
logcheck thinks that system is under attack, related to ssl problem?



Hi

I've got a rather weird problem. Since this morning, I cannot connect
anymore to a pop mail server using ssl, evolution complains about a bad
signature of the certificate. This is since I've booted my machine
today.

At the same time, one minute before I got the after-startup report from logcheck, logcheck
sent me a mail with an "ACTIVE SYSTEM ATTACK!" subject, saying:

"Cleaned rules files exist in /var/lib/logcheck/cleaned directory that
cannot be removed. This may be an attempt to spoof the log checker."

Hmmm, so what? Are these problems somehow tied together? Furthermore,
what is the probability that the system has really been cracked, and the
logcheck message is not a false positive? I wonder, because it's not a
server machine, it has no services running, except the dhcp client
listening on a port. Nothing else.

Which steps would you propose to take next? It's very unfortunate, since
I am having absolutely no time at the moment, so I think I'll just leave
the machine switched off for now. Maybe I should go for a complete
reinstall.

-- 
Best wishes,
Andi


