This is the original request for help. Doesn't seem to have made it to the list.

I don't have any indication in /tmp; in fact, no files there at all!? I do believe I have a chrooted jail on the box in the /home/... subdir. I see some infected M$ hitting the box and some malformed headers hitting the box. How can one tell the exact version of openssl running? All I get is the version number but not the letter.

> -----Original Message-----
> From: Brian Densmore
> Sent: Wednesday, September 18, 2002 4:31 PM
> To: kclug@kclug.org
> Subject: Help! I'm being attacked!
>
>
> Just curious. Someone is trying really hard to break into my
> server using a weakness in the ssl protocol. I don't think
> they have been successful. Yet. Anyone know what I should be
> looking for, specifically in what logs, etc.? I did notice a
> sighup in the log file on a day when I couldn't have done it.
> Any clue on what could cause this? Is this only something
> someone could do if they were on the box?
> A sample of the messages in question.
>
> [Sun Sep 8 04:02:01 2002] [notice] SIGHUP received. Attempting to restart
> [Sun Sep 8 04:02:02 2002] [notice] SIGHUP received. Attempting to restart
> [Fri Sep 13 17:40:48 2002] [notice] child pid 4733 exit signal Segmentation fault (11)
> [Sun Sep 15 04:02:00 2002] [notice] SIGHUP received. Attempting to restart
> [Sun Sep 15 04:02:01 2002] [notice] SIGHUP received. Attempting to restart
> [Tue Sep 17 17:51:20 2002] [notice] child pid 2333 exit signal Segmentation fault (11)
>
> Thanks,
> Brian
>