Hi, Thank you Holger--that was it! (Since I just installed samhain at the beginning of last week, this past Sunday was first time I'd seen this behaviour.)
Many thanks again, greetings, Andrew El lun, 07-06-2010 a las 19:48 +0200, Holger Schletz escribió: > Hi, > > a default installation of apache on debian causes a reload every sunday as > part of the log rotation. See /etc/logrotate.d/apache2. This behavior matches > your description. > > I'm not familiar with the other services you mentioned, but I wouldn't be > surprised if similar things happened here. > > Check your cron jobs and the log files - If this happens every sunday, it's > probably perfectly normal. I don't think that the mentioned updates have > triggered a service reload. > > Best regards > Holger > > > Am Montag 07 Juni 2010, 18:51:37 schrieb Andrew Green: > > Hi, > > > > I'm running an up-to-date Lenny server that serves some innocuous Web > > pages and is administered by remote ssh. On Friday, after reading > > DSA-2054-1, y did an update and dist-upgrade, which updated some > > packages, added some, and removed, I believe, some others, (I > > unfortunately did not make a detailed note of what happened. From the > > contents of my /var/cache/apt archive, it seems that packages that were > > either updated or newly installed are: bind9-host, dnsutils, libbind9, > > libisccc50, libisccfg50, liblwres50, libdns55 and libisc52.) > > > > A little over a day and a half later, I got a message from samhain (the > > host-based intrusion detection system I have installed) saying that its > > configuration had been reloaded. I noticed that at the same time, apache > > got a SIGUSR1 and did a graceful resetart. And according to the ps > > command, snort (network-based intrusion detection) was restarted at that > > time, too. I did nothing specifically to cause any of this. > > > > Is it possible that the restart/refresh of these services was caused in > > some way by the upgrade? Something to do with some a dns cache, or > > something like that? I'd be very surprised to find the machine had been > > compromised, since it was completely up-to-date, does not allow > > password-based ssh logins, has no other user accounts, is locked in a > > room to which only two people have a key, runs minimal services, and is > > surrounded by Windows machines that I assume are much more vulnerable. > > And everything seems to be running normally now. But if I can't find an > > explanation for these service refreshes, then I guess I'll have to treat > > it as compromised. > > > > Any ideas about what may have happened would be greatly appreciated. > > Also, I hope this is the right place to post this question; if not, > > please do let me know. Many thanks in advance, greetings, > > Andrew > > -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
