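# If there are results, mail them to sysadmin
if [ "$ATTACK" -eq 1 ]; then
        # Report contains active-attack keywords: flag it in the subject
        cat $TMPDIR/checkreport.$$ |
                $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
elif [ "$FOUND" -eq 1 ]; then
        # Report contains other findings: send as a routine system check
        cat $TMPDIR/checkreport.$$ |
                $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
else
        # Nothing matched: still send a mail so silence is noticeable
        echo "No Reported problems" |
                $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
fi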
Thank you.
Alvin Oga wrote:
hi ya jiji

> - rebooted which should take care of cron / syslogd / logcheck.sh not running
> - apt-get --reinstall install logcheck just in case
> - hacker? that is my fear. How can I find evidence that the @#$@ is in there?

-- what changed since the last time logcheck was working...
- maybe something broke or something got installed differently/wrong ???

otherwise... look for directories/files you don't recognize...
simple/silly/stupid/fast test is:
    find / -mtime -4 -ls | grep -v /proc
- changes in the last 4 days....
you should be able to recognize all files/directories listed ...
if you have a deb db or tripwire running, that would make it easier
to check ... i donno the deb-way...

if it's NOT a hacker and you didn't find any unknown/modified files...
- you could have a really good hacker/cracker in there..
- you could have found a bug in logcheck or something ???
- if you don't mind.. you can post the list of "unknown files"...maybe
someone will recognize it as being the culprit of your logcheck
symptoms

c ya
alvin

> On Mon, Jun 04, 2001 at 03:24:05PM -0700, Alvin Oga wrote:
> >
> > hi jiji
> >
> > you probably have a problem with:
> > - check cron ( restart it even if it's running )
> > - check syslogd ( restart it even if it's running )
> > - run logcheck.sh manually and see if then reports your status
> > since the last time
> >
> > - what happened since the June 1st...you get any posts/reports
> > from logcheck
> >
> > - you have a hacker/cracker that is updating/erasing your log files
> > trying to hide themself
> >
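
Added example, not part of the original thread: the "changes in the last 4 days" check combined with the "deb db" idea, sorting recent files into ones no package claims and packaged files whose content no longer matches. The function names and the manifest argument are assumptions; it expects GNU `md5sum` and a manifest in dpkg's md5sums layout (`<md5>  <path relative to root>`).

```shell
#!/bin/sh
# Added example: triage files changed in the last N days against a package
# checksum manifest. Function names and the manifest argument are assumptions.
# Manifest format is dpkg's md5sums layout: "<md5>  <path relative to root>".

# recent_changes ROOT DAYS
# Same idea as `find / -mtime -4`, but prunes /proc and /sys inside find
# rather than filtering the output with grep.
recent_changes() {
    root=${1%/}
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" \) -prune \
        -o -type f -mtime "-$2" -print
}

# classify_changes ROOT DAYS MANIFEST
# Prints "UNKNOWN <file>" for recent files no package claims and
# "MODIFIED <file>" for packaged files whose content no longer matches.
# Recent files that still match their recorded checksum are not printed.
classify_changes() {
    root=${1%/}
    days=$2
    manifest=$3
    recent_changes "${root:-/}" "$days" | while IFS= read -r f; do
        rel=${f#"$root"/}
        # Look up the recorded hash; paths may contain spaces, so compare
        # everything after the hash column. ENVIRON avoids awk -v escapes.
        want=$(P=$rel awk '{ h = $1; sub(/^[^ ]+ +/, "")
                             if ($0 == ENVIRON["P"]) { print h; exit } }' "$manifest")
        have=$(md5sum < "$f" | cut -d' ' -f1)
        if [ -z "$want" ]; then
            echo "UNKNOWN $f"
        elif [ "$want" != "$have" ]; then
            echo "MODIFIED $f"
        fi
    done
}

# Usage: sh script.sh ROOT DAYS MANIFEST
if [ "$#" -eq 3 ]; then
    classify_changes "$@"
fi
```

On a Debian host the manifest can be built with `cat /var/lib/dpkg/info/*.md5sums`. Both file mtimes and that on-disk database can be rewritten by anyone with root, so an empty result is weak evidence; a checksum database kept off the host, as with tripwire, is the stronger check.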