Are you sure it wasn't just a cron running locate.updatedb (or whatever it's
called in redhat)? Check for cron jobs that may run at that time.

-Joe

--
------------------------------------------------------------------
| Joe Hamelin <joeat_private>            Edmonds, Washington, US |
| Senior Network Engineer, Amazon.com                            |
------------------------------------------------------------------

On Fri, 27 Apr 2001, Kyle Hofmann wrote:

:Hi,
:
:My roommate and I run a Redhat 6.2 server. Wednesday, at about fifteen
:minutes past midnight, our load average went from its usual 0.something to
:nearly 30, and stayed this way for about ten minutes. By the time we got
:top running, the offending process or processes had terminated.
:
:Since neither of us were running anything more than ssh at the time, our
:initial suspicion was that someone had (probably accidentally) DoS'ed us.
:However, looking at our log files showed no excessive or suspicious activity.
:This led us to suspect that we may have been compromised, and that we had
:experienced the automated installation or operation of a rootkit that expected
:a modern, fast machine. Since our server is an old 486, this would have
:caused the load average to spike.
:
:So we disconnected our machine from the Internet and started looking around
:for evidence of a break-in. So far, we've looked for and failed to find:
:
:- Evidence of the Lion worm (to which we were vulnerable)
:- Non-devices in /dev
:- New suid or sgid programs
:- "..." or ".. " directories
:- Changed MD5 sums from those listed in the RPM database
:- Changes to /etc/passwd, /etc/shadow, and /etc/inetd.conf
:- Suspicious running processes
:
:This leads me to wonder if we were, in fact, exploited at all. However, we're
:both entirely inexperienced at forensic analysis, and so we're probably
:missing something. Hence, we would like to solicit help: What other things
:should we look for? And if we haven't been exploited, what could have caused
:the spike in our load average?
:
:Thanks in advance.
:
:--
:Kyle R. Hofmann <khofmannat_private>
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 11:41:50 PDT