Re: High load average and much suspicion

From: Joe Hamelin (joeat_private)
Date: Sat Apr 28 2001 - 11:28:33 PDT

Next message: Szilveszter Adam: "Re: High load average and much suspicion"

Previous message: Kyle Hofmann: "High load average and much suspicion"
In reply to: Kyle Hofmann: "High load average and much suspicion"
Next in thread: Szilveszter Adam: "Re: High load average and much suspicion"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Are you sure it wasn't just a cron running locate.updatedb (or
whatever it's called in redhat)?  Check for cron jobs that may run at
that time.

-Joe

--
 ------------------------------------------------------------------
|     Joe Hamelin  <joeat_private>  Edmonds, Washington, US      |
|              Senior Network Engineer, Amazon.com                 |
 ------------------------------------------------------------------


On Fri, 27 Apr 2001, Kyle Hofmann wrote:

:Hi,
:
:My roommate and I run a Redhat 6.2 server.  Wednesday, at about fifteen
:minutes past midnight, our load average went from its usual 0.something to
:nearly 30, and stayed this way for about ten minutes.  By the time we got
:top running, the offending process or processes had terminated.
:
:Since neither of us were running anything more than ssh at the time, our
:initial suspicion was that someone had (probably accidentally) DoS'ed us.
:However, looking at our log files showed no excessive or suspicious activity.
:This led us to suspect that we may have been compromised, and that we had
:experienced the automated installation or operation of a rootkit that expected
:a modern, fast machine.  Since our server is an old 486, this would have
:caused the load average to spike.
:
:So we disconnected our machine from the Internet and started looking around
:for evidence of a breakin.  So far, we've looked for and failed to find:
:
:- Evidence of the Lion worm (to which we were vulnerable)
:- Non-devices in /dev
:- New suid or sgid programs
:- "..." or ".. " directories
:- Changed MD5 sums from those listed in the RPM database
:- Changes to /etc/passwd, /etc/shadow, and /etc/inetd.conf
:- Suspicious running processes
:
:This leads me to wonder if we were, in fact exploited at all.  However, we're
:both entirely inexperienced at forensic analysis, and so we're probably
:missing something.  Hence, we would like to solicit help: What other things
:should we look for?  And if we haven't been exploited, what could have caused
:the spike in our load average?
:
:Thanks in advance.
:
:--
:Kyle R. Hofmann <khofmannat_private>
:

Next message: Szilveszter Adam: "Re: High load average and much suspicion"
Previous message: Kyle Hofmann: "High load average and much suspicion"
In reply to: Kyle Hofmann: "High load average and much suspicion"
Next in thread: Szilveszter Adam: "Re: High load average and much suspicion"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 11:41:50 PDT