From owner-freebsd-questions Wed Oct 15 08:03:29 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA21300 for questions-outgoing; Wed, 15 Oct 1997 08:03:29 -0700 (PDT) (envelope-from owner-freebsd-questions)
Received: from hawk.phantasy.com (breaker@hawk.phantasy.com [156.46.216.2]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id IAA21293 for ; Wed, 15 Oct 1997 08:03:24 -0700 (PDT) (envelope-from breaker@hawk.phantasy.com)
Received: (from breaker@localhost) by hawk.phantasy.com (8.6.12/8.6.9) id KAA29250 for freebsd-questions@FreeBSD.ORG; Wed, 15 Oct 1997 10:08:01 -0500
From: Whiskey Mike
Message-Id: <199710151508.KAA29250@hawk.phantasy.com>
Subject: state of log files
To: freebsd-questions@FreeBSD.ORG
Date: Wed, 15 Oct 1997 10:08:00 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

A short while back, a host that I frequent was hacked, in addition to dozens of university machines, including MIT and Princeton. The perpetrator, who was eventually caught, put a backdoor on port 150 so he could get in no matter what /etc/hosts.deny stated.

Eventually he was caught, but now /var/log/messages, /var/log/ftp.log and /var/log/secure are not being written to. The date and time of these files are the same as the last time he hacked the system.

What can I do to make sure these log files are being written to? As of now, the logfiles have not been written to in two weeks, which is a long time to not know what's going on with the system.

Any information would be greatly appreciated. Please contact me at breaker@hawk.phantasy.com if you can be of assistance.

Thanks in advance,
-b
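
A check for the symptom described in the message above, added here as an example and not part of the original post: it reports which of the three log files named there are missing or have not been modified recently. The function name `stale_logs` and the 24-hour threshold are assumptions.

```shell
#!/bin/sh
# stale_logs MAX_AGE_MINUTES FILE...
# Prints "MISSING <file>" for each file that does not exist and
# "STALE <file>" for each file whose modification time is more than
# MAX_AGE_MINUTES in the past. Returns 1 if anything was reported, else 0.
stale_logs() {
    max_age=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            rc=1
        # find prints the path only when its mtime is older than the limit;
        # -prune keeps find from descending if a directory is passed.
        elif [ -n "$(find "$f" -prune -mmin +"$max_age" 2>/dev/null)" ]; then
            echo "STALE $f"
            rc=1
        fi
    done
    return $rc
}

# Paths are the ones named in the message; 1440 minutes (24 h) is an
# assumed threshold, to be tuned to how busy the host normally is.
stale_logs 1440 /var/log/messages /var/log/ftp.log /var/log/secure ||
    echo "at least one log is missing or stale: check that syslogd is running and that /etc/syslog.conf still names these files"
```

Run from cron, a non-zero return gives an early signal that logging has stopped, rather than finding out two weeks later.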