05-24-2009, 08:10 AM   #1
Posted by lyecdevf (Join Date: Aug 2008, Posts: 116)

Complete mess in my /var/log directory!

I have recently looked at my /var/log directory. What I found upset me, so I would like to ask someone to help me understand this mess.

I am using Debian lenny at the moment and I have had it for a few months now. I installed various security tools on it, including tcpspy.

So when I looked at the tcpspy logs I got very confused. I have written down below what logs I have.



daemon.log#1 May 10-17
daemon.log#3 Apr 26-May 3 07:43:10
daemon.log#4 Apr 20 10:20:13-Apr 26 08:04:35
daemon.log#5 Apr 14 10:02:28-Apr 20 10:19:56
syslog.log#1 May 18 08:00:36-May 19 07:42:31
syslog.log#2 May 17 08:02:18-May 18 08:00:36
syslog.log#3 May 16 07:52:59-May 17 08:02:15
syslog.log#4 May 15 07:43:13-May 16 07:52:59
syslog.log#6 May 13 08:02:01-May 14 07:54:45
syslog.log#7 May 12 08:00:55-May 13 08:02:01



For some reason the logs of tcpspy are saved in two differently named files. The file called daemon.log has logs ranging from May 10-17, Apr 26-May 3, Apr 20-26 and Apr 14-20, so they cover the time from Apr 14-May 3, but then there is a gap between May 3 and May 10, which is a whole week, and I do not remember shutting down the comp at that time, although it is possible that it was offline. The file called syslog.log has tcpspy logs from May 12-19. There is actually some overlap between the daemon.log and the syslog.log.



My question is: where are the other logs? I am missing logs from before Apr 14.

Code:
Apr 29 16:15:31 debian sm-mta[4093]: n3TE5F0Z024103: SYSERR(root): Cannot exec /usr/sbin/sensible-mda: No such file or directory

Apr 29 16:21:11 debian sm-msp-queue[4145]: unable to qualify my own domain name (debian) -- using short name

Apr 29 16:25:16 debian sm-mta[4152]: n3TF5Fjn025679: SYSERR(root): putbody: write error: Broken pipe

Apr 29 17:02:13 debian sendmail[5465]: My unqualified host name (debian) unknown; sleeping for retry

Apr 29 17:03:14 debian sendmail[5465]: unable to qualify my own domain name (debian) -- using short nam

May 17 08:06:36 debian sm-mta[12944]: n4HCkZee012604: SYSERR(root): hash map "Alias0": missing map file /etc/mail/aliases.db: No such file or directory<22>May 17 08:06:48 sm-mta[12944]: n4CD4lWY002752: n4HD6Zee012944: return to sender: Cannot send message for 5 days

--WARN-- [acc006w] Login ID gdm's home directory (/var/lib/gdm) has group `gdm' write access.

--WARN-- [acc021w] Login ID honeyd appears to be a dormant account. 

--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `mail' and world write access. 

--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.

--WARN-- [cron004w] Root crontab does not exist 

--WARN-- [cron005w] Use of cron is not restricted

# Checking device permissions...

--WARN-- [dev003w] The directory /dev/bsg resides in a device directory. 

--FAIL-- [dev002f] /dev/log has world permissions 

--WARN-- [dev003w] File /dev/sndstat is a regular file in a device directory.

# Performing check of embedded pathnames...

--WARN-- [embed001w] Path `/etc/mail/Makefile' contains `/etc/mail' which is not owned by root (owned by smmta). 

         Embedded references in: /etc/init.d/sendmail

--WARN-- [embed001w] Path `/etc/mail/tls/starttls.m4' contains `/etc/mail' which is not owned by root (owned by smmta). 

         Embedded references in: /etc/mail/Makefile->/etc/init.d/sendmail

--WARN-- [embed001w] Path `/etc/mail/tls/starttls.m4' contains `/etc/mail/tls' which is not owned by root (owned by smmta). 

         Embedded references in: /etc/mail/Makefile->/etc/init.d/sendmail

# Performing common access checks for root...

--FAIL-- [netw020f] There is no /etc/ftpusers file. 

# Checking listening processes 

--WARN-- [lin003w] The process `avahi-daemon' is listening on socket 35967 (UDP on every interface) is run by avahi. 

--WARN-- [lin003w] The process `avahi-daemon' is listening on socket 5353 (UDP on every interface) is run by avahi. 

--WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on every interface. 

--WARN-- [lin002i] The process `dhclient' is listening on socket 68 (UDP) on every interface. 

--WARN-- [lin003w] The process `ktorrent' is listening on socket 6881 (TCP on every interface) is run by mupi. 

--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on every interface) is run by daemon. 

--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on every interface) is run by daemon. 

--WARN-- [lin003w] The process `rpc.statd' is listening on socket 43664 (TCP on every interface) is run by statd. 

--WARN-- [lin003w] The process `rpc.statd' is listening on socket 51234 (UDP on every interface) is run by statd. 

--WARN-- [lin003w] The process `rpc.statd' is listening on socket 935 (UDP on every interface) is run by statd. 

# Performing check of passwd files...

# Checking entries from /etc/passwd.

--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (debian-tor) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (games) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (list) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (man) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (mupi) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (news) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell. 

--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync). 

--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell. 

--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell. 

--WARN-- [pass012w] Home directory /var/lib/sendmail exists multiple times (2) in /etc/passwd. 

--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r). 

# Checking running processes 

--FAIL-- [misc020f] The process 'syslogd' has not been found running in the processes table. 

--FAIL-- [misc020f] The process 'klogd' has not been found running in the processes table.

# Performing check of 'services' ...

# Checking services from /etc/services.

--WARN-- [inet003w] The port for service sieve is also assigned to service cisco-sccp. 

--WARN-- [inet003w] The port for service ndtp is also assigned to service pipe_server. 

--WARN-- [inet003w] The port for service ndtp is also assigned to service search. 

--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql. 

--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql. 

--WARN-- [inet003w] The port for service sane is also assigned to service sane-port. 

--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt. 

--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt. 

# Performing system specific checks...

# Performing checks for Linux/2...



# Checking for single user-mode password...



# Checking boot loader file permissions...

--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group permissions. Should be 0600 

--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600 

--WARN-- [boot06] The Grub bootloader does not have a password configured. 



# Checking for vulnerabilities in inittab configuration...

--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in runlevels 12345 



# Checking for correct umask settings for init scripts...

--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS 



# Checking Logins not used on the system ...



# Checking network configuration

--WARN-- [lin012w] The system accepts ICMP redirection messages 

--FAIL-- [lin013f] The system is not protected against Syn flooding attacks 

--FAIL-- [lin014f] The system permits the transmission of IP packets with invalid addresses 

--FAIL-- [lin016f] The system permits source routing from incoming packets 

--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets 

--FAIL-- [lin019f] The system does not have any local firewall rules configured 



# Verifying system specific password checks...



# Checking OS release...



# Checking installed packages vs Debian Security Advisories...



# Checking md5sums of installed files



# Checking installed files against packages...

--WARN-- [lin001w] File `/lib/init/rw/.ramfs' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.dep' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.pcimap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.inputmap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.isapnpmap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.alias' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.ccwmap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.ieee1394map' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.ofmap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.seriomap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.symbols' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.usbmap' does not belong to any package. 

--WARN-- [lin001w] File `/lib/modules/2.6.26-2-686/modules.dep' does not belong to any package.
Here are some common problems that were reported. I am at the moment googling each one of them, but I feel so overwhelmed. Could you point out which ones are the real security risks and the ones I should look at more closely?

You may think this thread is a complete mess too, and it probably is. Help me make sense of all this! :o
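The first half of the question (which time ranges the rotated files actually cover, and where the week-long gap and the daemon.log/syslog overlap are) can be answered by script instead of by eye. The following is an added example, not code from the post or from tcpspy: it reads the first and last syslog-style timestamp of each file and reports gaps and overlaps between files. The file names, the tcpspy line format and the year 2009 are assumptions, and the sample files are constructed to mirror the ranges listed above.

```python
"""Added example, not from the original post: measure what time range a set of
rotated syslog-style files actually covers, and report gaps and overlaps
between files. Sample files are constructed inline so this runs offline."""
import re
from datetime import datetime, timedelta

YEAR = 2009  # syslog timestamps carry no year; one calendar year is assumed
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def parse_ts(line):
    """Return the datetime at the start of a syslog line, or None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime.strptime(f"{YEAR} {mon} {day} {hh}:{mm}:{ss}",
                             "%Y %b %d %H:%M:%S")


def file_span(lines):
    """(first, last) timestamp found in a file, or None if it has none."""
    stamps = [t for t in map(parse_ts, lines) if t is not None]
    return (min(stamps), max(stamps)) if stamps else None


def coverage_report(files, max_gap=timedelta(hours=1)):
    """files: {name: [lines]}.  Returns (spans, gaps, overlaps); each gap is
    (previous_file, next_file, missing_duration) and each overlap is
    (previous_file, next_file, overlapping_duration)."""
    spans = {name: file_span(lines) for name, lines in files.items()}
    ordered = sorted((span, name) for name, span in spans.items() if span)
    gaps, overlaps = [], []
    covered_until, prev_name = None, None
    for (start, end), name in ordered:
        if covered_until is not None:
            delta = start - covered_until
            if delta > max_gap:
                gaps.append((prev_name, name, delta))
            elif delta < timedelta(0):
                overlaps.append((prev_name, name, -delta))
        # track the latest point already covered, and which file covers it
        if covered_until is None or end > covered_until:
            covered_until, prev_name = end, name
    return spans, gaps, overlaps


def _line(ts):
    # constructed tcpspy-like line; the real format is not reproduced here
    return f"{ts} debian tcpspy[1234]: connect (constructed sample line)"


# Constructed to mirror the ranges listed in the post, not real log content.
SAMPLE_FILES = {
    "daemon.log.5": [_line("Apr 14 10:02:28"), _line("Apr 20 10:19:56")],
    "daemon.log.4": [_line("Apr 20 10:20:13"), _line("Apr 26 08:04:35")],
    "daemon.log.3": [_line("Apr 26 08:05:00"), _line("May  3 07:43:10")],
    "daemon.log.1": [_line("May 10 08:00:00"), _line("May 17 08:06:36")],
    "syslog.2":     [_line("May 17 08:02:18"), _line("May 18 08:00:36")],
}

if __name__ == "__main__":
    spans, gaps, overlaps = coverage_report(SAMPLE_FILES)
    for name, span in sorted(spans.items(), key=lambda kv: kv[1]):
        print(f"{name:14} {span[0]} .. {span[1]}")
    for a, b, d in gaps:
        print(f"GAP     {d} between {a} and {b}")
    for a, b, d in overlaps:
        print(f"OVERLAP {d} between {a} and {b}")
```

On the constructed sample this reports one gap of seven days between daemon.log.3 and daemon.log.1 and one overlap of a few minutes between daemon.log.1 and syslog.2, which is the shape the post describes. To run it on a real /var/log, replace SAMPLE_FILES with the contents of the rotated files (decompressing any .gz copies first); a gap that is not explained by downtime is the first thing to look at when judging whether logging itself stopped.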
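The second half of the question is the long audit report. Its lines have a fixed shape (a --WARN--/--FAIL-- level, a bracketed check code, a message), so they can be parsed, de-duplicated and ordered by the report's own severity before anyone reads them one by one. The following is an added example, not code from the post or from the tiger project: it parses lines of that shape, counts each distinct finding once (the listening-process block above was pasted three times), and lists FAIL findings before WARN. The sample report lines are constructed from the kind of output shown in the post; the level ranking is my choice.

```python
"""Added example, not from the original post: parse tiger-style audit output,
drop findings that were pasted more than once, and order what remains so
the FAIL lines come first. Sample report lines are constructed below."""
import re
from collections import defaultdict

FINDING_RE = re.compile(r"^--(ALERT|FAIL|WARN|INFO)-- \[(\w+)\] (.*?)\s*$")
LEVEL_RANK = {"ALERT": 0, "FAIL": 1, "WARN": 2, "INFO": 3}  # assumed ordering


def parse_findings(lines):
    """Return unique findings as dicts. '# ...' section headers and indented
    continuation lines are skipped; an exact repeat counts once."""
    seen, out = set(), []
    for line in lines:
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        level, code, msg = m.groups()
        if (code, msg) in seen:
            continue
        seen.add((code, msg))
        out.append({"level": level, "code": code, "msg": msg})
    return out


def raw_finding_count(lines):
    """Finding lines before de-duplication, to show how much a repeated
    paste inflates the report."""
    return sum(1 for line in lines if FINDING_RE.match(line.strip()))


def triage(findings):
    """Group findings into (level, code, count) rows ordered by severity,
    then by how many instances the code has, then by code."""
    by_code = defaultdict(int)
    for f in findings:
        by_code[(f["level"], f["code"])] += 1
    rows = [(lvl, code, n) for (lvl, code), n in by_code.items()]
    rows.sort(key=lambda r: (LEVEL_RANK.get(r[0], 9), -r[2], r[1]))
    return rows


# Constructed sample in the shape of the report pasted in the post; the
# listening-process section is deliberately repeated, as it is in the post.
SAMPLE_REPORT = """\
# Checking listening processes
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on every interface) is run by daemon.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on every interface) is run by daemon.
# Checking listening processes
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on every interface) is run by daemon.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on every interface) is run by daemon.
--FAIL-- [dev002f] /dev/log has world permissions
--WARN-- [embed001w] Path `/etc/mail/Makefile' contains `/etc/mail' which is not owned by root (owned by smmta).
         Embedded references in: /etc/init.d/sendmail
--FAIL-- [lin019f] The system does not have any local firewall rules configured
--FAIL-- [misc020f] The process 'syslogd' has not been found running in the processes table.
""".splitlines()

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    print(f"{raw_finding_count(SAMPLE_REPORT)} lines, {len(findings)} distinct findings")
    for level, code, n in triage(findings):
        print(f"{level:5} {code:10} x{n}")
```

Run against the full report, this turns a few hundred lines into a short table of distinct check codes, with the FAIL entries (here: a world-writable /dev/log, no local firewall rules, and syslogd not running) at the top. The last of those is worth reading together with the first half of the post: a report that says syslogd is not running is consistent with a week of missing log files.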