From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: Brandon Hicks
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Remote logging
Date: Sun, 18 Feb 2001 17:52:06 -0800
Message-ID: <20010218175205.L62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <008201c099fa$38ab5480$57304c42@main.cox-internet.com>; from fbsdsec@killaz-r-us.com on Sun, Feb 18, 2001 at 04:29:13PM -0600
User-Agent: Mutt/1.2.5i

On Sun, Feb 18, 2001 at 04:29:13PM -0600, Brandon Hicks wrote:
>
> -----Original Message-----
> From: Brandon Hicks
> To: Carroll Kong
> Date: Sunday, February 18, 2001 1:29 PM
> Subject: Re: Remote logging
>
> >My FreeBSD box is down, so I can't check this out.... We are moving around
> >some things in the new server room. But I'm about to have 8 FreeBSD boxes
> >up, plus one here in my office... with no daemon running on it and only
> >to monitor the others. So, I would like this information as well. Can
> >someone see if syslogd says something when killed? If not, can someone
> >write a patch for it, to make it say something like "Syslogd: Killed" at
> >least....

Not much point.
You can always send a SIGKILL, which cannot be caught by the process. The attacker would have to cooperate by sending syslogd(8) a SIGTERM or SIGINT, but why would he do that?

There really is nothing you can do about getting logs from a machine once it is 0wn3d. Your only hope is that the attack itself will leave some traces before the attacker has the access necessary to disrupt the logging, or that the changes the attacker makes leave some noticeable signature (e.g., lack of mark messages).

--
Crist J. Clark
cjclark@alum.mit.edu
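The "lack of mark messages" signature mentioned above can be checked mechanically on the central log host: syslogd emits `-- MARK --` lines at a fixed interval, so a remote host whose marks stop arriving deserves attention. The following is an added example, not code from the thread or from FreeBSD; the host names and log lines are constructed, and the 20-minute interval is syslogd's default mark period (an assumption for any host configured differently).

```python
import re
from datetime import datetime, timedelta

# Constructed sample from a central loghost (hypothetical hosts web1 and db1):
# web1's marks stop after 18:00 while db1 keeps sending them.
SAMPLE_LOG = """\
Feb 18 17:40:00 web1 -- MARK --
Feb 18 17:40:00 db1 -- MARK --
Feb 18 18:00:00 web1 -- MARK --
Feb 18 18:00:00 db1 -- MARK --
Feb 18 18:20:00 db1 -- MARK --
Feb 18 18:40:00 db1 -- MARK --
Feb 18 19:00:00 db1 -- MARK --
Feb 18 19:05:12 db1 sshd[123]: Accepted publickey for alice
"""

# BSD syslog timestamp (month, space-padded day, time), host, then the mark text.
MARK_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) -- MARK --$")


def parse_ts(stamp, year=2001):
    """Syslog timestamps carry no year; the caller supplies it (2001 assumed here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def silent_hosts(log_text, now, mark_interval=timedelta(minutes=20), missed=2, year=2001):
    """Return {host: last_mark_time} for every host whose most recent MARK is
    older than `missed` mark intervals relative to `now`.

    Two missed marks is the tolerance assumed here; one late mark is common
    under UDP loss, two in a row is worth a look."""
    last_mark = {}
    for line in log_text.splitlines():
        m = MARK_RE.match(line)
        if not m:
            continue  # ordinary log traffic is not a heartbeat
        ts, host = parse_ts(m.group(1), year), m.group(2)
        if host not in last_mark or ts > last_mark[host]:
            last_mark[host] = ts
    threshold = now - mark_interval * missed
    return {h: t for h, t in last_mark.items() if t < threshold}


if __name__ == "__main__":
    for host, seen in silent_hosts(SAMPLE_LOG, parse_ts("Feb 18 19:10:00")).items():
        print(f"{host}: no MARK since {seen:%b %d %H:%M:%S}")
```

A host that is merely rebooting also goes quiet, so the alert is a prompt to check, not proof of compromise.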