"Mike Dickinson" <[EMAIL PROTECTED]> wrote:
> Over the last week, I have been experiencing weird symptoms on my RAQ3i
> in regards to the httpd.conf and log files. First off Cobalt will not
> help me because we have installed a RAQ4 OS on a RAQ3i. (I know that is
> a NO NO.)
>
> What I am seeing happening is that the httpd.conf file is being written
> to by an unauthorized service or individual on a nightly basis.

What are the permissions and ownership on httpd.conf on your box? Is Apache being restarted as well? Does it always occur at the same time? If so, have you checked to see if any cron jobs are running at that time and if logs report any activity then? You may want to install lsof and run it and netstat every minute (or even every second) writing to a text file so you can see what's occurring.

> The a's
> are being changed to d's and the e's are being changed to d's.
> Completely bizarre!

Have you run a rootkit detector like chkrootkit? Do you have a security solution in place, unnecessary services like telnet shut down, latest Cobalt upgrades installed, etc.?

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
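
The periodic lsof/netstat logging suggested in the reply above, as an added example that is not part of the original message. The default paths for CONF, LOG and STATE and the `--watch` argument are assumptions; the checksum comparison is an addition so that the snapshot taken right after a modification is easy to find in the log.

```shell
#!/bin/sh
# Added example: snapshot who has httpd.conf open and what the network looks
# like, and flag the run in which the file's contents changed.
CONF="${CONF:-/etc/httpd/conf/httpd.conf}"   # assumed path; adjust for your box
LOG="${LOG:-/var/log/conf-watch.log}"        # hypothetical log location
STATE="${STATE:-/var/run/conf-watch.sum}"    # checksum seen on the previous run

# Checksum plus size of the watched file (cksum is POSIX, so always present).
conf_sum() { cksum < "$1" | awk '{print $1 "-" $2}'; }

# Append one snapshot to $LOG; returns 0 only if the file changed since last run.
snapshot() {
    now=$(date '+%Y-%m-%d %H:%M:%S')
    new=$(conf_sum "$CONF")
    old=$(cat "$STATE" 2>/dev/null || true)
    status=same
    if [ -n "$old" ] && [ "$old" != "$new" ]; then status=CHANGED; fi
    echo "$new" > "$STATE"
    {
        echo "=== $now $status sum=$new"
        ls -l "$CONF"                        # permissions, ownership, mtime
        # Processes holding the file open right now (skipped if lsof is absent).
        if command -v lsof >/dev/null 2>&1; then lsof "$CONF" 2>/dev/null || true; fi
        # TCP listeners and connections, numeric, with owning process on Linux.
        if command -v netstat >/dev/null 2>&1; then netstat -tanp 2>/dev/null || true; fi
    } >> "$LOG"
    [ "$status" = CHANGED ]
}

# Run as root: sh conf-watch.sh --watch [interval_seconds]
if [ "${1:-}" = "--watch" ]; then
    while :; do snapshot || true; sleep "${2:-60}"; done
fi
```

Searching the log for `CHANGED` gives the interval in which the write happened, which can then be lined up against cron schedules and the Apache and system logs.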
