Hi, a default installation of apache on debian causes a reload every sunday as part of the log rotation. See /etc/logrotate.d/apache2. This behavior matches your description.
I'm not familiar with the other services you mentioned, but I wouldn't be surprised if similar things happened here. Check your cron jobs and the log files - If this happens every sunday, it's probably perfectly normal. I don't think that the mentioned updates have triggered a service reload. Best regards Holger Am Montag 07 Juni 2010, 18:51:37 schrieb Andrew Green: > Hi, > > I'm running an up-to-date Lenny server that serves some innocuous Web > pages and is administered by remote ssh. On Friday, after reading > DSA-2054-1, y did an update and dist-upgrade, which updated some > packages, added some, and removed, I believe, some others, (I > unfortunately did not make a detailed note of what happened. From the > contents of my /var/cache/apt archive, it seems that packages that were > either updated or newly installed are: bind9-host, dnsutils, libbind9, > libisccc50, libisccfg50, liblwres50, libdns55 and libisc52.) > > A little over a day and a half later, I got a message from samhain (the > host-based intrusion detection system I have installed) saying that its > configuration had been reloaded. I noticed that at the same time, apache > got a SIGUSR1 and did a graceful resetart. And according to the ps > command, snort (network-based intrusion detection) was restarted at that > time, too. I did nothing specifically to cause any of this. > > Is it possible that the restart/refresh of these services was caused in > some way by the upgrade? Something to do with some a dns cache, or > something like that? I'd be very surprised to find the machine had been > compromised, since it was completely up-to-date, does not allow > password-based ssh logins, has no other user accounts, is locked in a > room to which only two people have a key, runs minimal services, and is > surrounded by Windows machines that I assume are much more vulnerable. > And everything seems to be running normally now. But if I can't find an > explanation for these service refreshes, then I guess I'll have to treat > it as compromised. > > Any ideas about what may have happened would be greatly appreciated. > Also, I hope this is the right place to post this question; if not, > please do let me know. Many thanks in advance, greetings, > Andrew -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
