
| Subject: | Re: Something strange in my logs!!! |
|---|---|
| Date: | Mon, 23 Jul 2007 09:59:11 +0300 |
Hello Nicola,
What's your history file telling you? Do you recognise all the commands in there as being yours? Any deleted files of interest in the system? Also try checking network (IDS/FW) logs to and from that server for the specified period.
This is mostly suitable for the "Forensics" list. Try dropping a line there as well.
Regards, ZQ
Situation: DMZ Linux mail server with qmail. Only this service is accessible from the net, through a DNAT rule on the firewall.
Yesterday I checked the logs: all main logs (messages, wtmp, btmp, syslog, secure, etc.) look VERY strange: from 3 July to 18 July absolutely no record... before and after they are normal. Even those rotated with logrotate are similar.
The mail logs, saved in a non-standard directory, are all OK even in the period described above.
Executing "w" I see that the server has been up for 6 days. When I logged in through ssh (from the intranet; ssh is not accessible from outside, only port 25/tcp is open) I read that my last login was on 3 July (and that could well be correct).
I've downloaded chkrootkit and it says that there is nothing strange (but we know how much trust we can give to this program).
But where have all the logs of those 15 days gone? The system was surely up and running, because the mail server handled the mail normally (the mail logs are intact and show normal operation during that period). From the gateway I've looked for strange connections, but none were found.
Using the "last" command I can only see my login, no information about reboot, boot or system failure. Obviously before 3 July all is correct.
Any ideas? What can I do to discover something more?
Thanks...
Nicola
--
Creon: In this our land, so said he, those who seek
Shall find; unsought, we lose it utterly.
Oedipus Rex [110]
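As an added triage example (not code from the thread or its participants), two checks that put numbers on what Nicola describes: a gap finder over syslog-format lines, and a cross-check of the uptime reported by "w" against the reboot records that "last -x" reads from wtmp. The log lines, the "last -x" output, the hostname mx and the year 2007 are constructed assumptions.

```python
"""Triage checks for a syslog that goes silent while the service kept running.
Added example; the log lines and `last -x` output below are constructed samples.
Assumes the classic syslog timestamp "Mon DD HH:MM:SS" (no year) and year 2007."""
from datetime import datetime, timedelta

YEAR = 2007  # classic syslog lines carry no year; assumed from the thread's date

# Constructed /var/log/messages excerpt: normal entries, then nothing until 18 July.
SYSLOG = """\
Jul  2 23:58:02 mx qmail: 1183413482.123 new msg 1001
Jul  3 00:01:10 mx sshd[2201]: Accepted publickey for nicola from 10.0.0.5
Jul 18 09:14:55 mx qmail: 1184742895.001 new msg 1002
Jul 18 10:00:00 mx CRON[3011]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed `last -x` output: one login and a reboot from early June only.
LAST_X = """\
nicola   pts/0        10.0.0.5         Tue Jul  3 00:01   still logged in
runlevel (to lvl 3)   2.4.27           Sat Jun  2 12:00 - 08:40 (30+20:40)
reboot   system boot  2.4.27           Sat Jun  2 11:59   (45+21:41)
"""

def syslog_gaps(text, threshold=timedelta(hours=12), year=YEAR):
    """Return (gap_start, gap_end) pairs where consecutive syslog entries are
    more than `threshold` apart. A host that was demonstrably processing mail
    the whole time should show no such gap in messages/secure/syslog."""
    stamps = []
    for line in text.splitlines():
        try:  # first 15 columns are the timestamp; strptime tolerates "Jul  2"
            stamps.append(datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))
        except ValueError:
            continue  # not a syslog-formatted line
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > threshold]

def boot_time_consistent(uptime_seconds, now, last_x_output, year=YEAR,
                         tolerance=timedelta(minutes=10)):
    """The boot time implied by uptime must match a 'reboot' record in wtmp.
    Uptime of 6 days with no reboot record near that time means wtmp was
    truncated or rewritten, which fits the missing 3-18 July window."""
    expected = now - timedelta(seconds=uptime_seconds)
    for line in last_x_output.splitlines():
        if not line.startswith("reboot"):
            continue
        f = line.split()  # reboot, system, boot, kernel, Ddd, Mon, DD, HH:MM, ...
        ts = datetime.strptime(f"{year} {f[5]} {f[6]} {f[7]}", "%Y %b %d %H:%M")
        if abs(ts - expected) <= tolerance:
            return True
    return False
```

The same two functions can be pointed at the real /var/log/messages and a saved `last -x` capture; the rotated files from logrotate should be concatenated first so the gap check spans them.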