Date: Sun, 18 Feb 2001 17:52:06 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Brandon Hicks <fbsdsec@killaz-r-us.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Message-ID: <20010218175205.L62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>; from fbsdsec@killaz-r-us.com on Sun, Feb 18, 2001 at 04:29:13PM -0600
References: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>
On Sun, Feb 18, 2001 at 04:29:13PM -0600, Brandon Hicks wrote:
>
> -----Original Message-----
> From: Brandon Hicks <fbsdsec@killaz-r-us.com>
> To: Carroll Kong <damascus@home.com>
> Date: Sunday, February 18, 2001 1:29 PM
> Subject: Re: Remote logging
>
>
> >My FreeBSD box is down, so I can't check this out.... We are moving around
> >some things in the new server room. But I'm about to have 8 FreeBSD boxes
> >up, and plus one here in my office... with no daemon running on it and only
> >to monitor the others. So, I would like this information as well. Can
> >someone see if syslogd says something when killed? If not, can someone
> >write a patch for it, to make it say something like "Syslogd: Killed" at
> >least....

Not much point. You can always send a SIGKILL which cannot be caught by the
process. The attacker would have to cooperate by sending syslogd(8) a SIGTERM
or SIGINT, but why would he do that?

There really is nothing you can do about getting logs from a machine once it
is 0wn3d. Your only hope is that the attack itself will leave some traces
before the attacker has the accesses necessary to disrupt the logging or that
the changes the attacker makes leave some noticeable signature (e.g., lack of
mark messages).
--
Crist J. Clark                                cjclark@alum.mit.edu
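As an added illustration of the last point (this is not code from the thread or from FreeBSD): a small check a central loghost could run over the lines it receives, flagging any host whose "-- MARK --" lines have stopped arriving. The log lines, hostnames and the 20-minute mark interval are constructed; syslogd(8)'s -m option sets the real interval.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what a central loghost might receive from two
# hosts over remote syslog. syslogd(8) emits "-- MARK --" at a fixed
# interval (the -m option, assumed here to be the default 20 minutes);
# a host that goes quiet is the signal we look for.
SAMPLE_LOG = """\
Feb 18 17:00:00 web1 -- MARK --
Feb 18 17:00:00 web2 -- MARK --
Feb 18 17:20:00 web1 -- MARK --
Feb 18 17:20:00 web2 -- MARK --
Feb 18 17:25:12 web2 sshd[812]: Accepted publickey for admin from 10.0.0.5
Feb 18 17:40:00 web1 -- MARK --
Feb 18 18:00:00 web1 -- MARK --
"""

# Classic BSD syslog line: "<Mon DD HH:MM:SS> <host> <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(text, year=2001):
    """Yield (timestamp, host, message) for each well-formed syslog line.

    The BSD format carries no year, so the caller supplies it.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def silent_hosts(text, now, mark_interval_min=20, missed=2):
    """Return hosts whose newest MARK is at least `missed` intervals old.

    A host that has stopped sending marks has lost its network path, lost
    syslogd, or had syslogd killed; all three deserve a look, which is
    the most a remote loghost can offer once the sender is compromised.
    """
    last_mark = {}
    for ts, host, msg in parse(text):
        if msg.strip() == "-- MARK --":
            last_mark[host] = max(ts, last_mark.get(host, ts))
    limit = timedelta(minutes=mark_interval_min * missed)
    return sorted(h for h, ts in last_mark.items() if now - ts >= limit)
```

Run periodically against the loghost's file (or a tail of it) with `now` set to the current time; a host that appears in the result has missed at least two marks.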