Subject: Re: I've been hit with ksyslogd
From: Chris Jones (c.jonesICM-GROUP.COM)
Date: Fri Oct 13 2000 - 04:11:38 CDT


Hi

> to upgrade. This daemon is a little hard to find because of the naming

It's not hard to find at all.

-(rootshogun)-(/etc)- rpm -qfi /sbin/syslogd
Name        : sysklogd            Relocations: (not relocateable)
Version     : 1.3.31              Vendor: Red Hat, Inc.
Release     : 16                  Build Date: Thu 03 Feb 2000 06:32:28 PM GMT
Install date: Wed 16 Aug 2000 10:10:10 PM BST   Build Host: porky.devel.redhat.com
....etc.

The two binaries it installs are:

/sbin/klogd
/sbin/syslogd

It places no binaries in /usr/sbin, it contains no files called ksyslogd and
it doesn't touch /etc/inittab.

> use RedHat/Mandrake anyway) and it is called both ksyslogd
> and sysklogd, depending on where you look.

I'm not familiar with Mandrake, but I'd like to know whereabouts on RedHat
it is called ksyslogd.

> the mailing list archive) upgrade to the latest package and
> turn it back on.

Does Mandrake start its kernel logging daemon from /etc/inittab? Or does it
use an rc.d script like most RedHat derived distros? Does its package for
the kernel logging daemon put the binary in /usr/sbin, or /sbin? Just saying
"oh, that's the kernel logger, re-enable it" without checking the details is
asking for disaster. It could be that in this case it's not actually a crack
attempt - maybe some clueless admin at his place installed a package they
shouldn't have, but there is the possibility that it is a crack, so further
investigation is required.

--
Chris Jones
Sysadmin
ICM Group

Anything I say is probably not the opinion of my employers, the spineless bastards.
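A small triage script in the spirit of the reply above, added here as an example and not part of the original thread: for each daemon that /etc/inittab respawns, it reports where the binary lives and whether any installed package claims it. It assumes an rpm-based host and works on a constructed sample inittab; the `pkg_owner` and `triage_inittab` names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: triage the respawn entries of an
# inittab the way the reply suggests, asking of each daemon (a) where its
# binary lives and (b) whether any installed package claims it.
# Assumption: an rpm-based host; pkg_owner is a wrapper so it can be stubbed.

# Package that owns a file, UNOWNED when rpm knows nothing about it, NO-RPM
# when rpm itself is not installed on this host.
pkg_owner() {
    command -v rpm >/dev/null 2>&1 || { echo NO-RPM; return; }
    pkg=$(rpm -qf "$1" 2>/dev/null) && echo "$pkg" || echo UNOWNED
}

# Print one line per respawn entry of the inittab given as $1:
#   <id> <binary> <owner> <notes>
# notes is "ok", or a comma list of: outside-sbin (not under /sbin, where the
# stock sysklogd binaries live) and unowned (no package claims the binary).
triage_inittab() {
    grep -v '^[[:space:]]*#' "$1" |
    while IFS=: read -r id levels action process; do
        [ "$action" = respawn ] || continue
        bin=${process%% *}                 # command word, minus arguments
        owner=$(pkg_owner "$bin")
        notes=
        case "$bin" in /sbin/*) ;; *) notes=outside-sbin ;; esac
        [ "$owner" = UNOWNED ] && notes="${notes:+$notes,}unowned"
        printf '%s %s %s %s\n' "$id" "$bin" "$owner" "${notes:-ok}"
    done
}

# Constructed sample inittab: two stock-looking entries plus the entry the
# original poster found. Writes a temp file and prints its path.
make_sample_inittab() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed sample, not a real system's inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
ks:2345:respawn:/usr/sbin/ksyslogd
EOF
    echo "$f"
}

sample=$(make_sample_inittab)
triage_inittab "$sample"
rm -f "$sample"
```

An entry flagged only outside-sbin (the display manager, for instance) is normal; one that is both outside /sbin and unowned is the case the reply says deserves a closer look before anyone re-enables it.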