Thread: Which files I should Check
06-19-2003, 04:08 PM #1 Talk2Me (Guest)
I am a newbie with a Linux box (8.0) and I wanted to know which log files I should be looking at, and what type of activity I will see in the log files to know that my system is not being hacked?
Also what other things beside log files should I be looking at to make sure my system looks normal?
Please be very specific.
Thanks for your help!!!
06-22-2003, 10:49 PM #2 manlius (Guest)
I would start with a trip to your local library or book store and pick up one of the many intro-to-Linux books; you will find they are a great start.
06-23-2003, 04:34 AM #3 ProWebUK (Guest)
A few things:
1) If you have abnormal bandwidth usage from an account or the server, check what is using it. Also, the server load will more than likely increase.
2) pico -w /var/log/messages
3) pico -w /var/log/httpd/access_log
4) pico -w /var/log/httpd/error_log
Those are the main log files. access_log won't help you too much unless you are trying to find out information about the person; there are some other ways to check things out, although these are the easiest.
You can also get chkrootkit, which will check whether you have been rooted.
06-23-2003, 09:35 AM #4 northwind (Guest)
...Let's just hope you're not running a hosting business. =)
Anyway, for your answers: usually for boxes being hacked, the load of the server seems to rise. This is because when they hack your server, unless it's a DDoS attack, they will upload a file and then basically run it on the server, which gives up all information for root accounts.
From there, they can really screw up your server.
There really is no "perfect" way to look at it. Even with firewalls, it won't keep all of them away; however, I would look into getting a firewall as it may help.
09-04-2003, 02:18 PM #5 andy (Guest)
1. Use tripwire to check for file integrity.
2. Use Logwatch to check for suspicious activity.
3. Run the command utmpdump /var/log/wtmp | less to see who was logged in remotely.
4. Run "last" or "history" on the shell.
5. Check your binaries for integrity:
rpm -Va|grep '^..5' > /root/rpmverify
cat /root/rpmverify|grep bin
Hope this helps.
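Added example (written for this page, not code from andy or any other poster): a small POSIX shell filter over rpm -Va output that does what the grep '^..5' | grep bin pipeline in step 5 does, but skips config files (attribute marker c, which change legitimately) and lists missing files separately. The rpm -Va lines used as input are constructed sample data, not real verification results.

```shell
#!/bin/sh
# Added example: filter `rpm -Va` output more precisely than
# `rpm -Va | grep '^..5' | grep bin` does.
# rpm -Va prints one line per changed file:  FLAGS  [c|d|g|l|r| ] PATH
# FLAGS is fixed-width (S size, M mode, 5 MD5 digest, D device,
# L readlink, U user, G group, T mtime); '.' means the attribute matched.
# Deleted files are reported as:  missing  [c] PATH

# Print "PATH FLAGS" for non-config files under a bin or sbin directory
# whose digest (3rd flag column) no longer matches the package database.
modified_binaries() {
    awk '
        $1 == "missing" { next }            # handled by missing_files()
        {
            flags = $1; path = $NF
            attr = (NF == 3) ? $2 : ""      # attribute marker, if any
            if (attr == "c") next           # config files change legitimately
            if (substr(flags, 3, 1) != "5") next
            if (path ~ "^(/usr(/local)?)?/s?bin/") print path, flags
        }'
}

# Print the path of every file rpm expected but could not find.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Constructed sample of rpm -Va output, not real verification results.
# On a live box you would run:  rpm -Va | modified_binaries
SAMPLE='S.5....T.    /bin/login
.......T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
S.5....T.    /usr/share/doc/README
missing     /usr/bin/netstat'

report() {
    printf 'Modified binaries (review against a known-good copy):\n'
    printf '%s\n' "$SAMPLE" | modified_binaries
    printf 'Missing files:\n'
    printf '%s\n' "$SAMPLE" | missing_files
}

report
```

A changed digest on /bin/login or /usr/sbin/sshd is exactly the kind of hit tripwire (step 1) would also raise; rpm's database is just the baseline that already ships with the box.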