Hi Simon,

> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.

Ok, that's a good start. This most likely means that system binaries like
/bin/login, netstat, ifconfig, ps and such have not been modified and there's
no rootkit installed and no hidden processes.

> I ran a netstat on the machine, nothing unusual. I can't run a portscan
> from outside because I only have a Windows machine to connect from and I
> don't know how to do that...yet (I'll try to find something)

You can fire up Google.com and search for "Portscanner for Windows", which
should return quite a few examples.

> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 5 04:04:14 ns1 syslogd 1.3-3: restart.
> Jan 5 04:05:03 ns1 syslogd 1.3-3: restart.
> Jan 5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets

Ok, "syslogd 1.3-3: restart." means just a restart of the logging facility
and not of the entire server. Well, I just restarted the syslogd manually and
then had the following entries in my /var/log/messages:

Jan 7 19:27:50 playground exiting on signal 15
Jan 7 19:27:50 playground syslogd 1.3-3: restart

So the message "syslogd 1.3-3: restart" definitely appears only once when you
issue a restart of it. However, the daily logrotate (splitting and zipping up
the logs) shuts down the syslog facility while it runs, so you'll see it shut
down daily and even a few times in a row at or around 4am. That's nothing to
worry about.

--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
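
Added example, not part of the original message: a small Python triage script for the pattern the reply describes, separating syslogd restarts that fall inside the daily logrotate window from those that do not. The window bounds (04:00 to 04:30) and the function name classify_restarts are assumptions; the sample input is the log lines quoted in the message.

```python
import re
from datetime import time

# Classic syslog line: "Jan 5 04:04:14 host syslogd 1.3-3: restart."
RESTART_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+"
    r"(?P<host>\S+)\s+syslogd\s+\S+:\s+restart\.?\s*$"
)

# Assumption: logrotate runs "at or around 4am" as the reply says; the exact
# bounds are illustrative and should be set from the host's own cron schedule.
WINDOW_START = time(4, 0)
WINDOW_END = time(4, 30)


def classify_restarts(lines, start=WINDOW_START, end=WINDOW_END):
    """Return (expected, unexpected) lists of syslogd restart events.

    Each event is a (month, day, time, host) tuple. A restart counts as
    expected when its timestamp falls inside the logrotate window.
    """
    expected, unexpected = [], []
    for line in lines:
        m = RESTART_RE.match(line.strip())
        if not m:
            continue  # other daemons, or the "exiting on signal" line
        stamp = time(int(m["h"]), int(m["m"]), int(m["s"]))
        event = (m["mon"], int(m["day"]), stamp, m["host"])
        (expected if start <= stamp <= end else unexpected).append(event)
    return expected, unexpected


# Sample input: the log lines quoted in the message above.
SAMPLE = """\
Jan 5 04:04:14 ns1 syslogd 1.3-3: restart.
Jan 5 04:05:03 ns1 syslogd 1.3-3: restart.
Jan 5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets
Jan 7 19:27:50 playground exiting on signal 15
Jan 7 19:27:50 playground syslogd 1.3-3: restart
""".splitlines()

if __name__ == "__main__":
    ok, odd = classify_restarts(SAMPLE)
    print(f"{len(ok)} restart(s) inside the logrotate window")
    for mon, day, stamp, host in odd:
        print(f"review: {host} restarted syslogd at {mon} {day} {stamp}")
```

A restart listed for review is not evidence of compromise by itself; here it is the manual restart from the message, and an administrator would match such entries against known maintenance.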
