I think you'll find this is due to log rotation. Does it happen on a regular basis? Redirecting all logging to /dev/null is a very crude attempt at disguising an intrusion. You can tell something is amiss by the fact that the logs are mysteriously not logging (no news is bad news). Most intruders will use a log 'cleaning' script to eradicate all trace of their presence while leaving normal log entries untouched. Rootkits will provide backdoors for the intruder to log in to without an entry in the log.
Kerry.

On Thu, 2001-11-29 at 15:58, Mark Carey wrote:
> Hi,
> I got up this morning and had a quick peruse of /var/log/messages after
> leaving the RH7.2 Box connected to the internet (It has now been connected
> for 32 Hours). I have been doing some reading lately that if somebody
> manages to compromise your box they will redirect logging to /dev/null so
> you won't get any output in the log files. While reading /var/log/messages I
> saw syslogd had been restarted.
>
> Nov 29 04:02:09 Fresian syslogd a.b.c: restart.
>
> Anyway my question to the group is does syslogd in the normal course of
> operation restart?
>
> Thanks
>
> Mark

--
regards,
Kerry.
---------------------------------------------------------------------
Kerry Baker                      Ph:    +64 (4) 470 5843
Consultant                       Fax:   +64 (4) 472 7219
Optimation New Zealand Limited   Mob:   +64 (25) 308 647
1 Grey Street                    Email: [EMAIL PROTECTED]
Level 2, Optimation House        Web:   www.optimation.co.nz
Wellington
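A check a defender could run for the two signals in Kerry's reply (syslogd restarts that do not line up with the nightly log rotation, and a log file that has simply gone quiet), written here as an added shell example that is not part of the original thread. It assumes RH 7.2-style syslog timestamps ("Nov 29 04:02:09 host syslogd ...: restart.") and that the daily rotation cron job fires at 04:02, the minute seen in Mark's log line; the sample log lines, the second hostname and the `x.y.z` version placeholder are constructed.

```shell
#!/bin/sh
# Added example for this thread; not code from either poster.
# Assumptions (not stated in the thread): syslog lines carry a
# "Mon DD HH:MM:SS host" prefix and the daily cron job that rotates logs
# runs at 04:02, so a syslogd restart at that minute is routine while a
# restart at any other time deserves a look.

# Constructed sample log. "x.y.z" stands in for the syslogd version string.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Nov 28 04:02:07 Fresian syslogd x.y.z: restart.
Nov 28 13:10:44 Fresian sshd[512]: Accepted password for mark from 10.0.0.5 port 1034 ssh2
Nov 29 04:02:09 Fresian syslogd x.y.z: restart.
Nov 29 11:15:02 Fresian syslogd x.y.z: restart.
Nov 29 11:15:30 Fresian sshd[777]: Accepted password for root from 10.0.0.9 port 2301 ssh2
EOF

# Print every syslogd restart line in FILE ($1).
syslog_restarts() {
    grep -E '^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ syslogd .*restart\.' "$1"
}

# Print restart lines whose HH:MM differs from the rotation minute
# ($2, default 04:02). Field 3 of a syslog line is the HH:MM:SS timestamp.
list_unexpected_restarts() {
    syslog_restarts "$1" | awk -v want="${2:-04:02}" 'substr($3, 1, 5) != want'
}

# Print the number of restarts outside the rotation minute (0 when none).
count_unexpected_restarts() {
    list_unexpected_restarts "$1" "$2" | awk 'END { print NR }'
}

# Exit 0 if FILE ($1) has not been modified for more than $2 minutes.
# A log that stops changing on a busy box is the "no news is bad news"
# signal from the thread: it may have been pointed at /dev/null or the
# daemon stopped. Uses find -mmin, available in GNU and BSD find.
log_is_stale() {
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# Stand-alone run: report what the checks find in the sample log.
printf 'syslogd restarts:\n'
syslog_restarts "$SAMPLE_LOG"
printf 'restarts outside the 04:02 rotation window:\n'
list_unexpected_restarts "$SAMPLE_LOG"
if log_is_stale "$SAMPLE_LOG" 60; then
    printf 'WARNING: %s has not been written to for over an hour\n' "$SAMPLE_LOG"
fi
```

On a real host, point `syslog_restarts` at /var/log/messages and compare the restart minute against the actual `run-parts /etc/cron.daily` entry in /etc/crontab rather than the assumed 04:02; the staleness threshold depends on how chatty the box normally is.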
