Re: Help with tracking down intrusion record logs
- From: gartmann@xxxxxxxxxxxxxxxxxxxxxxxx (Christoph Gartmann)
- Date: Wed, 22 Aug 2007 08:16:15 +0000 (UTC)
In article <1187767904.199876.204390@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, mcbill20@xxxxxxxxx writes:
> A few hours ago I noticed my VMS console going crazy with intrusion
> messages. Someone was trying to break in via FTP. The console messages
> of course had the date/time, program (FTP), username ("administrato"),
> and the remote host. When I did a "show intru" it showed some 6400
> attempts.
>
> I did a whois on the remote host and found it's a Dallas-based
> internet hosting service using Linux servers. I sent an e-mail to the
> network admin about the problem and received a request for logs so
> they could take action.
>
> The problem is that the break-in attempts do not show up in
> operator.log and now that it's several hours later I can't even do a
> "show intrusion". Where are these logs kept?

In the security audit journal. See ANALYZE/AUDIT.
Regards,
Christoph Gartmann
--
Max-Planck-Institut fuer Immunbiologie
Postfach 1169
D-79011 Freiburg, Germany
Phone: +49-761-5108-464   Fax: -452
Internet: gartmann@immunbio dot mpg dot de
http://www.immunbio.mpg.de/home/menue.html