From owner-freebsd-questions Thu Oct 23 12:57:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA23265 for questions-outgoing; Thu, 23 Oct 1997 12:57:24 -0700 (PDT) (envelope-from owner-freebsd-questions)
Received: from gdi.uoregon.edu (gdi.uoregon.edu [128.223.170.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA23260 for ; Thu, 23 Oct 1997 12:57:22 -0700 (PDT) (envelope-from dwhite@gdi.uoregon.edu)
Received: from localhost (dwhite@localhost) by gdi.uoregon.edu (8.8.7/8.8.5) with SMTP id MAA03224; Thu, 23 Oct 1997 12:57:19 -0700 (PDT)
Date: Thu, 23 Oct 1997 12:57:19 -0700 (PDT)
From: Doug White
Reply-To: Doug White
To: Whiskey Mike
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: state of log files
In-Reply-To: <199710151508.KAA29250@hawk.phantasy.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 15 Oct 1997, Whiskey Mike wrote:

> A short while back, a host that I frequent was hacked, in addition to
> dozens of university machines, including MIT and Princeton. The
> perpetrator, who was eventually caught, put a backdoor on port 150 so he
> could get in no matter what /etc/hosts.deny stated.
>
> Eventually he was caught, but now /var/log/messages, /var/log/ftp.log and
> /var/log/secure are not being written to. The date and time of these files
> are the same as the last time he hacked the system.

Sounds like syslogd isn't working or was disabled, as part of this guy's
work. Check that syslogd is running and that /var/log/syslogd.conf
actually makes sense.

Doug White                               | University of Oregon
Internet:  dwhite@resnet.uoregon.edu     | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite     | Computer Science Major
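
The check suggested in the reply above (is syslogd running, and do the log files its configuration names still get written), as an added example that is not part of the original message. The function names, the constructed sample configuration and the staleness threshold are assumptions; pass the path of the syslogd configuration on the system being examined.

```shell
# Added example, not from the original thread. Function names, sample data
# and the staleness threshold are assumptions.

# True if a process named exactly "syslogd" is in the process table.
syslogd_running() { ps -A -o comm= 2>/dev/null | grep -qx syslogd; }

# Print each file path used as an action in a syslog.conf-style file.
# Comment, "!program" and "+host" lines are skipped; the action is the last
# field, and a file action starts with "/" (a leading "-" is tolerated).
syslog_file_targets() {
    awk 'NF < 2 || $1 ~ /^[#!+]/ { next }
         { a = $NF; sub(/^-/, "", a); if (a ~ /^\//) print a }' "$1"
}

# Print MISSING / STALE / OK per target; return 1 if any target is not OK.
# find -mtime +N matches files last modified at least N+1 full days ago.
audit_syslog() {
    conf=$1; days=${2:-0}; rc=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    targets=$(syslog_file_targets "$conf" | sort -u)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -e "$f" ]; then echo "MISSING $f"; rc=1
        elif [ -f "$f" ] && [ -n "$(find "$f" -prune -mtime +"$days")" ]; then
            echo "STALE $f"; rc=1
        else echo "OK $f"; fi
    done <<EOF
$targets
EOF
    return "$rc"
}

# Constructed sample under directory $1: one fresh log, one log with an old
# timestamp, and one configured log file that was never created.
make_sample() {
    printf '%s\n' '# constructed sample' "*.notice;kern.debug $1/messages" \
        "ftp.* $1/ftp.log" "auth.* $1/secure" '*.emerg *' '!ppp' \
        '*.* @loghost' > "$1/syslog.conf"
    touch "$1/messages"; touch -t 199710151008 "$1/ftp.log"
}

# With a path argument, audit that config; with none, run the constructed demo.
if [ $# -gt 0 ]; then
    syslogd_running || echo "NOTRUNNING syslogd"
    audit_syslog "$@"
else
    d=$(mktemp -d) && make_sample "$d" && { audit_syslog "$d/syslog.conf" || true; rm -rf "$d"; }
fi
```

On a host that has been broken into, `ps` and `find` may themselves have been replaced, so run the check with known-good binaries.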