I was updating an HTTPD Code Red log filter to also automatically report
Nimda and other attacks happening in my domain. I just noticed a rather
disturbing pattern in the dates/names.
Here are the first couple of lines in the script:
#!/bin/csh
# Rotate today's access_log under a YYYYMMDD suffix, then pull out the
# Code Red probes (default.ida) from the two local address ranges.
setenv DATE_STR `date +%Y%m%d`
mv -f /var/log/httpd/access_log /var/log/httpd/access_log_${DATE_STR}
(grep "default.ida" /var/log/httpd/access_log_${DATE_STR} | grep "129.219.") >& /var/log/httpd/CR_access_${DATE_STR}
(grep "default.ida" /var/log/httpd/access_log_${DATE_STR} | grep "149.169.") >>& /var/log/httpd/CR_access_${DATE_STR}
...
of a cron script that runs just after midnight every day. I get the
following date time stamps:
...
-rw-r--r-- 1 root root      0 Sep 10 00:15 error_log_20010911
-rw-r--r-- 1 root root   1472 Sep 12 03:01 error_log_20010912
-rw-r--r-- 1 root root  10269 Sep 17 12:17 error_log_20010913
-rw-r--r-- 1 root root      0 Sep 13 02:30 error_log_20010914
-rw-r--r-- 1 root root      0 Sep 14 00:15 error_log_20010915
-rw-r--r-- 1 root root      0 Sep 15 00:15 error_log_20010916
-rw-r--r-- 1 root root      0 Sep 16 00:15 error_log_20010917
-rw-r--r-- 1 root root 565771 Sep 19 06:16 error_log_20010918
-rw-r--r-- 1 root root      0 Sep 18 00:15 error_log_20010919
Unless I am just having a brain fart, it appears that something/someone
edited the 2001/09/13 log on the 17th, and all of the dates seem to be
off by a day. Does anyone see something obvious, or does it look like
someone may be mucking with my logs? PS: I am the only one that should
have root, and I have had no reason to muck with the logs before the
attack on the network yesterday.
EBo --
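One way to turn the eyeballing above into a repeatable check, as an added example that is not part of the original post: `mv` keeps the inode's mtime, so a rotated log should never look newer than the moment the cron job renamed it; anything that does was written to after rotation and deserves a closer look. The listing is reconstructed from the post (one file per line, as `ls -l` prints it), and the rotation instant of 00:15 on the day in the file name is an assumption taken from the poster's timestamps.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the poster's listing, re-joined into normal `ls -l` lines
# (the mail client had wrapped each file name onto its own line).
LISTING = """\
-rw-r--r-- 1 root root      0 Sep 10 00:15 error_log_20010911
-rw-r--r-- 1 root root   1472 Sep 12 03:01 error_log_20010912
-rw-r--r-- 1 root root  10269 Sep 17 12:17 error_log_20010913
-rw-r--r-- 1 root root      0 Sep 13 02:30 error_log_20010914
-rw-r--r-- 1 root root      0 Sep 14 00:15 error_log_20010915
-rw-r--r-- 1 root root      0 Sep 15 00:15 error_log_20010916
-rw-r--r-- 1 root root      0 Sep 16 00:15 error_log_20010917
-rw-r--r-- 1 root root 565771 Sep 19 06:16 error_log_20010918
-rw-r--r-- 1 root root      0 Sep 18 00:15 error_log_20010919
"""

LS_LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+(?P<hm>\d\d:\d\d)\s+(?P<name>\S+_(?P<stamp>\d{8}))$"
)

# Assumed: the rotation cron job runs at 00:15 on the day named in the file.
ROTATION_OFFSET = timedelta(minutes=15)


def parse_listing(text):
    """Yield (name, size, mtime, rotated_at) for every `ls -l` line whose name
    ends in _YYYYMMDD. ls -l omits the year for recent files, so the year is
    taken from the suffix in the name."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        stamp = m["stamp"]
        rotated_at = datetime.strptime(stamp, "%Y%m%d") + ROTATION_OFFSET
        mtime = datetime.strptime(
            f"{stamp[:4]} {m['mon']} {m['day']} {m['hm']}", "%Y %b %d %H:%M")
        yield m["name"], int(m["size"]), mtime, rotated_at


def written_after_rotation(text, slack=timedelta(minutes=5)):
    """Return (name, mtime, how_late) for rotated files whose mtime is later
    than their own rotation, i.e. files that were written to after the mv."""
    return [(name, mtime, mtime - rotated_at)
            for name, _size, mtime, rotated_at in parse_listing(text)
            if mtime > rotated_at + slack]


if __name__ == "__main__":
    for name, mtime, late in written_after_rotation(LISTING):
        print(f"{name}: modified {mtime:%b %d %H:%M}, {late} after rotation")
```

Run against the poster's listing it flags 20010912, 20010913 and 20010918; the files whose mtime is a day earlier than their name are what an untouched, never-written-again log looks like after `mv`.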