In all my years of UNIX sys admin experience I have never seen something
so bizarre as this happen, first seen this morning on my Red Hat 5.2
Linux system:
- New logins are no longer being reported with 'w', 'who', and 'last'
commands. Entries are being made to utmp/wtmp but I haven't verified if
they're correct. Rotating/removing these files doesn't help either.
- /var/log/secure is no longer being logged to (scary).
- The system date as reported by 'date' and last mod dates on new files
on all filesystems differ by exactly 5 hours, the file being 5 hours in
the future. Maybe this has something to do with EST timezone?
- The MAIL env var is being set to /spool/mail/login instead of the
proper /var/spool/mail/login. This causes mail apps to fail to find the
users incoming mail spool. Resetting this variable manually fixes
things.
Things I've tried doing to fix the problems:
- Rebooting the system (but not power cycling, it's remote).
- Messing with wtmp/utmp to manually reset their status.
- Moving the latest /var/log/secure file and restarting syslogd. The
entry for authpriv.* remains in /etc/syslogd.conf and other syslog files
are still working fine.
- Resetting the date manually (timezone is correct).
The only things that make me believe that this might be a security
attack is the fact that /var/log/secure no longer works AT ALL and that
I can't get a traditional list of current logins any more. The other
things I could pass as a fluke or bug in the system. But I have found
nothing else out of the ordinary. The future file date issue is
terribly inconvenient, as well as the fact that I can't get a list of
current logins.
I found nothing on the Red Hat web site regarding these specific
issues. I did find a new syslogd there, but the fixes don't seem to
specifically address the problems with no security logs.
Any ideas? I'm at the edge of my wit...
Doug
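When 'w', 'who' and 'last' stop showing logins while utmp/wtmp are still being written, the first thing a responder wants is an independent reading of those files that does not go through the possibly tampered login binaries, plus a check for the clock skew Doug describes. The following is an added example, not part of Doug's post or any Red Hat tooling. It assumes the glibc x86-64 `struct utmp` layout (384 bytes; verify `sizeof(struct utmp)` on the host before trusting it), and the sample records are constructed for illustration.

```python
import struct
import time

# Assumed glibc x86-64 struct utmp layout (384 bytes):
#   ut_type(short) pad(2) ut_pid(int) ut_line[32] ut_id[4] ut_user[32]
#   ut_host[256] ut_exit(2 shorts) ut_session(int32) ut_tv(2 int32)
#   ut_addr_v6[4 int32] __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

USER_PROCESS = 7   # an interactive login session
DEAD_PROCESS = 8   # a terminated session


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(data):
    """Parse raw utmp/wtmp bytes into a list of dict records, ignoring a trailing partial record."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],  # ut_tv.tv_sec
        })
    return recs


def read_utmp(path):
    """Read and parse a utmp-format file from disk (e.g. /var/run/utmp or /var/log/wtmp)."""
    with open(path, "rb") as fh:
        return parse_utmp(fh.read())


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one raw utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def active_logins(recs):
    """Sessions the raw file says are live, independent of what 'who' prints."""
    return [r for r in recs if r["type"] == USER_PROCESS and r["user"]]


def find_anomalies(recs, now, max_skew=3600):
    """Flag records whose timestamp is implausibly far ahead of the reference clock."""
    return [(r["user"], r["line"], r["time"] - now)
            for r in recs if r["time"] > now + max_skew]


def missing_from_who(recs, who_users):
    """Users present in raw utmp but absent from the login list a (possibly tampered) 'who' reported."""
    return sorted({r["user"] for r in active_logins(recs)} - set(who_users))


# Constructed sample data: one sane login, one with a 5-hour-future timestamp, one dead slot.
NOW = 946684800  # 2000-01-01T00:00:00Z, fixed so results are reproducible
SAMPLE = b"".join([
    make_record(USER_PROCESS, 101, "tty1", "root", "", NOW - 600),
    make_record(USER_PROCESS, 202, "pts/0", "alice", "10.0.0.5", NOW + 5 * 3600),
    make_record(DEAD_PROCESS, 303, "pts/1", "", "", NOW - 60),
])

if __name__ == "__main__":
    recs = parse_utmp(SAMPLE)
    for r in active_logins(recs):
        print("live:", r["user"], r["line"], time.strftime("%Y-%m-%d %H:%M", time.gmtime(r["time"])))
    print("future-dated:", find_anomalies(recs, NOW))
    print("in utmp but not in who:", missing_from_who(recs, ["root"]))
```

Run `read_utmp("/var/run/utmp")` and compare `active_logins` against the output of `who`; any user the raw file shows as live that `who` omits means the discrepancy is in the binaries or libc, not in the accounting files. `find_anomalies` applied to `/var/log/wtmp` with `time.time()` as the reference will show whether the 5-hour offset is leaking into login records as well as file mtimes.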