09-14-2000 01:31 PM
Syslog message time difference
Below is a piece of my syslog:
Sep 14 15:34:10 u002 syslog: su : + tty?? root-ssi7
Sep 14 15:37:05 u002 syslog: su : + tty?? root-ssi7
Sep 14 14:58:29 u002 ftpd[13227]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 14:58:29 u002 ftpd[13227]: User francis: Login incorrect
Sep 14 14:58:29 u002 ftpd[13227]: PORT
Sep 14 15:28:29 u002 ftpd[14073]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 15:28:29 u002 ftpd[14073]: User francis: Login incorrect
Sep 14 15:28:29 u002 ftpd[14073]: PORT
Sep 14 16:57:59 u002 syslog: su : + tty?? root-ssi7
Sep 14 15:58:29 u002 ftpd[14673]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 15:58:29 u002 ftpd[14673]: User francis: Login incorrect
Sep 14 15:58:29 u002 ftpd[14673]: PORT
Sep 14 17:00:18 u002 syslog: su : + tty??root-ssi7
I am concerned about the su entries. The timestamp is wrong. It is exactly 1 hour ahead. I have an entry ( last one) which says 17:00 but it is barely 16:00!!! How can this happen?
My other question is:
I have this command in my .sh.history file for root:
vi +/francis passwd
What does this command do?
I know I did not issue this command. I do have my application vendor come in as root when he has to. I am just concerned what this command does.
Thanks
Sanjay
09-14-2000 05:59 PM
Re: Syslog message time difference
From the looks of it, you should be very worried... First I would suggest that you take a look at the following site:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
It would appear that your user francis is doing something less than honourable :) check your /etc/passwd file - he may have given himself a UID of 0 (i.e. equivalent to root). If you look at the PIDs of the ftpd, it looks like it is delaying logging.
What I would do is to use /var/adm/inetd.sec to block the suspicious IP address that is trying the ftp PORT command.
Next, you might want to look on your system for a trojan (check /var/spool/cron/crontabs ) for all files in the crontabs
Turn on verbose logging for ftpd (in your inetd.conf) do a man on ftpd
GET your installation media ready and backup your data. Verify that the data is valid and be prepared for Disaster recovery, if you find something less than decent.
BTW what timezone are you in? are you running ntp of some sort? is it possible that one of your users is changing the dates?
do a:
more /home/*/.sh_history
and look for any dubious actions. BTW bear in mind that if the system was indeed compromised, the culprit would have tried to clean up after...
Next, if you can get a machine on the same subnet on which to run ethereal or tcpdump, look at the traffic coming out/into the server... I would say use
netstat -a | grep LISTEN
to check for tcp ports that are open (in case there is trojan on your system)
most importantly, be prepared to kick into disaster recovery mode.
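An added triage script, not from the thread, that runs the checks this reply recommends over a constructed copy of the syslog lines from the question and a constructed passwd file: failed ftp logins per source address, su events with no controlling tty, and UID 0 accounts other than root.

```shell
#!/bin/sh
# Constructed sample data: a copy of the su and ftpd lines quoted in the
# question, and a small fake passwd file (francis is given UID 0 on purpose
# so the check has something to find). Nothing here reads the real system.
SYSLOG_SAMPLE='Sep 14 15:34:10 u002 syslog: su : + tty?? root-ssi7
Sep 14 15:37:05 u002 syslog: su : + tty?? root-ssi7
Sep 14 14:58:29 u002 ftpd[13227]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 14:58:29 u002 ftpd[13227]: User francis: Login incorrect
Sep 14 15:28:29 u002 ftpd[14073]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 15:28:29 u002 ftpd[14073]: User francis: Login incorrect
Sep 14 16:57:59 u002 syslog: su : + tty?? root-ssi7
Sep 14 15:58:29 u002 ftpd[14673]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 15:58:29 u002 ftpd[14673]: User francis: Login incorrect
Sep 14 17:00:18 u002 syslog: su : + tty??root-ssi7'
PASSWD_SAMPLE='root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
francis:x:0:20::/home/francis:/usr/bin/sh
ssi7:x:105:20::/home/ssi7:/usr/bin/sh'

# Failed ftp logins per source address. ftpd logs the address on its
# "connection from" line and the failure on a later line with the same pid,
# so the two are joined on field 5 ("ftpd[13227]:").
failed_ftp_logins() {
  printf '%s\n' "$SYSLOG_SAMPLE" | awk '
    /ftpd\[[0-9]+\]: connection from/ { src[$5] = $8 }
    /ftpd\[[0-9]+\]: .*Login incorrect/ {
      ip = ($5 in src) ? src[$5] : "unknown"; n[ip]++ }
    END { for (ip in n) print ip, n[ip] }'
}

# su events with no controlling tty ("tty??"). These come from a process
# already running as root, not from an interactive login, which is why they
# show up while nobody is logged in.
su_without_tty() {
  printf '%s\n' "$SYSLOG_SAMPLE" |
    awk '/syslog: su : [+] tty[?][?]/ { c++ } END { print c + 0 }'
}

# UID 0 accounts other than root: the passwd check the reply recommends.
extra_uid0_accounts() {
  printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

failed_ftp_logins      # 131.193.141.59 3
su_without_tty         # 4
extra_uid0_accounts    # francis
```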
09-14-2000 07:33 PM
Re: Syslog message time difference
09-14-2000 08:44 PM
Re: Syslog message time difference
This will do nothing more than open the passwd file (if in /etc) with the vi editor and place the cursor at the first instance of the string "francis".
Maybe someone w/ superuser access went to modify this users account?
09-15-2000 06:21 AM
Re: Syslog message time difference
As noted, the vi command indicates someone with root authority edited the passwd file. If it was not you, and if you do not share user management duties with anyone else, then I would check your passwd file very carefully. Do not check just the user francis -- more than one change may have been made.
09-15-2000 06:30 AM
Re: Syslog message time difference
Thank you for your responses. I am not worried about the user francis. He is a trusted user and I can deactivate him whenever I wish. I am more concerned with the su entries. Their timestamp is wrong, in fact exactly one hour ahead of the HP clock. Actually, the timestamp on the ftp sessions is right. How can this happen?
I know that root is su'ing to ssi7 but there is no root user logged in at this time. I think that the application program ( ssi7) is doing this programmatically. Does this mean that this application ( ssi7) runs as root?
Thanks,
09-18-2000 02:32 AM
Re: Syslog message time difference
09-18-2000 03:52 AM
Re: Syslog message time difference
09-18-2000 04:42 AM
Re: Syslog message time difference
What you may be finding is that if the TZ (Timezone) variable is not set, it will default to EST5EDT.
This may mean that the /etc/profile or .profile does not have TZ set for the user.
Timezone is also set in the kernel with
# set_parms timezone
If everything checks out on the system settings, another point of failure is with applications to use TZ. You may need to set TZ using a shell wrapper that sources
/etc/TIMEZONE.
Best Wishes,
Cheryl
351501
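A runnable illustration of Cheryl's point, added here and not part of the thread: it renders the same instant under EST5EDT and under an assumed system zone of CST6CDT (the thread never names the host's zone, so that is an assumption) to show the one-hour skew, and includes a wrapper of the kind she suggests that sources /etc/TIMEZONE before starting an application. The demonstration part needs GNU `date -d`, so run it on Linux; the wrapper itself is plain sh.

```shell
#!/bin/sh
# Assumptions (not from the thread): the host's real zone is CST6CDT, and a
# process started with TZ unset falls back to EST5EDT as Cheryl describes.
SYSTEM_TZ=CST6CDT
HPUX_DEFAULT_TZ=EST5EDT

# Render one UTC instant the way syslog would stamp it under a given TZ.
render_in_tz() {
  TZ="$1" LC_ALL=C date -d "$2" '+%b %d %H:%M:%S'
}

# How many hours ahead a TZ-less process stamps a line relative to the system
# clock. The instant is constructed to match the 17:00:18 su entry.
tz_skew_hours() {
  instant='2000-09-14 21:00:18 UTC'
  fallback=$(TZ="$HPUX_DEFAULT_TZ" date -d "$instant" +%H)
  system=$(TZ="$SYSTEM_TZ" date -d "$instant" +%H)
  echo $(( ${fallback#0} - ${system#0} ))
}

# Wrapper of the kind suggested above: pick up TZ from /etc/TIMEZONE (which
# on HP-UX sets and exports TZ), fall back to the known system zone, then run
# the application so every su it performs is logged in the right zone.
run_with_system_tz() {
  tzfile="${TZFILE:-/etc/TIMEZONE}"   # TZFILE override exists only for testing
  if [ -r "$tzfile" ]; then
    . "$tzfile"
  fi
  export TZ="${TZ:-$SYSTEM_TZ}"
  "$@"
}

render_in_tz "$HPUX_DEFAULT_TZ" '2000-09-14 21:00:18 UTC'   # Sep 14 17:00:18
render_in_tz "$SYSTEM_TZ"       '2000-09-14 21:00:18 UTC'   # Sep 14 16:00:18
tz_skew_hours                                                # 1
```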
09-18-2000 04:52 AM
Re: Syslog message time difference
In keeping with Cheryl's post, you might also want to look at this recent thread:
http://my1.itrc.hp.com/cm/QuestionAnswer/1,1150,0x609e0559ff7cd4118fef0090279cd0f9,00.html
...JRF...