Something unusual happened on Friday morning:
Our Linux server in Dublin crashed. I was of course very pi.. ahem,
upset, especially having to work on Good Friday. Anyway, at the time we
thought it crashed. Once it was rebooted by Esat a few hours later I
looked at /var/log/messages and found:
Apr 2 09:27:21 beta init: Switching to runlevel: 0
Apr 2 09:27:23 beta syslogd: exiting on signal 15
There was no sign that anyone logged in, but the log would suggest that
someone ran "shutdown 0 -h" as root. The Esat guy who restarted the
machine told me he saw text saying that the web server had stopped (so
it was probably the usual halt sequence he saw). Nothing was different
from the day before except a shell script I wrote to "tar" the database
directory which ran at 8:30 that morning and would have only taken a few
seconds to run..
I'm assuming now that the machine was compromised on Friday somehow.
I have to admit I don't use SSH to log in there. :(
Any suggestions would be welcome.
Donncha.
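
An added example, not part of the original post: a triage script that finds each sysvinit halt or reboot in a /var/log/messages-style log and lists any interactive-access entries logged shortly before it, which is the check the post describes doing by eye. Only the two 09:27 lines come from the post; the other sample lines, the tag list, the 15-minute window and the year default are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: only the two 09:27 lines are from the post.
SAMPLE = """\
Apr 2 08:30:01 beta CROND[812]: (root) CMD (/root/bin/tar-db.sh)
Apr 2 09:27:21 beta init: Switching to runlevel: 0
Apr 2 09:27:23 beta syslogd: exiting on signal 15
Apr 3 14:02:10 beta login: ROOT LOGIN ON tty1
Apr 3 14:05:44 beta init: Switching to runlevel: 6
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^:\[]+)(?:\[\d+\])?:\s(.*)$")
RUNLEVEL = re.compile(r"Switching to runlevel: (\S)")
# Assumed list of programs whose log entries indicate someone gained a session.
SESSION_TAGS = {"login", "su", "sshd", "in.telnetd", "in.rlogind", "ftpd", "shutdown"}

def parse(line, year):
    """Split one classic syslog line into (timestamp, program tag, message)."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, _host, tag, msg = m.groups()
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, tag.strip(), msg

def runlevel_changes(text, year=2000, window_minutes=15):
    """Return every switch to runlevel 0 or 6 with the access events before it.

    Classic syslog timestamps carry no year, so the caller supplies one;
    the default is an arbitrary placeholder.
    """
    events = [e for e in (parse(l, year) for l in text.splitlines()) if e]
    findings = []
    for when, tag, msg in events:
        m = RUNLEVEL.match(msg) if tag == "init" else None
        if not m or m.group(1) not in ("0", "6"):
            continue
        start = when - timedelta(minutes=window_minutes)
        prior = [f"{t:%H:%M:%S} {g}: {s}" for t, g, s in events
                 if start <= t < when and g in SESSION_TAGS]
        findings.append({"time": when, "runlevel": m.group(1), "prior_access": prior})
    return findings

if __name__ == "__main__":
    for f in runlevel_changes(SAMPLE):
        note = f["prior_access"] or ["no access events logged in window"]
        print(f["time"], "runlevel", f["runlevel"], "->", "; ".join(note))
```

An empty `prior_access` list only means nothing was logged locally in that window; it does not establish that nobody was on the machine.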