Quoting Pira, Joel G. ([EMAIL PROTECTED]): > This morning, my Linux box was acting weird. I can't connect to squid, > so I tried to log on using SSH. SSH was refused, but I kept on trying > and suddenly I was able to log on for a while. After a few seconds > while trying to figure out what was happening, I got a read error and > automatically log out by the system. Intermittently, I can connect for > 2 or 3 seconds. I was running portsentry, sshd, squid, apache and > postfix on a Mandrake Linux 6.2 (needs updating).
Hello, Joel. As some others have noted, old, non-updated releases of Linux-Mandrake would be very suspect for breakins, which can cause unreliable behaviour such as you describe. You may want to visit the physical console and examine the system. In fact, for a variety of reasons, you may want to shut down the system for maintenance, remove its hard drive, mount it as the secondary hard drive on a different Linux system, make an immediate backup copy, and then examine the system's contents, there. First thing you'll want to look at is the log files, notably /var/log/messages . (Obviously, I don't mean the /var/log/messages of the system where you put your hard drive for backup and scrutiny.) A competent intruder will be difficult to spot, but a clumsy one will often erase all logs or stop the logging daemons, to conceal his activity. You may wish to check installed RPMs' MD5 checksums against stored values in the RPM database (bearing in mind that a competent intruder would have updated the stored values to match his changes, for which reason a prudent admin stores off-site copies of /var/lib/rpm/*, occasionally). You may want to spend some amount of time looking around the system for signs of break-in (such as directories with weird names like "..." or ".. ", depending on your patience and level of interest. Afterwards, you'll want to do a clean reinstall. It would be unwise to re-use any of the former system's executables (scripts or binaries), nor its configurations or dotfiles -- though you may wish to keep copies of those files around as you recreate the prior machine state, manually. Some resources that may be relevant: http://www.auscert.org.au/ http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html http://www.auscert.org.au/Information/Auscert_info/Papers/usc20.html http://www.auscert.org.au/Information/Auscert_info/Papers/usc20_essentials.html Of course, it's conceivable that the cause is _not_ an intruder, but rather either a severe hardware problem or some highly aberrant software state. Examining the logfiles should help you determine if that is so. Good luck to you. -- Cheers, "Why is the alphabet in that order? Is it because of that song?" Rick Moen -- Steven Wright [EMAIL PROTECTED] _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
