In article <WXocb.145402$mp.72651@rwcrnsc51.ops.asp.att.net>,
David wrote:
>> -rw-r----- 1 root root 0 Aug 31 04:40 secure.3
>> -rw-r----- 1 root root 3211 Aug 28 22:02 secure.4
>
> Anything in secure.4 by chance?
> All those zero'd files don't look good.

I disagree. The times are all 04:40's, so logrotate is working. Looks
like something happened to syslogd (or perhaps rc.syslog) such that it
won't restart. It is definitely possible that there was an innocent
goof-up here, and not a cracker. (I *do* agree that secure.4 is likely
to hold a clue; if nothing else it might narrow the time frame of
syslogd's demise.)

SuperDaemon must find out ASAP *why* syslogd is not running. Yes, do the
chkrootkit still, but don't assume you've been compromised.

That's good advice in general. Yes, when syslogd fails you should take
it seriously and regard it as a possible intrusion. The fact is, there
are thousands of scares for every real compromise. I've had some scares
too, and in each and every incident it turned out innocent (or rather, a
matter of sysadmin ineptitude.)

It sounded like SuperDaemon was running a tight ship: no open services,
possibly a good firewall. So far no objective reason to suspect a root
exploit. Is there any chance of a local or LAN attack? Any potentially
non-trustworthy users behind the firewall? Or, any exposed machine which
might have been a base for a behind-the-firewall attack against you?

I know you (SD) said you didn't "play" as root, but still, just a stray
keystroke could have killed your syslogd. At this point I suspect YOU as
the most likely culprit here.

But don't be embarrassed. Everybody messes up except for gods and liars
(and gods don't need computers.) It's important to follow through on a
thread like this. Let us know what you find out. Good luck.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
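The reasoning in the post (rotation timestamps all at 04:40 means logrotate is fine, the empty files mean the logger stopped writing, and the mtime of the last non-empty rotation bounds when it died) can be turned into a small triage script. The following is an added example, not code from the thread; the listing is constructed in the style of the post (only the secure.3 and secure.4 lines come from it), and the year is an assumption because `ls -l` omits it for recent files.

```python
"""Triage an `ls -l` listing of rotated logs: is the rotation job still
running while the logger has stopped writing?  Added example, not code
from the original thread."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed listing in the style of the post.  Only the secure.3 and
# secure.4 lines appear in the original; the others are made up to show a
# complete rotation set.  `ls -l` omits the year for recent files, so the
# caller supplies one (ASSUMED_YEAR is an assumption, not from the post).
LISTING = """\
-rw-r----- 1 root root    0 Sep  3 04:40 secure
-rw-r----- 1 root root    0 Sep  2 04:40 secure.1
-rw-r----- 1 root root    0 Sep  1 04:40 secure.2
-rw-r----- 1 root root    0 Aug 31 04:40 secure.3
-rw-r----- 1 root root 3211 Aug 28 22:02 secure.4
"""
ASSUMED_YEAR = 2003

# Recent-file form of `ls -l`: mode links user group size Mon DD HH:MM name
LS_LINE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)"
    r"\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<clock>\d{2}:\d{2})"
    r"\s+(?P<name>\S+)$"
)


class LogFile(NamedTuple):
    name: str
    size: int
    mtime: datetime


def parse_listing(text: str, year: int) -> List[LogFile]:
    """Parse `ls -l` lines into LogFile records; lines that do not match
    the recent-file layout (totals, blanks, year-form entries) are skipped."""
    files = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        stamp = f"{m['mon']} {m['day']} {year} {m['clock']}"
        mtime = datetime.strptime(stamp, "%b %d %Y %H:%M")
        files.append(LogFile(m["name"], int(m["size"]), mtime))
    return files


def triage(files: List[LogFile]) -> Dict[str, object]:
    """Apply the post's reasoning: same HH:MM on every empty file points at
    the scheduled rotation job; the newest non-empty file bounds the last
    write, the oldest empty file bounds when the logger was already dead."""
    empty = [f for f in files if f.size == 0]
    nonempty = [f for f in files if f.size > 0]
    clocks = {f.mtime.strftime("%H:%M") for f in empty}
    rotation_on_schedule = len(empty) > 1 and len(clocks) == 1

    window: Optional[Tuple[datetime, datetime]] = None
    if nonempty and empty:
        last_write = max(f.mtime for f in nonempty)   # last record written
        first_empty = min(f.mtime for f in empty)     # log already empty here
        if last_write < first_empty:
            window = (last_write, first_empty)

    if rotation_on_schedule and window:
        verdict = "rotation still running; logger stopped writing"
    elif not empty:
        verdict = "logging looks healthy"
    else:
        verdict = "inconclusive; inspect mtimes by hand"

    return {
        "empty": [f.name for f in empty],
        "nonempty": [f.name for f in nonempty],
        "rotation_on_schedule": rotation_on_schedule,
        "stopped_between": window,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(parse_listing(LISTING, ASSUMED_YEAR))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The script only reads the listing, so it is safe to run on a box you are still unsure about; the next step on the live host is the one the post calls for, confirming whether the syslog daemon process exists and why it would not restart, then reading secure.4 for the last entries before the gap.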