On 2/5/07, Darren Cockburn <[EMAIL PROTECTED]> wrote:
Hi,

Can someone assist me with allowing access back to the console?
And perhaps increasing the logging?

Using:

Version          1.0.1
built on Sun Oct 29 01:13:05 UTC 2006
Platform        pfSense


On the weekend the system went down. It's the first time this has
happened and I have been running pfSense for over a year.

I have http access and ssh access to the pfSense machine, but the
console (directly connected) reads "listening on 127.0.0.1 81" and won't
allow me access to the usual menu.

I checked the hard-drive - no errors
CPU, memory usage, page file, etc... all seems fine

We have some suspicion that we were hacked because the following files
had been modified just prior to the crash.

/etc/passwd
/etc/group
/etc/pwd.db
/etc/rc.initial
/etc/spwd.db
/etc/ttys

I have verified (with diff) that the above files are now the same as the
current release of pfSense CVS files.

Some of those files get recreated on boot, password change, or serial
console change.  The only one that stands out is /etc/rc.initial - the
only thing that should touch that would be an actual upgrade.



Most of the log files are empty or corrupted (intentionally?) - they
have thousands of lines of:
"@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@^"
Or
"[EMAIL PROTECTED]@[EMAIL PROTECTED](^A^@|<D0>[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@^@"


Any thoughts?

Circular log format files.  You need to use the clog utility to read
them, not cat :)

--Bill
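
The comparison discussed in this thread, as an added example that is not part of the original messages or of pfSense itself: it compares the six files named in the post against a known-good copy and fails only when /etc/rc.initial is not identical, since the reply singles that file out as one only an upgrade should touch. The two root directories, the function names and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage the files named in the post
# against a known-good reference tree, e.g. an unpacked release image.

# File list taken from the original post, relative to a root directory.
WATCHED="etc/passwd etc/group etc/pwd.db etc/spwd.db etc/ttys etc/rc.initial"

# classify <relative path>
# The reply says some of these files are rewritten in normal operation but
# does not say which; this example (assumption) treats every file except
# rc.initial that way. rc.initial should only change on an upgrade.
classify() {
    case "$1" in
        etc/rc.initial) echo "upgrade-only" ;;
        *)              echo "may-regenerate" ;;
    esac
}

# triage <live_root> <reference_root>
# Prints one line per file: STATUS CLASS PATH
# Returns 1 if an upgrade-only file is missing, has no baseline or differs.
triage() {
    live=$1; ref=$2; rc=0
    for f in $WATCHED; do
        class=$(classify "$f")
        if [ ! -e "$live/$f" ]; then
            status=MISSING
        elif [ ! -e "$ref/$f" ]; then
            status=NO-BASELINE
        elif cmp -s "$live/$f" "$ref/$f"; then
            status=SAME
        else
            status=DIFFERS
        fi
        echo "$status $class $f"
        if [ "$class" = upgrade-only ] && [ "$status" != SAME ]; then
            rc=1
        fi
    done
    return $rc
}
```

Run it as `triage / /path/to/reference` with the reference tree on read-only media, so the baseline cannot be altered from the system being checked.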
