I was updating an HTTPD code red log filter to also automatically report
nimba and other attacks happening in my domain.  I just noticed a rather
disturbing pattern in the dates/names.  

Here is the first coupld of lines in the script:

#!/bin/csh

setenv DATE_STR `date +%Y%m%d`

mv -f /var/log/httpd/access_log /var/log/httpd/access_log_${DATE_STR}
(grep "default.ida" /var/log/httpd/access_log_${DATE_STR} | grep
"129.219.") >&  /var/log/httpd/CR_access_${DATE_STR}
(grep "default.ida" /var/log/httpd/access_log_${DATE_STR} | grep
"149.169.") >>& /var/log/httpd/CR_access_${DATE_STR}
...

of a cron script that runs just after midnight every day.  I get the
following date time stamps:

...
-rw-r--r--    1 root     root            0 Sep 10 00:15
error_log_20010911
-rw-r--r--    1 root     root         1472 Sep 12 03:01
error_log_20010912
-rw-r--r--    1 root     root        10269 Sep 17 12:17
error_log_20010913
-rw-r--r--    1 root     root            0 Sep 13 02:30
error_log_20010914
-rw-r--r--    1 root     root            0 Sep 14 00:15
error_log_20010915
-rw-r--r--    1 root     root            0 Sep 15 00:15
error_log_20010916
-rw-r--r--    1 root     root            0 Sep 16 00:15
error_log_20010917
-rw-r--r--    1 root     root       565771 Sep 19 06:16
error_log_20010918
-rw-r--r--    1 root     root            0 Sep 18 00:15
error_log_20010919

Unless I am just having a brain fart, it appears that something/someone
edited the 2001/09/13 log on the 17'th, and all of the dates seem to be
off by a day.  Does anyone see something obvious, or doe is look like
someone may be mucking with my logs?  ps: I am the only one that should
have root, and I have had no reason to muck with the logs before the
attack on the network last yesterday.

  EBo --