Re: Logwatch question.

On Wed, 2005-10-12 at 07:37 +0200, Tomas Larsson wrote:
> What does the entry
> 
> A total of 1 sites probed the server 
>     192.138.xxx.xxx
> 
> mean? Is it something I should be worried over?
> 
> With best regards
> 
> Tomas Larsson

Logwatch uses a set of "bad thing" rules for each logfile it manages.
The message you are seeing just means Logwatch saw something in your
logs that matched one of these rule patterns. Most of the time I find
Logwatch's concerns to be valid, after all there are plenty of script
kiddies out there probing for vulnerable systems. But just because
Logwatch is concerned and the attack is real does not mean you have been
rooted, it just means that something happened that looked like an
attack. 

Some of the things it looks for are Windows specific attacks. These are
harmless to your Linux system, but it doesn't hurt to know who the bad
guys are and what they're up to.

If you're interested you could search your logfiles for the offending IP
to see what they were up to. The actual Logwatch scripts are
in /etc/log.d/scripts/. Have a look at them if you are interested in
seeing what Logwatch is looking for.

-- 
Brian Gaynor
www.pmccorp.com
FC4/Linux on DELL Inspiron 5160 3.0Ghz 
canis 14:05:37 up 2:15, 1 user, 
load average: 0.09, 0.10, 0.08 
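
One way to act on the suggestion above to search the logs for the offending IP, as an added example that is not part of the original post. It assumes the report came from a web server writing Apache common/combined format access logs; the function names, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise what one client IP asked a web server for.
# Assumption: Apache common/combined access log format.

# sample_log: constructed log lines (documentation-range addresses).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [12/Oct/2005:03:14:07 +0200] "GET /phpmyadmin/index.php HTTP/1.0" 404 289
192.0.2.10 - - [12/Oct/2005:03:14:08 +0200] "GET /phpmyadmin/index.php HTTP/1.0" 404 289
192.0.2.10 - - [12/Oct/2005:03:14:09 +0200] "GET /admin/ HTTP/1.0" 404 280
192.0.2.10 - - [12/Oct/2005:03:14:10 +0200] "GET / HTTP/1.0" 200 1456
198.51.100.7 - - [12/Oct/2005:03:20:00 +0200] "GET /index.html HTTP/1.1" 200 1456
EOF
}

# summarize_ip IP LOGFILE
# Prints "count status method path" per distinct request, most frequent first.
summarize_ip() {
    awk -v ip="$1" '
        $1 != ip { next }
        # Fields: $6 is "\"METHOD", $7 the path, $9 the status code.
        $9 !~ /^[0-9][0-9][0-9]$/ { seen["??? malformed -"]++; next }
        { method = $6; sub(/^"/, "", method); seen[$9 " " method " " $7]++ }
        END { for (k in seen) print seen[k], k }
    ' "$2" | sort -k1,1nr -k2
}

# answered_ip IP LOGFILE
# Keeps only requests the server did not reject with a 4xx status:
# these are the ones worth reading closely after a probe.
answered_ip() {
    summarize_ip "$1" "$2" | awk '$2 !~ /^4/'
}

# Demo on the constructed log.
log=$(mktemp)
sample_log > "$log"
answered_ip 192.0.2.10 "$log"
rm -f "$log"
```

A probe that only collected 404 responses found nothing; requests that were answered with another status are the ones to compare against what the server is actually meant to serve.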



