Hi, I'm running an up-to-date Lenny server that serves some innocuous Web pages and is administered by remote ssh. On Friday, after reading DSA-2054-1, y did an update and dist-upgrade, which updated some packages, added some, and removed, I believe, some others, (I unfortunately did not make a detailed note of what happened. From the contents of my /var/cache/apt archive, it seems that packages that were either updated or newly installed are: bind9-host, dnsutils, libbind9, libisccc50, libisccfg50, liblwres50, libdns55 and libisc52.)
A little over a day and a half later, I got a message from samhain (the host-based intrusion detection system I have installed) saying that its configuration had been reloaded. I noticed that at the same time, apache got a SIGUSR1 and did a graceful resetart. And according to the ps command, snort (network-based intrusion detection) was restarted at that time, too. I did nothing specifically to cause any of this. Is it possible that the restart/refresh of these services was caused in some way by the upgrade? Something to do with some a dns cache, or something like that? I'd be very surprised to find the machine had been compromised, since it was completely up-to-date, does not allow password-based ssh logins, has no other user accounts, is locked in a room to which only two people have a key, runs minimal services, and is surrounded by Windows machines that I assume are much more vulnerable. And everything seems to be running normally now. But if I can't find an explanation for these service refreshes, then I guess I'll have to treat it as compromised. Any ideas about what may have happened would be greatly appreciated. Also, I hope this is the right place to post this question; if not, please do let me know. Many thanks in advance, greetings, Andrew
