[Talk] break-in... anyone read chink?

Terry Richards talk@flux.org
Fri, 02 Nov 2007 02:06:13 -0400


>This is, from the looks of it, a combined log which records all error and
>non error access as well as referrer and browser strings.

Hmmm, I think errors go to another file.

>Was this the only server that crashed at the time?  What does the
>syslog say, if anything?
Lots of stuff like so:

Nov  1 15:41:37 mm snort[3479]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
Nov  1 16:05:52 mm syslog-ng[2522]: STATS: dropped 0
Nov  1 16:07:17 mm snort[3479]: database: mysql_error: MySQL server has gone away SQL=BEGIN
Nov  1 16:07:17 mm snort[3479]: database: mysql_error: MySQL server has gone away

I obviously need to check MySQL, but what is the "STATS: dropped 0"?

I got it: in the file syslog.conf I changed
options { chain_hostnames(off); sync(0); stats(3600); };
to
options { chain_hostnames(off); sync(0); stats(0); };


Here is a big gap between entries:

Oct 12 14:35:42 mm snort[3470]: database: mysql_error: MySQL server has gone away SQL=UPDATE sensor    SET last_cid = 223541  WHERE sid = 1
Oct 12 14:35:42 mm snort[3470]: Snort exiting
Oct 12 14:35:49 mm sshd[3147]: Received signal 15; terminating.
Oct 12 14:36:03 mm syslog-ng[2522]: syslog-ng version 1.6.11 going down
Oct 22 17:03:55 mm syslog-ng[2522]: syslog-ng version 1.6.11 starting
Oct 22 17:03:55 mm syslog-ng[2522]: Changing permissions on special file /dev/tty12
Oct 22 17:03:55 mm syslog-ng[2522]: Changing permissions on special file /dev/tty12
Oct 22 17:04:09 mm sshd[3147]: Server listening on 0.0.0.0 port 22.
Oct 21 21:51:46 mm rsyncd[3416]: rsyncd version 2.6.9 starting, listening on port 873
Oct 21 21:51:46 mm rsyncd[3416]: bind() failed: Cannot assign requested address (address-family 2)
Oct 21 21:51:46 mm rsyncd[3416]: unable to bind any inbound sockets on port 873
Oct 21 21:51:46 mm rsyncd[3416]: rsync error: error in socket IO (code 10) at socket.c(477) [receiver=2.6.9]
Oct 21 21:51:47 mm snort[3478]: Var 'any_ADDRESS' defined, value len = 15 chars
Oct 21 21:51:47 mm snort[3478]: , value = 0.0.0.0/0.0.0.0


The order is funny too; notice Oct 22 comes before the 21st??
I may have shut down the server on Oct 12 as I knew it wasn't working, but
not when I left Sept 14:

....
Sep 16 19:25:43 mm syslog-ng[2538]: STATS: dropped 0
Sep 16 20:25:56 mm syslog-ng[2538]: STATS: dropped 0
Oct  6 05:19:39 mm syslog-ng[2625]: syslog-ng version 1.6.11 starting
Oct  6 05:19:39 mm syslog-ng[2625]: Changing permissions on special file /dev/tty12
Oct  6 05:19:39 mm syslog-ng[2625]: Changing permissions on special file /dev/tty12
Oct  6 05:19:49 mm rc-scripts: Strange, the socket file already exist in "/var/run/mysqld/mysqld.sock"
Oct  6 05:19:49 mm rc-scripts: it will be removed now and re-created by the MySQL server
Oct  6 05:19:49 mm rc-scripts: BUT please make your checks.
Oct  6 05:19:54 mm sshd[3263]: Server listening on 0.0.0.0 port 22.
Oct  6 05:19:57 mm rc-scripts: Apache2 has detected a syntax error in your configuration files:



/|\
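The two things the poster is squinting at in these excerpts, multi-day silences in syslog and timestamps that run backwards, are easy to pull out mechanically. The script below is an added example, not code from the poster or the list; it parses classic BSD-syslog lines (which carry no year, so 2007 is assumed), distinguishes a silence that follows a logged syslog-ng shutdown from one that does not, and flags entries whose timestamp precedes the previous one. The sample lines are constructed from the entries quoted above.

```python
import re
from datetime import datetime, timedelta

# BSD syslog prefix "Mon dd HH:MM:SS host prog[pid]: msg"; no year, so the caller supplies one.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")

def parse(line, year):
    """Return (timestamp, program, message), or None if the line is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())          # collapse the "Oct  6" padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(4)

def audit(lines, year, max_gap=timedelta(hours=2)):
    """Return (kind, line_index, detail) findings.

    kind: "gap" (silence not preceded by a logged shutdown, worth investigating),
    "gap_after_shutdown" (syslog-ng said it was going down, so explained), or
    "out_of_order" (timestamp went backwards: clock change or mixed sources).
    """
    findings, prev_ts, prev_msg = [], None, ""
    for i, line in enumerate(lines):
        rec = parse(line, year)
        if rec is None:
            continue                                # not a syslog line, e.g. "...."
        ts, _prog, msg = rec
        if prev_ts is not None:
            if ts < prev_ts:
                findings.append(("out_of_order", i, f"{prev_ts} -> {ts}"))
            elif ts - prev_ts > max_gap:
                kind = "gap_after_shutdown" if "going down" in prev_msg else "gap"
                findings.append((kind, i, str(ts - prev_ts)))
        prev_ts, prev_msg = ts, msg
    return findings

# Constructed sample, drawn from the entries quoted in the post above (year 2007 assumed).
SAMPLE = [
    "Sep 16 20:25:56 mm syslog-ng[2538]: STATS: dropped 0",
    "....",
    "Oct  6 05:19:39 mm syslog-ng[2625]: syslog-ng version 1.6.11 starting",
    "Oct 12 14:35:42 mm snort[3470]: Snort exiting",
    "Oct 12 14:36:03 mm syslog-ng[2522]: syslog-ng version 1.6.11 going down",
    "Oct 22 17:03:55 mm syslog-ng[2522]: syslog-ng version 1.6.11 starting",
    "Oct 21 21:51:46 mm rsyncd[3416]: rsyncd version 2.6.9 starting, listening on port 873",
]

if __name__ == "__main__":
    for kind, idx, detail in audit(SAMPLE, 2007):
        print(f"line {idx}: {kind} ({detail})")
```

On the sample this reports two unexplained gaps (after Sep 16 and after Oct 6), one explained gap after the Oct 12 "going down", and the Oct 22 to Oct 21 reversal; a year boundary inside the file is not handled, since the thread's logs all fall within 2007.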