Code:
Sep 26 01:07:36 ht41 NetworkManager: <info> DHCP daemon state is now 1 (starting) for interface eth0
Sep 26 01:07:40 ht41 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
Sep 26 01:07:40 ht41 dhclient: DHCPOFFER of 192.168.10.81 from 192.168.10.7
Sep 26 01:07:40 ht41 dhclient: DHCPREQUEST of 192.168.10.81 on eth0 to 255.255.255.255 port 67
Sep 26 01:07:40 ht41 dhclient: DHCPACK of 192.168.10.81 from 192.168.10.7
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.10.81.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: New relevant interface eth0.IPv4 for mDNS.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Registering new address record for 192.168.10.81 on eth0.IPv4.
Sep 26 01:07:40 ht41 NetworkManager: <info> DHCP daemon state is now 2 (bound) for interface eth0
Sep 26 01:07:40 ht41 NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Get) scheduled...
Sep 26 01:07:40 ht41 NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Get) started...
Sep 26 01:07:40 ht41 NetworkManager: <info> Retrieved the following IP4 configuration from the DHCP daemon:
Sep 26 01:07:40 ht41 NetworkManager: <info> address 192.168.10.81
Sep 26 01:07:40 ht41 NetworkManager: <info> netmask 255.255.255.0
Sep 26 01:07:40 ht41 NetworkManager: <info> broadcast 192.168.10.255
Sep 26 01:07:40 ht41 NetworkManager: <info> gateway 192.168.10.7
Sep 26 01:07:40 ht41 NetworkManager: <info> nameserver 192.168.10.7
Sep 26 01:07:40 ht41 NetworkManager: <info> domain name 'xxnone'
Sep 26 01:07:40 ht41 NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) scheduled...
Sep 26 01:07:40 ht41 NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Get) complete.
Sep 26 01:07:40 ht41 NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
Sep 26 01:07:40 ht41 dhclient: bound to 192.168.10.81 -- renewal in 58 seconds.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Withdrawing address record for 192.168.10.81 on eth0.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Leaving mDNS multicast group on interface eth0.IPv4 with address 192.168.10.81.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Interface eth0.IPv4 no longer relevant for mDNS.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Withdrawing address record for fe80::211:25ff:fe2d:29d2 on eth0.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.10.81.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: New relevant interface eth0.IPv4 for mDNS.
Sep 26 01:07:40 ht41 avahi-daemon[5057]: Registering new address record for 192.168.10.81 on eth0.IPv4.
Sep 26 01:07:41 ht41 NetworkManager: <info> Clearing nscd hosts cache.
Sep 26 01:07:41 ht41 NetworkManager: <WARN> nm_spawn_process(): nm_spawn_process('/usr/sbin/nscd -i hosts'): could not spawn process. (Failed to execute child process "/usr/sbin/nscd" (No such file or directory))
Sep 26 01:07:41 ht41 NetworkManager: <info> Activation (eth0) successful, device activated.
Sep 26 01:07:41 ht41 NetworkManager: <info> Activation (eth0) Finish handler scheduled.
Sep 26 01:07:41 ht41 NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Sep 26 01:07:42 ht41 avahi-daemon[5057]: Registering new address record for fe80::211:25ff:fe2d:29d2 on eth0.*.
Sep 26 01:07:45 ht41 ntpdate[28601]: adjust time server 91.189.94.4 offset -0.298091 sec
Sep 26 01:08:38 ht41 dhclient: DHCPREQUEST of <null address> on eth0 to 192.168.10.7 port 67
Sep 26 01:08:38 ht41 dhclient: DHCPACK of 192.168.10.81 from 192.168.10.7
Sep 26 01:08:38 ht41 NetworkManager: <info> DHCP daemon state is now 3 (renew) for interface eth0
Sep 26 01:08:38 ht41 dhclient: bound to 192.168.10.81 -- renewal in 50 seconds.
Sep 26 01:09:05 ht41 rpc.statd[28979]: Version 1.1.2 Starting
Sep 26 01:09:09 ht41 NetworkManager: <debug> [1222384149.214441] nm_hal_device_added(): New device added (hal udi is '/org/freedesktop/Hal/devices/usb_device_5e3_1205_noserial').
Sep 26 01:09:09 ht41 NetworkManager: <debug> [1222384149.817265] nm_hal_device_added(): New device added (hal udi is '/org/freedesktop/Hal/devices/usb_device_5e3_1205_noserial_if0').
Sep 26 01:09:09 ht41 NetworkManager: <debug> [1222384149.921943] nm_hal_device_added(): New device added (hal udi is '/org/freedesktop/Hal/devices/usb_device_5e3_1205_noserial_if0_logicaldev_input').
Sep 26 01:09:12 ht41 NetworkManager: <info> SWITCH: terminating current connection 'eth0' because it's no longer valid.
Sep 26 01:09:12 ht41 NetworkManager: <info> Deactivating device eth0.
Sep 26 01:09:12 ht41 dhclient: There is already a pid file /var/run/dhclient.eth0.pid with pid 28533
Sep 26 01:09:12 ht41 dhclient: killed old client process, removed PID file
Sep 26 01:09:12 ht41 dhclient: DHCPRELEASE on eth0 to 192.168.10.7 port 67
Sep 26 01:09:12 ht41 avahi-daemon[5057]: Withdrawing address record for 192.168.10.81 on eth0.
Sep 26 01:09:12 ht41 avahi-daemon[5057]: Leaving mDNS multicast group on interface eth0.IPv4 with address 192.168.10.81.
Sep 26 01:09:12 ht41 avahi-daemon[5057]: Interface eth0.IPv4 no longer relevant for mDNS.
Sep 26 01:09:13 ht41 avahi-daemon[5057]: Withdrawing address record for fe80::211:25ff:fe2d:29d2 on eth0.
Sep 26 01:09:13 ht41 NetworkManager: nm_device_is_802_3_ethernet: assertion `dev != NULL' failed
Sep 26 01:09:13 ht41 NetworkManager: nm_device_is_802_11_wireless: assertion `dev != NULL' failed
Sep 26 01:30:24 ht41 rpc.statd[28979]: Caught signal 15, un-registering and exiting.
Sep 26 01:30:29 ht41 rpc.statd[30614]: Version 1.1.2 Starting
Sep 26 01:30:29 ht41 rpc.statd[30614]: unable to register (statd, 1, udp).
Sep 26 01:31:05 ht41 NetworkManager: <debug> [1222385465.805798] nm_hal_device_removed(): Device removed (hal udi is '/org/freedesktop/Hal/devices/usb_device_5e3_1205_noserial_if0_logicaldev_input').
Sep 26 01:31:05 ht41 NetworkManager: <debug> [1222385465.820040] nm_hal_device_removed(): Device removed (hal udi is '/org/freedesktop/Hal/devices/usb_device_5e3_1205_noserial_if0').
Sep 26 01:31:05 ht41 NetworkManager: <debug> [1222385465.826053] nm_hal_device_removed(): Device removed (hal udi is '/org/freedesktop/Hal/devices/usb_device_5e3_1205_noserial').
Sep 26 01:34:17 ht41 NetworkManager: <info> Will activate wired connection 'eth0' because it now has a link.
Sep 26 01:34:17 ht41 NetworkManager: <info> SWITCH: no current connection, found better connection 'eth0'.
Sep 26 01:34:17 ht41 NetworkManager: <info> Will activate connection 'eth0'.
Sep 26 01:34:17 ht41 NetworkManager: <info> Device eth0 activation scheduled...
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) started...
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 1 of 5 (Device Prepare) scheduled...
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 1 of 5 (Device Prepare) started...
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 2 of 5 (Device Configure) scheduled...
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 1 of 5 (Device Prepare) complete.
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 2 of 5 (Device Configure) starting...
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 2 of 5 (Device Configure) successful.
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 3 of 5 (IP Configure Start) scheduled.
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 2 of 5 (Device Configure) complete.
Sep 26 01:34:17 ht41 NetworkManager: <info> Activation (eth0) Stage 3 of 5 (IP Configure Start) started...
Sep 26 01:34:18 ht41 NetworkManager: <info> Activation (eth0) Beginning DHCP transaction.
Sep 26 01:34:18 ht41 dhclient: There is already a pid file /var/run/dhclient.eth0.pid with pid 134519072
Sep 26 01:34:18 ht41 NetworkManager: <info> Activation (eth0) Stage 3 of 5 (IP Configure Start) complete.
Sep 26 01:34:18 ht41 NetworkManager: <info> DHCP daemon state is now 12 (successfully started) for interface eth0
Sep 26 01:34:18 ht41 avahi-daemon[5057]: Registering new address record for fe80::211:25ff:fe2d:29d2 on eth0.*.
Sep 26 01:34:19 ht41 NetworkManager: <info> DHCP daemon state is now 1 (starting) for interface eth0
Sep 26 01:34:21 ht41 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
Sep 26 01:34:27 ht41 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
Sep 26 01:34:34 ht41 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
Sep 26 01:34:42 ht41 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21
Sep 26 01:35:03 ht41 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 19
Sep 26 01:35:22 ht41 dhclient: No DHCPOFFERS received.
Sep 26 01:35:22 ht41 avahi-autoipd(eth0)[31049]: Found user 'avahi-autoipd' (UID 105) and group 'avahi-autoipd' (GID 113).
Sep 26 01:35:22 ht41 avahi-autoipd(eth0)[31049]: Successfully called chroot().
Sep 26 01:35:22 ht41 avahi-autoipd(eth0)[31049]: Successfully dropped root privileges.
Sep 26 01:35:22 ht41 avahi-autoipd(eth0)[31049]: Starting with address 169.254.5.161
Sep 26 01:35:27 ht41 avahi-autoipd(eth0)[31049]: Callout BIND, address 169.254.5.161 on interface eth0
Sep 26 01:35:27 ht41 avahi-daemon[5057]: Joining mDNS multicast group on interface eth0.IPv4 with address 169.254.5.161.
Sep 26 01:35:27 ht41 avahi-daemon[5057]: New relevant interface eth0.IPv4 for mDNS.
Sep 26 01:35:27 ht41 avahi-daemon[5057]: Registering new address record for 169.254.5.161 on eth0.IPv4.
Sep 26 01:35:31 ht41 avahi-autoipd(eth0)[31049]: Successfully claimed IP address 169.254.5.161
Sep 26 01:35:32 ht41 NetworkManager: <info> DHCP daemon state is now 9 (fail) for interface eth0
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Timeout) scheduled...
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Timeout) started...
Sep 26 01:35:32 ht41 NetworkManager: <info> No DHCP reply received. Automatically obtaining IP via Zeroconf.
Sep 26 01:35:32 ht41 NetworkManager: <info> avahi-autoipd running on eth0, assuming IPv4LL address
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) scheduled...
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP Configure Timeout) complete.
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
Sep 26 01:35:32 ht41 NetworkManager: <info> not touching eth0 configuration, was configured externally
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) successful, device activated.
Sep 26 01:35:32 ht41 NetworkManager: <info> DHCP daemon state is now 14 (normal exit) for interface eth0
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Finish handler scheduled.
Sep 26 01:35:32 ht41 NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Sep 26 01:35:37 ht41 avahi-autoipd(eth0)[31049]: A routable address has been configured.
Sep 26 01:35:37 ht41 avahi-autoipd(eth0)[31049]: Callout UNBIND, address 169.254.5.161 on interface eth0
Sep 26 01:35:37 ht41 avahi-daemon[5057]: Leaving mDNS multicast group on interface eth0.IPv4 with address 169.254.5.161.
Sep 26 01:35:37 ht41 avahi-daemon[5057]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.10.33.
Sep 26 01:35:37 ht41 avahi-daemon[5057]: Registering new address record for 192.168.10.33 on eth0.IPv4.
Sep 26 01:35:37 ht41 avahi-daemon[5057]: Withdrawing address record for 169.254.5.161 on eth0.
Sep 26 01:35:52 ht41 ntpdate[31094]: can't find host ntp.ubuntu.com
Sep 26 01:35:52 ht41 ntpdate[31094]: no servers can be used, exiting
Ossec log:
Code:
** Alert 1222554500.0: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/dhclient.eth0.pid' present on /dev. Possible hidden file.
** Alert 1222554500.268: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/rpc.statd.pid' present on /dev. Possible hidden file.
** Alert 1222554500.534: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/sm-notify.pid' present on /dev. Possible hidden file.
** Alert 1222554500.800: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/portmap_mapping' present on /dev. Possible hidden file.
** Alert 1222554500.1068: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/sudo/fefekh/1' present on /dev. Possible hidden file.
** Alert 1222554500.1335: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/sudo/fefekh/0' present on /dev. Possible hidden file.
** Alert 1222554500.1602: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/sudo/fefekh/unknown' present on /dev. Possible hidden file.
** Alert 1222554500.1875: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/console/fefekh' present on /dev. Possible hidden file.
** Alert 1222554500.2143: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/crond.reboot' present on /dev. Possible hidden file.
** Alert 1222554500.2409: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/crond.pid' present on /dev. Possible hidden file.
** Alert 1222554500.2672: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/gdm.pid' present on /dev. Possible hidden file.
** Alert 1222554500.2933: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/console-kit-daemon.pid' present on /dev. Possible hidden file.
** Alert 1222554500.3209: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/hald/acl-list' present on /dev. Possible hidden file.
** Alert 1222554500.3476: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/hald/hald.pid' present on /dev. Possible hidden file.
** Alert 1222554500.3743: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/dhcdbd.pid' present on /dev. Possible hidden file.
** Alert 1222554500.4007: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/hotkey-setup' present on /dev. Possible hidden file.
** Alert 1222554500.4273: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/cups/printcap' present on /dev. Possible hidden file.
** Alert 1222554500.4540: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/avahi-daemon/checked_nameservers' present on /dev. Possible hidden file.
** Alert 1222554500.4826: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/avahi-daemon/pid' present on /dev. Possible hidden file.
** Alert 1222554500.5096: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/system-tools-backends.pid' present on /dev. Possible hidden file.
** Alert 1222554500.5375: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/NetworkManager/NetworkManagerDispatcher.pid' present on /dev. Possible hidden file.
** Alert 1222554500.5672: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/NetworkManager/NetworkManager.pid' present on /dev. Possible hidden file.
** Alert 1222554500.5959: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/dbus/pid' present on /dev. Possible hidden file.
** Alert 1222554500.6221: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/klogd/klogd.pid' present on /dev. Possible hidden file.
** Alert 1222554500.6490: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/klogd/kmsgpipe.pid' present on /dev. Possible hidden file.
** Alert 1222554500.6762: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/syslogd.pid' present on /dev. Possible hidden file.
** Alert 1222554500.7027: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/PolicyKit/user-fefekh.auths' present on /dev. Possible hidden file.
** Alert 1222554500.7308: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/motd' present on /dev. Possible hidden file.
** Alert 1222554500.7566: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/utmp' present on /dev. Possible hidden file.
** Alert 1222554500.7824: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/network/ifstate' present on /dev. Possible hidden file.
** Alert 1222554500.8093: mail - ossec,rootcheck,
2008 Sep 28 00:28:20 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
File '/dev/shm/var.run/sendsigs.omit' present on /dev. Possible hidden file.
** Alert 1222554996.8360: mail - ossec,rootcheck,
2008 Sep 28 00:36:36 ht41->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
Port '953'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1222556559.8627: mail - syslog,errors,
2008 Sep 28 01:02:39 ht41->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Sep 28 01:02:38 ht41 NetworkManager: nm_device_is_802_3_ethernet: assertion `dev != NULL' failed
** Alert 1222556559.8912: mail - syslog,errors,
2008 Sep 28 01:02:39 ht41->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Sep 28 01:02:38 ht41 NetworkManager: nm_device_is_802_11_wireless: assertion `dev != NULL' failed
** Alert 1222557761.9198: - syslog,sudo
2008 Sep 28 01:22:41 ht41->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Src IP: (none)
User: fefekh
Sep 28 01:22:41 ht41 sudo: fefekh : TTY=pts/0 ; PWD=/home/fefekh ; USER=root ; COMMAND=/bin/su
** Alert 1222557761.9468: - pam,syslog,authentication_success,
2008 Sep 28 01:22:41 ht41->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Src IP: (none)
User: (none)
Sep 28 01:22:41 ht41 sudo: pam_unix(sudo:session): session opened for user root by fefekh(uid=0)
** Alert 1222557761.9750: - pam,syslog,
2008 Sep 28 01:22:41 ht41->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Src IP: (none)
User: (none)
Sep 28 01:22:41 ht41 sudo: pam_unix(sudo:session): session closed for user root
** Alert 1222557761.9992: - syslog, su,authentication_success,
2008 Sep 28 01:22:41 ht41->/var/log/auth.log
Rule: 5303 (level 3) -> 'User successfully changed UID to root.'
Src IP: (none)
User: (none)
Sep 28 01:22:41 ht41 su[27516]: + pts/0 root:root
** Alert 1222557761.10244: - syslog, su,authentication_success,
2008 Sep 28 01:22:41 ht41->/var/log/auth.log
Rule: 5303 (level 3) -> 'User successfully changed UID to root.'
Src IP: (none)
User: (none)
Sep 28 01:22:41 ht41 su[27516]: pam_unix(su:session): session opened for user root by fefekh(uid=0)