61874 USA
217-352-4739 (v)  /  217-352-9674 (f)
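The two checks the question asks about, worked through as an added example (this is not code from the original post or from any CERT document). It assumes the quoted "connect from" and "can't get client address" lines are written by tcp_wrappers (tcpd / libwrap) in front of the wrapped daemon, so the number in brackets is the PID of that daemon instance and "unknown" means the wrapper could not obtain the peer address before the connection went away. The first part parses the quoted lines and pairs each warning with the "connect from unknown" that shares its PID; the second part reproduces the CERT `find` as a Python walk that stays on one filesystem and compares the result against a saved baseline, which is the question a setuid audit is really asking: what has changed since the system was installed. The sample log text and the demo file tree are constructed here.

```python
import os
import re
import stat
from collections import OrderedDict

# Constructed sample: the lines quoted in the post, each warning rejoined
# onto a single syslog line (the e-mail wrapped them).
SAMPLE_LOG = """\
Aug 30 02:41:32 myhost imapd[29265]: connect from 195.49.33.2
Oct  3 11:10:35 myhost imapd[24673]: connect from 129.49.39.20
Nov 10 00:37:03 myhost imapd[30991]: warning: can't get client address: Connection timed out
Nov 10 00:37:03 myhost imapd[30991]: connect from unknown
Nov 26 09:44:48 myhost imapd[18600]: warning: can't get client address: Connection timed out
Nov 26 09:44:48 myhost imapd[18600]: connect from unknown
Dec  1 23:33:28 myhost imapd[7288]: warning: can't get client address: Connection timed out
Dec  1 23:33:29 myhost imapd[7288]: connect from unknown
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (\S+)$")
NOADDR_RE = re.compile(r"^warning: can't get client address: (.*)$")


def parse_secure(text):
    """One dict per well-formed syslog line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def summarize_connections(records):
    """Group tcp_wrappers messages by (program, pid).  Each wrapped daemon
    instance has its own PID, so a warning and a 'connect from' that share
    one describe the same connection attempt."""
    summary = OrderedDict()
    for r in records:
        entry = summary.setdefault((r["prog"], r["pid"]),
                                   {"client": None, "lookup_error": None})
        c = CONNECT_RE.match(r["msg"])
        if c:
            entry["client"] = c.group(1)
        n = NOADDR_RE.match(r["msg"])
        if n:
            entry["lookup_error"] = n.group(1)
    return summary


def unresolved_connections(summary):
    """PIDs whose peer address was never learned: the connection had already
    gone away (here 'Connection timed out') before the wrapper looked at it."""
    return [pid for (_prog, pid), e in summary.items() if e["client"] == "unknown"]


def suid_files(root, owner_uid=0):
    """Equivalent of `find ROOT -xdev -type f -user OWNER -perm -4000`:
    regular files owned by owner_uid with the setuid bit set, without
    crossing into other mounted filesystems."""
    found = []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        kept = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                pass            # unreadable entry: skip it
        dirnames[:] = kept      # prune in place so os.walk does not descend
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_ISUID):
                found.append(path)
    return sorted(found)


def compare_with_baseline(current, baseline):
    """A setuid file that is not in the baseline recorded at install time is
    what the intruder checklist is really asking you to look for."""
    cur, base = set(current), set(baseline)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def make_demo_tree(base):
    """Constructed fixture: two setuid files and one plain file under `base`,
    owned by the current user (only root can create root-owned ones)."""
    os.makedirs(os.path.join(base, "bin"))
    paths = {}
    for rel, mode in (("bin/su", 0o4755), ("bin/ping", 0o4755), ("bin/cat", 0o755)):
        p = os.path.join(base, rel)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
        paths[rel] = p
    return paths


if __name__ == "__main__":
    summary = summarize_connections(parse_secure(SAMPLE_LOG))
    for (prog, pid), e in summary.items():
        print(prog, pid, "client=%s" % e["client"], e["lookup_error"] or "")
    print("unresolved:", unresolved_connections(summary))
    # Real audit (run as root, then keep the output as the next baseline):
    print(compare_with_baseline(suid_files("/usr/bin"), []))
```

Run as root, `suid_files("/")` gives the same list as the CERT `find` line; save it once on a known-good system and feed it back as the `baseline` argument on later runs so that only new or vanished setuid files need attention. On a packaged distribution the other half of the check is the package database (for example `rpm -V` on RPM-based systems), which records the modes the files were installed with.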


