Hi,

My roommate and I run a Redhat 6.2 server. Wednesday, at about fifteen minutes past midnight, our load average went from its usual 0.something to nearly 30, and stayed this way for about ten minutes. By the time we got top running, the offending process or processes had terminated. Since neither of us was running anything more than ssh at the time, our initial suspicion was that someone had (probably accidentally) DoS'ed us. However, looking at our log files showed no excessive or suspicious activity.

This led us to suspect that we may have been compromised, and that we had experienced the automated installation or operation of a rootkit that expected a modern, fast machine. Since our server is an old 486, this would have caused the load average to spike. So we disconnected our machine from the Internet and started looking around for evidence of a break-in.

So far, we've looked for and failed to find:

- Evidence of the Lion worm (to which we were vulnerable)
- Non-devices in /dev
- New suid or sgid programs
- "..." or ".. " directories
- Changed MD5 sums from those listed in the RPM database
- Changes to /etc/passwd, /etc/shadow, and /etc/inetd.conf
- Suspicious running processes

This leads me to wonder if we were, in fact, exploited at all. However, we're both entirely inexperienced at forensic analysis, and so we're probably missing something. Hence, we would like to solicit help: What other things should we look for? And if we haven't been exploited, what could have caused the spike in our load average?

Thanks in advance.

--
Kyle R. Hofmann <khofmannat_private>
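Three of the checks the post lists (odd directory names, regular files in /dev, setuid/setgid binaries not in a known-good list) written out as an added shell example; this is not part of the original message. It runs against a constructed sample tree built by build_sample_tree, and the baseline format (one absolute path per line, recorded while the system was known clean) is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: the hidden-directory, non-device and
# setuid/setgid checks the poster lists, as functions taking a root path so they
# can be run against a constructed tree. The baseline file format is an assumption.

count() { wc -l | tr -d ' '; }

# Directories named "..." or ".. " (trailing space) hide well in an "ls" listing.
find_odd_dirs() {
    find "$1" -type d \( -name '...' -o -name '.. ' \) -print
}

# Device nodes are character or block specials, so any regular file under a
# /dev tree deserves a look (old rootkits kept config files and logs there).
find_non_devices() {
    find "$1" -type f -print
}

# setuid/setgid files under $1 that are absent from the baseline list $2.
find_new_setid() {
    cur=$(mktemp); base=$(mktemp)
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort > "$cur"
    sort "$2" > "$base"
    comm -13 "$base" "$cur"
    rm -f "$cur" "$base"
}

# Constructed sample tree: one legitimate setuid binary that is in the baseline,
# a "..." directory holding an unlisted setuid file, a ".. " directory, and a
# plain file dropped into dev/. All names here are made up for the demo.
build_sample_tree() {
    root=$1
    mkdir -p "$root/usr/bin" "$root/dev/pts" "$root/tmp/..." "$root/var/.. "
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"
    : > "$root/tmp/.../sh";      chmod 4755 "$root/tmp/.../sh"
    : > "$root/dev/not_a_device"
    printf '%s\n' "$root/usr/bin/passwd" > "$root/baseline.txt"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    build_sample_tree "$root"
    echo "odd dirs:";     find_odd_dirs "$root"
    echo "files in dev:"; find_non_devices "$root/dev"
    echo "new setuid:";   find_new_setid "$root" "$root/baseline.txt"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the three findings on the sample tree; on a real host, point the functions at `/`, `/dev` and a baseline taken before the incident.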
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 11:15:53 PDT