Date: Thu, 18 Oct 2001 14:37:35 +0200
From: Yonatan Bokovza <Yonatan@xpert.com>
To: 'Tomek' <tomek@mpionline.com>, freebsd-questions@FreeBSD.ORG
Subject: RE: I got hacked, I think
Message-ID: <EB513E68D3F5D41191CA000255588101B434DB@mailserv.xpert.com>
<snip>
> ===QUESTIONS===
<snip>
>
> Is it normal for /var/log/security to be empty?

from syslog.conf(5):

# Log all security messages to a separate file.
security.*                                      /var/log/security

If you don't have any "security messages" it can be empty. Mine is.

> Is it normal to have lots of entries in setuid.today (ie: is it caused
> by general server activity)?

That depends on what you define as "general server activity".
After "installworld", for example, you'll see a list of all the changed
suid-files, which is lots.

> Any suggestions of what logs/places I should check next to
> find out WHAT
> has been done to my system and what it was used for? (ie: a connection
> log to see when this hacker was connecting, if it exists).

Most of /var/log.
If you think you've been hacked, see chkrootkit from the ports, or
www.cert.org for "what to do if you've been hacked".
See also last(1), utmp(5) and /var/log/lastlog, and users' ~/.history files.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
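Two of the checks the reply points at, worked through as an added example (this is not code from the original e-mail and not FreeBSD's own /etc/security or periodic scripts): a diff of the setuid listing against the previous day's, which is what makes the setuid.today entries meaningful, and a review of last(1) output for remote logins from hosts you do not expect. The listing format (mode owner group size path), the host allowlist, and every record below are constructed sample data; 203.0.113.7 is a documentation address, not a real attacker. chkrootkit is a separate tool and is not reimplemented here.

```shell
#!/bin/sh
# Added example: post-compromise log review helpers in POSIX sh + awk.
# All data below is constructed; the listing format is a simplified assumption.

# setuid_diff YESTERDAY TODAY
# Reports setuid entries that are new, removed, or whose mode/owner/group/size
# changed between two listings. Keyed on the path (last field), so a listing
# that merely comes out in a different order is not reported as a change.
setuid_diff() {
    awk '
        FILENAME == ARGV[1] { old[$NF] = $0; next }   # first file: yesterday
        {
            new[$NF] = $0
            if (!($NF in old))
                print "NEW      " $0
            else if (old[$NF] != $0)
                print "CHANGED  " old[$NF] " -> " $0
        }
        END {
            for (p in old) if (!(p in new)) print "REMOVED  " old[p]
        }
    ' "$1" "$2"
}

# suspicious_logins LASTFILE ALLOWED_HOST...
# Prints last(1)-style records of remote logins whose source host is not in
# the allowlist. Local tty/console logins carry no host field (column 3 is
# then the weekday), and the reboot/shutdown/"wtmp begins" lines are skipped.
suspicious_logins() {
    file=$1; shift
    awk -v allow=" $* " '
        $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        index(allow, " " $3 " ") == 0 { print }
    ' "$file"
}

# Constructed sample data (simplified "mode owner group size path" listing).
SETUID_YESTERDAY=$(cat <<'EOF'
-r-sr-xr-x root  wheel   24408 /usr/bin/passwd
-r-sr-xr-x root  wheel   20384 /usr/bin/su
-r-sr-xr-x root  wheel   12000 /usr/bin/login
EOF
)
# Today: /usr/bin/login has a different size (binary replaced) and a new
# setuid shell has appeared under /var/tmp.
SETUID_TODAY=$(cat <<'EOF'
-r-sr-xr-x root  wheel   24408 /usr/bin/passwd
-r-sr-xr-x root  wheel   20384 /usr/bin/su
-r-sr-xr-x root  wheel   12345 /usr/bin/login
-rwsr-xr-x root  wheel    9876 /var/tmp/.cache/sh
EOF
)
# Constructed last(1)-style output.
LAST_OUTPUT=$(cat <<'EOF'
tomek    ttyp0    office.example.com Wed Oct 17 09:02 - 17:30  (08:28)
root     ttyp1    203.0.113.7        Wed Oct 17 03:12 - 03:40  (00:28)
root     ttyv0                       Tue Oct 16 22:01 - 22:15  (00:14)
reboot   ~                           Tue Oct 16 21:58
wtmp begins Mon Oct  1 00:00
EOF
)

# Writes the sample data to a temporary directory (standing in for
# /var/log/setuid.yesterday, /var/log/setuid.today and `last` output) and
# runs both checks over it.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SETUID_YESTERDAY" > "$dir/setuid.yesterday"
    printf '%s\n' "$SETUID_TODAY"     > "$dir/setuid.today"
    printf '%s\n' "$LAST_OUTPUT"      > "$dir/last.txt"
    echo "== setuid changes since yesterday =="
    setuid_diff "$dir/setuid.yesterday" "$dir/setuid.today"
    echo "== remote logins from hosts outside the allowlist =="
    suspicious_logins "$dir/last.txt" office.example.com
    rm -rf "$dir"
}
demo
```

On a real host you would point setuid_diff at /var/log/setuid.yesterday and /var/log/setuid.today (which is also what the daily security mail already does) and feed suspicious_logins the output of `last`; remember that both files live on the compromised box, so an intruder with root could have edited them, which is why the reply also lists lastlog, utmp and the users' ~/.history files as independent places to cross-check.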