Re: High load average and much suspicion

From: Joe Hamelin (joeat_private)
Date: Sat Apr 28 2001 - 11:28:33 PDT

Are you sure it wasn't just a cron running locate.updatedb (or
whatever it's called in redhat)?  Check for cron jobs that may run at
that time.

-Joe

--
 ------------------------------------------------------------------
|     Joe Hamelin  <joeat_private>  Edmonds, Washington, US      |
|              Senior Network Engineer, Amazon.com                 |
 ------------------------------------------------------------------


On Fri, 27 Apr 2001, Kyle Hofmann wrote:

:Hi,
:
:My roommate and I run a Redhat 6.2 server.  Wednesday, at about fifteen
:minutes past midnight, our load average went from its usual 0.something to
:nearly 30, and stayed this way for about ten minutes.  By the time we got
:top running, the offending process or processes had terminated.
:
:Since neither of us was running anything more than ssh at the time, our
:initial suspicion was that someone had (probably accidentally) DoS'ed us.
:However, looking at our log files showed no excessive or suspicious activity.
:This led us to suspect that we may have been compromised, and that we had
:experienced the automated installation or operation of a rootkit that expected
:a modern, fast machine.  Since our server is an old 486, this would have
:caused the load average to spike.
:
:So we disconnected our machine from the Internet and started looking around
:for evidence of a break-in.  So far, we've looked for and failed to find:
:
:- Evidence of the Lion worm (to which we were vulnerable)
:- Non-devices in /dev
:- New suid or sgid programs
:- "..." or ".. " directories
:- Changed MD5 sums from those listed in the RPM database
:- Changes to /etc/passwd, /etc/shadow, and /etc/inetd.conf
:- Suspicious running processes
:
:This leads me to wonder if we were, in fact, exploited at all.  However, we're
:both entirely inexperienced at forensic analysis, and so we're probably
:missing something.  Hence, we would like to solicit help: What other things
:should we look for?  And if we haven't been exploited, what could have caused
:the spike in our load average?
:
:Thanks in advance.
:
:--
:Kyle R. Hofmann <khofmannat_private>
:
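The checks Kyle lists and the cron job Joe suggests, as an added example (not code from either poster): small shell helpers that take a directory argument so they can be pointed at a live host or, as here, at a constructed sample tree. The sample tree, file names and the updatedb crontab line are assumptions made for the demonstration.

```shell
# Added example, not code from the thread: shell helpers for the checks Kyle lists
# (plain files in /dev, "..."/".. " directories, setuid/setgid binaries) plus Joe's
# cron suggestion. Each takes a directory, so the same functions run against a live
# host (/dev, /, /etc/cron.d; as root) or against the constructed sample tree below.

# Regular files under a /dev tree: only device nodes, symlinks, directories, FIFOs
# and sockets belong there, so a plain file is worth inspecting.
find_non_devices() {
    find "$1" -type f 2>/dev/null
}

# Directory names chosen to hide from a casual ls: "..." and ".. ".
find_hidden_dirs() {
    find "$1" -type d \( -name '...' -o -name '.. ' \) 2>/dev/null
}

# Setuid or setgid files; diff the list against one taken on a known-good day.
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Cron entries whose hour field (field 2 in /etc/crontab, /etc/cron.d and user
# crontabs alike) is $2 or "*". Comments, blank lines and VAR=value lines are
# skipped; ranges and steps such as "0-6" or "*/2" are not expanded.
cron_jobs_in_hour() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        awk -v h="$2" -v f="$f" 'NF == 0 || $1 ~ /^#/ { next }
            NF >= 5 && ($2 == h || $2 == "*") { print f ": " $0 }' "$f"
    done
}

# Constructed sample tree (not a real system) so the helpers can run offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev" "$t/tmp/..." "$t/etc/cron.d" "$t/bin"
    : > "$t/dev/stray_file"                         # plain file among device nodes
    : > "$t/bin/suid_bin";   chmod 4755 "$t/bin/suid_bin"
    : > "$t/bin/normal_bin"; chmod 755  "$t/bin/normal_bin"
    printf '# nightly\n15 0 * * * root /usr/bin/updatedb\n30 4 * * * root /bin/true\n' \
        > "$t/etc/cron.d/sample"
    echo "$t"
}

T=$(make_sample_tree)
echo "non-devices:";    find_non_devices "$T/dev"
echo "hidden dirs:";    find_hidden_dirs "$T/tmp"
echo "suid/sgid:";      find_setuid_setgid "$T/bin"
echo "cron at hour 0:"; cron_jobs_in_hour "$T/etc/cron.d" 0
```

On a real host the setuid list and the RPM verification (rpm -Va) are only meaningful against a baseline taken before the incident, which is why the lists are worth saving on a clean day.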
    



    This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 11:41:50 PDT