On Fri, Apr 27, 2001 at 02:36:55PM -0700, Kyle Hofmann wrote:
> Hi,
>
> My roommate and I run a Redhat 6.2 server. Wednesday, at about fifteen
> minutes past midnight, our load average went from its usual 0.something to
> nearly 30, and stayed this way for about ten minutes. By the time we got
> top running, the offending process or processes had terminated.
<...>

The direction of your investigation is good, but I hope you used some trusted basis for it... like a trusted floppy or CD-ROM and actually using the system tools from there. If you indeed have been compromised, standard system tools on the system may and likely will lie to you... and while you are at it, patch all those security holes. No need to be exposed to known vulnerabilities... also, don't use the RPM database on the system itself to compare sums to, rather do it to some trusted source like there seems to be an option to do it over the network or to a CD-ROM (again):-)

If you set up logging network connections appropriately, it can also help you somewhat.

Best of luck and I hope you find the culprit one way or the other.

P.S.: Of course there can be legitimate reasons for the load spike, but you were at the machine at that time, not me:-)...

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary
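The check recommended in the reply above, comparing file checksums against a trusted source instead of data stored on the suspect system, shown as an added example that is not part of the original message. The manifest format, the `TRUSTED_BIN` variable and the function name are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify files under a suspect root against a trusted manifest.
# Assumptions (not from the original message):
#   - the manifest was built from known-good packages and is kept on
#     read-only media or another host, never on the suspect system;
#   - each manifest line is "<sha256>  <absolute path>";
#   - TRUSTED_BIN (hypothetical name) is the directory holding a known-good
#     sha256sum, e.g. the bin directory of a mounted rescue CD-ROM.

# The default only locates a sha256sum so the function runs anywhere;
# for a real check, set TRUSTED_BIN to the trusted media explicitly.
TRUSTED_BIN="${TRUSTED_BIN:-$(dirname "$(command -v sha256sum)")}"

# verify_against_manifest MANIFEST ROOT
#   ROOT is where the suspect filesystem is mounted ("" for the live root).
#   Prints "MISSING <path>" or "CHANGED <path>" for every discrepancy.
#   Returns 0 when every listed file matches, 1 otherwise.
verify_against_manifest() {
    manifest=$1
    root=$2
    status=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue              # skip blank lines
        target="$root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        # Hash via stdin so the output is "<hash>  -" whatever the file name.
        got=$("$TRUSTED_BIN/sha256sum" < "$target")
        got=${got%% *}                          # keep only the hash field
        if [ "$got" != "$want" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Usage (paths are illustrative):
#   TRUSTED_BIN=/mnt/cdrom/bin verify_against_manifest /mnt/cdrom/manifest /mnt/suspect
```

Only files listed in the manifest are checked, so a file that was added to the system rather than replaced does not show up here.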
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 12:03:57 PDT