Is this an attack on my machine? How can you know for sure?

Frank Carmickle frankiec at braille.uwo.ca
Thu Feb 15 19:39:14 EST 2001


Terry.

Those are standard lines for telling you the last time the system was
sane if it happens to go down.  It's just a time marker.  If you see any
hosts that you are unaware of in your /var/log/syslog then I might say you
have a concern.  Certainly every time a machine does something crazy you
can't blame an attack.  When you do see your system slowing down it is a
good idea to run top and see what is causing the system load.  One should
get familiar with top before such things are happening to understand what
usual loads for certain applications should look like.  

If you are concerned about attacks on your machine you may want to look
through /bin /sbin /usr/bin /usr/sbin for the last times that files were
changed.  You can do this with an 'ls -lc'.  That will list files in the
order they were last changed according to the inode of the filesystem.  If
you just look at modification time you can be fooled because you can much
more easily change the modification time to whatever you would
like.  Thanks to Bill for clearing this one up for me.

HTH
Frank


     Frank Carmickle
phone:     412 761-9568
email:     frankiec at dryrose.com

On Thu, 15 Feb 2001, Terry D. Cudney wrote:

> Hi,
> 
> 	I'm suspicious of the security of my system. I'm running DSL (which uses PPP over Ethernet).
> 
> 	Yesterday I had an incident where my machine seemed to bog down while I wasn't doing anything unusual that would cause it.
> 
> 	The only thing I can find is in the /var/log/messages file where I find lines like this:
> 
> Feb 15 17:37:00 eden -- MARK --
> Feb 15 17:57:00 eden -- MARK --
> 
> 	I don't know enough about the log files to know if this is a valid log message... It looks suspicious to me.
> 
> 	Can anyone tell me if this is a normal message? Pointers to recommended reading on the log file (normal) contents and Linux Security on the 'net would be most appreciated.
> 
> 	Advance thanks for any help that you net/security gurus can lend.
> 
> 		--terry
> 
> Name:	Terry D. Cudney
> Phone:	(905)735-6127
> E-mail:	terry at wasagacottage.com
> WWW:	www.wasagacottage.com
> 
> 
> 
> Q:	What's tiny and yellow and very, very, dangerous?
> A:	A canary with the super-user password.
> 
> 
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
> 
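Added example, not part of the original messages: a Python sketch of the inode-change-time check described in the reply, showing that a file whose modification time has been set back a year still shows a fresh ctime. The function names and the temporary sample files are constructed for illustration; on a real system the directories passed in would be /bin, /sbin, /usr/bin and /usr/sbin.

```python
import os
import tempfile
import time


def recently_changed(dirs, since_epoch):
    """Return (ctime, mtime, path) for files whose inode change time
    (ctime) is at or after since_epoch, newest ctime first."""
    hits = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip it
                if st.st_ctime >= since_epoch:
                    hits.append((st.st_ctime, st.st_mtime, path))
    return sorted(hits, reverse=True)


def backdated(hits, gap_seconds=86400):
    """Paths from hits whose mtime is much older than their ctime."""
    return [p for c, m, p in hits if c - m > gap_seconds]


def demo():
    """Constructed sample: two new files, one with mtime set a year back."""
    with tempfile.TemporaryDirectory() as d:
        start = time.time() - 5
        plain = os.path.join(d, "plain")
        old_looking = os.path.join(d, "old_looking")
        for p in (plain, old_looking):
            with open(p, "w") as f:
                f.write("x")
        year_ago = time.time() - 365 * 86400
        # utime() rewrites atime/mtime; the kernel still stamps ctime as now
        os.utime(old_looking, (year_ago, year_ago))
        hits = recently_changed([d], start)
        seen_by_mtime = [os.path.basename(p) for _c, m, p in hits if m >= start]
        seen_by_ctime = sorted(os.path.basename(p) for _c, _m, p in hits)
        flagged = [os.path.basename(p) for p in backdated(hits)]
        return seen_by_mtime, seen_by_ctime, flagged


if __name__ == "__main__":
    print(demo())
```

A ctime newer than mtime is also what a normal package install or a chmod leaves behind, so the flagged list is something to compare against known maintenance, not proof of tampering.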




