From my /var/log/auth.log....

Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/open_port.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/rpm-va-config.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/rpm-qa.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/writable.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Aug 4 05:01:01 localhost msec: changed mode of /var/log/security/rpm-va.today from 644 to 640
Aug 4 20:11:03 localhost snort[1318]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.144.168.34:3085 -> 192.168.0.226:1434
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/sgid.today from 644 to 640
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/open_port.today from 644 to 640
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/rpm-va-config.today from 644 to 640
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/rpm-qa.today from 644 to 640
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Aug 5 05:01:01 localhost msec: changed mode of /var/log/security/writable.today from 644 to 640

Is the entry from Aug 4 20:11:03 as self-explanatory as it looks? Is this a reference to the M$ SQL Server worm from a few months ago? If anyone can provide any insight into this, I'd appreciate it.

Thanks,

--
Ben Reeves

"He who knows much about others is learned, but he who understands himself is more intelligent. He who controls others may be powerful, but he who has mastered himself is mightier still."
- Lao-Tsu, Tao Teh King