It is abnormal to have the syslogd restart daily, unless your logs rotate on a daily basis. How big are your log files? It's possible that they are too big. If not, then it is odd; I had the syslogd restart once within the first 2 weeks of operation and thought my machine was compromised, though we are behind a firewall. There is software to check if you have been compromised, like tripwire, though I would like to know some more; maybe Snort is a good product to check into this?

Wayne Sagar <[EMAIL PROTECTED]> wrote:

I'm seeing this in my logcheck report, almost daily at about the same time:

syslogd 1.3-3: restart

seems to happen about the time the logs rotate (4:05-4:09)

Started about a month ago... which may coincide with about the time I installed the vixie-cron Update 4.0.1. It also probably coincides with about the time I installed logcheck...

Sound familiar or... is it an indication that someone is restarting that service to cover tracks?

I logged on and watched netstat reports continuously during the last time period and all I noticed was an unusual smtp connection from an IP in the Asian Pacific registry...

Is it possible someone has cracked the box and is running a cron job mailing at that nice ripe hour and then restarting syslogd to cover tracks.. or would this cover tracks??

Also... is the directory usr/man/man8 normal? There's a batch of man dirs in there..

I've got all the updates installed, running portsentry and logcheck, but the box was unprotected for about a month prior to installation of portsentry/logcheck (had updates).

TIA

Wayne Sagar

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
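
One way to check the correlation discussed in the thread above, as an added example that is not part of either message: the script lists every `syslogd ... restart` line and marks whether it falls inside the 4:05-4:09 rotation window mentioned in the thread. The sample log lines, the host name `www` and the function names are constructed for illustration.

```python
import re
from datetime import datetime, time

# Rotation window reported in the thread (4:05-4:09); adjust it to match
# the cron schedule of the host being checked.
ROTATE_START = time(4, 5, 0)
ROTATE_END = time(4, 9, 59)

# Traditional syslog line: "Mon DD HH:MM:SS host syslogd <version>: restart"
RESTART_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ "
    r"syslogd [\w.-]+: restart\b"
)

# Constructed sample input, not taken from any real host.
SAMPLE_LOG = """\
Mar 11 04:06:12 www syslogd 1.3-3: restart.
Mar 11 09:14:03 www sendmail[812]: connect from localhost
Mar 12 04:07:01 www syslogd 1.3-3: restart.
Mar 12 23:41:55 www syslogd 1.3-3: restart.
Mar 13 04:05:00 www syslogd 1.3-3: restart.
"""


def find_restarts(log_text):
    """Return (timestamp, in_window) for every syslogd restart line."""
    results = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only the time of day is compared.
        tod = datetime.strptime(m.group("hms"), "%H:%M:%S").time()
        in_window = ROTATE_START <= tod <= ROTATE_END
        results.append((f"{m.group('day')} {m.group('hms')}", in_window))
    return results


def unexpected_restarts(log_text):
    """Restarts outside the rotation window, which deserve a closer look."""
    return [ts for ts, in_window in find_restarts(log_text) if not in_window]


if __name__ == "__main__":
    for ts, in_window in find_restarts(SAMPLE_LOG):
        print(ts, "rotation window" if in_window else "OUTSIDE rotation window")
```

A restart inside the window only shows that it lines up with the rotation job; what that job actually runs still has to be confirmed from the cron and rotation configuration on the host.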
