my syslog is hacked, please help!

[capitano]

Somebody hacked into my linux 7.1 machine. They didn't do much damage, aside from deleting my log files.
HOwever, all the syslog messages are now piped to the console, and I get log messages streaming across my machine. They weren't getting put into /var/log/messages like normal.

I looked at /etc/syslog.conf and made sure this line was:
*.info;mail.none;authpriv.none;cron.none /var/log/messages

No other rules in syslog.conf say to point messages to the console, however I'm still getting streaming to the console.

Does anybody know what other config files could be causing this?

Thanks,
Bryan

 

[ifincham]

Hi,

Did you restart the syslog ?

# /etc/rc.d/init.d/syslog restart

The default config /etc/syslog.conf should look like :

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none/var/log/messages

# The authpriv file has restricted access.
authpriv.*/var/log/secure

# Log all the mail messages in one place.
mail.*/var/log/maillog


# Log cron stuff
cron.*/var/log/cron

# Everybody gets emergency messages
*.emerg*

# Save news errors of level crit and higher in a special file.
uucp,news.crit/var/log/spooler

# Save boot messages also to boot.log
local7.*/var/log/boot.log


I'd suggest you run 'chkrootkit' to see if any binaries have been changed -->

http://www.chkrootkit.org/

. Also, you might want to reinstall the sysklogd rpm using the --replacepkgs option.

Hope this helps