reality check please...

Gontran plug-discuss@lists.PLUG.phoenix.az.us
Wed, 19 Sep 2001 08:58:02 -0700


* John (EBo) David (ebo@eagle.west.asu.edu) wrote:
> 
> I was updating an HTTPD Code Red log filter to also automatically report
> Nimda and other attacks happening in my domain.  I just noticed a rather
> disturbing pattern in the dates/names.  
> 
> Here are the first couple of lines in the script:
> 
> #!/bin/csh
> 
> setenv DATE_STR `date +%Y%m%d`
> 
> mv -f /var/log/httpd/access_log /var/log/httpd/access_log_${DATE_STR}
> (grep "default.ida" /var/log/httpd/access_log_${DATE_STR} | grep
> "129.219.") >&  /var/log/httpd/CR_access_${DATE_STR}
> (grep "default.ida" /var/log/httpd/access_log_${DATE_STR} | grep
> "149.169.") >>& /var/log/httpd/CR_access_${DATE_STR}
> ...
> 
> of a cron script that runs just after midnight every day.  I get the
> following date time stamps:
> 
> ...
> -rw-r--r--    1 root     root            0 Sep 10 00:15 error_log_20010911
> -rw-r--r--    1 root     root         1472 Sep 12 03:01 error_log_20010912
> -rw-r--r--    1 root     root        10269 Sep 17 12:17 error_log_20010913
> -rw-r--r--    1 root     root            0 Sep 13 02:30 error_log_20010914
> -rw-r--r--    1 root     root            0 Sep 14 00:15 error_log_20010915
> -rw-r--r--    1 root     root            0 Sep 15 00:15 error_log_20010916
> -rw-r--r--    1 root     root            0 Sep 16 00:15 error_log_20010917
> -rw-r--r--    1 root     root       565771 Sep 19 06:16 error_log_20010918
> -rw-r--r--    1 root     root            0 Sep 18 00:15 error_log_20010919
> 
> Unless I am just having a brain fart, it appears that something/someone
> edited the 2001/09/13 log on the 17th, and all of the dates seem to be
> off by a day.  Does anyone see something obvious, or does it look like
> someone may be mucking with my logs?  ps: I am the only one that should
> have root, and I have had no reason to muck with the logs before the
> attack on the network last yesterday.
> 
>   EBo --

This looks suspicious.  Are your logs getting mucked about by logrotate or
somesuch?  Consider a 'brief' audit.

Good luck
Gontran
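As an added example, not part of the thread: a small Python audit of the kind Gontran suggests. It parses an `ls -l` listing (constructed here from the lines John posted, with the year 2001 supplied as an assumption, since `ls` omits it for recent files) and flags rotated logs whose modification time is later than the rotation moment the file name implies.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ls -l lines from the post, one file per line.
SAMPLE_LISTING = """\
-rw-r--r--    1 root     root            0 Sep 10 00:15 error_log_20010911
-rw-r--r--    1 root     root         1472 Sep 12 03:01 error_log_20010912
-rw-r--r--    1 root     root        10269 Sep 17 12:17 error_log_20010913
-rw-r--r--    1 root     root            0 Sep 13 02:30 error_log_20010914
-rw-r--r--    1 root     root            0 Sep 14 00:15 error_log_20010915
-rw-r--r--    1 root     root            0 Sep 15 00:15 error_log_20010916
-rw-r--r--    1 root     root            0 Sep 16 00:15 error_log_20010917
-rw-r--r--    1 root     root       565771 Sep 19 06:16 error_log_20010918
-rw-r--r--    1 root     root            0 Sep 18 00:15 error_log_20010919
"""

# One ls -l line: perms, links, owner, group, size, "Mon DD HH:MM", name ending in _YYYYMMDD.
LS_LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hhmm>\d{2}:\d{2})\s+"
    r"(?P<name>\S+_(?P<stamp>\d{8}))$"
)


def parse_listing(text, year):
    """Yield (name, size, mtime, rotation_date) for each matching ls -l line.
    `year` is an assumption: ls prints no year for files modified recently."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mtime = datetime.strptime(f"{m['mon']} {m['day']} {m['hhmm']} {year}", "%b %d %H:%M %Y")
        rotated = datetime.strptime(m["stamp"], "%Y%m%d")
        yield m["name"], int(m["size"]), mtime, rotated


def written_after_rotation(text, year=2001, grace=timedelta(minutes=30)):
    """Return the names of rotated logs whose mtime is later than the rotation
    moment.  The cron job in the post renames the live log just after midnight
    on the date in the file name, so nothing should touch the renamed file
    after that (a 30-minute grace covers the 00:15 run itself)."""
    flagged = []
    for name, _size, mtime, rotated in parse_listing(text, year):
        if mtime > rotated + grace:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in written_after_rotation(SAMPLE_LISTING):
        print("modified after rotation:", name)
```

A daemon that still holds the renamed file open (httpd is not restarted in the script) keeps writing to it and produces the same pattern, so hits should be compared against daemon restart times before being read as tampering.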