On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas W?st wrote:
> Hmmm, so what? Are these problems somehow tied together? Furthermore,
> what is the probability that the system has really been cracked, and the
> logcheck message is not a false positive? I wonder, because it's not a
> server machine, it has no services running, except the dhcp client
> listening on a port. Nothing else.

It sounds to me, from the symptoms you described, that /var has somehow been mounted read-only. Check that first.

You don't have much evidence that it's a security issue at this point. Logcheck's "active system attack" messages rarely indicate such a thing. Don't do anything drastic like reinstall the system until you've got better evidence that you've been cracked. In this case, I doubt you have.

noah
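One way to run the read-only check suggested in the reply above, as an added example that is not part of the original message: it reads a mount table in /proc/mounts format (the kernel's own view of mount state) and reports whether the filesystem holding a given path is mounted ro or rw. The function names `mount_state` and `sample_mounts` and the sample table are constructed for illustration.

```sh
#!/bin/sh
# mount_state TABLE PATH
# Prints "<mountpoint> ro" or "<mountpoint> rw" for the filesystem that
# holds PATH. TABLE is a file in /proc/mounts format, or "-" for stdin.
mount_state() {
    table=$1
    path=$2
    awk -v p="$path" '
        {
            mp = $2
            # A mount point covers p if it equals p, is "/", or is a
            # parent directory of p ("/var" must not match "/varnish").
            covers = (mp == p || mp == "/" || index(p, mp "/") == 1)
            # The longest covering mount point wins; on a tie the later
            # line wins, since a later mount shadows an earlier one.
            if (covers && length(mp) >= length(best)) {
                best = mp
                state = "rw"
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++)
                    if (opts[i] == "ro") state = "ro"
            }
        }
        END { if (best != "") print best, state; else exit 1 }
    ' "$table"
}

# Constructed sample table (not taken from the poster's machine).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/hda5 /var ext3 ro,noatime 0 0
/dev/hda6 /varnish ext3 rw 0 0
EOF
}

# Demonstration on the constructed table.
sample_mounts | mount_state - /var/log
```

On a live system the call is `mount_state /proc/mounts /var/log`.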