Re: logcheck thinks that system is under attack, related to ssl problem?
Hi Noah,
Thanks a lot for your fast answer!
On Monday, 06-Oct-03 at 17:58:10, Noah L. Meyerhans wrote:
> On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas W?st wrote:
>> Hmmm, so what? Are these problems somehow tied together? Furthermore,
>> what is the probability that the system has really been cracked, and
>> the logcheck message is not a false positive? I wonder, because it's
>> not a server machine, it has no services running, except the dhcp
>> client listening on a port. Nothing else.
>
> It sounds to me, from the symptoms you described, that /var has
> somehow been mounted read-only. Check that first.
Well, I wish it were like that, but /var hasn't got its own
partition; it gets mounted together with all the other stuff except
/boot.
> You don't have much evidence that it's a security issue at this point.
> Logcheck's "active system attack" messages rarely indicate such a
> thing. Don't do anything drastic like reinstall the system until
> you've got better evidence that you've been cracked. In this case, I
> doubt you have.
Well, reinstall is the last resort since it always takes hours to get
back the normal environment.
I hope you've got some more ideas. I'm strictly following all the
security updates, and have a light mix of woody and sid packages.
Well, I further noticed some error messages from gconf, about not being
able to delete some files, because they were not successfully synced. I
am seeing these messages quite often, although yesterday there were
quite a lot of them. I've never really researched the topic, but I think
it could be related to sleep, and therefore a not perfect flush of
the buffers or something. I wonder if this might somehow have affected
the logcheck stuff.
--
Best wishes,
Andi
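Noah's first suggestion above (check whether /var is mounted read-only) is easy to verify even when /var has no partition of its own, because the question is really which mount holds a given path and what its options are. The script below is an added example written for this thread, not code from either poster; it does a longest-prefix match over lines in /proc/mounts format and reports ro or rw for the mount that holds a path. The mount table it ships with is constructed for the example; on a real system you feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example: which mount holds a path, and is it read-only?
# Input lines follow the /proc/mounts layout: "device mountpoint fstype options dump pass".
# The table below is CONSTRUCTED for the example, not taken from the thread.
SAMPLE_MOUNTS='/dev/hda2 / ext3 rw,errors=remount-ro 0 0
/dev/hda1 /boot ext3 ro 0 0
proc /proc proc rw 0 0'

# mount_for PATH: read a mount table from stdin and print
# "<mountpoint> <options>" for the longest mountpoint that is a prefix of PATH.
# Returns 1 if no mount matches (e.g. the table has no "/" entry).
mount_for() {
    path=$1
    best=""
    bestlen=0
    bestopts=""
    while read -r dev mnt fstype opts rest; do
        match=0
        if [ "$mnt" = "/" ]; then
            # The root mount holds every path; "$mnt"/* would become "//*" and never match.
            match=1
        else
            case "$path" in
                "$mnt"|"$mnt"/*) match=1 ;;
            esac
        fi
        # Keep the deepest (longest) matching mountpoint: /boot beats / for /boot/grub.
        if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "$bestlen" ]; then
            bestlen=${#mnt}
            best=$mnt
            bestopts=$opts
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s %s\n' "$best" "$bestopts"
}

# ro_status PATH: print "ro" or "rw" for the mount holding PATH (table on stdin).
# Returns 2 if the path is not covered by any mount in the table.
ro_status() {
    line=$(mount_for "$1") || return 2
    opts=${line#* }
    # Wrap in commas so only a whole "ro" option matches; "errors=remount-ro"
    # must not be mistaken for a read-only mount.
    case ",$opts," in
        *,ro,*) echo ro ;;
        *)      echo rw ;;
    esac
}

# Stand-alone run: the constructed table first, then the live system if available.
printf '%s\n' "$SAMPLE_MOUNTS" | ro_status /var
if [ -r /proc/mounts ]; then
    ro_status /var < /proc/mounts || true
fi
```

With the constructed table, /var resolves to the root mount and reports rw, while /boot/grub resolves to /boot and reports ro. On a live box, `ro_status /var < /proc/mounts` gives the answer Noah asked for in one line; a filesystem that was remounted read-only after an error (the `errors=remount-ro` option makes ext3 do exactly that) would show ro here even though nothing in fstab says so.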