From: Donncha O Caoimh (donncha.ocaoimh at domain tradesignals.com)
Date: Tue 06 Apr 1999 - 10:53:32 IST

Something unusual happened on Friday morning:

Our Linux server in Dublin crashed. I was of course very pi.. ahem,
upset, especially having to work on Good Friday. Anyway, at the time we
thought it crashed. Once it was rebooted by Esat a few hours later I
looked at /var/log/messages and found:

Apr 2 09:27:21 beta init: Switching to runlevel: 0
Apr 2 09:27:23 beta syslogd: exiting on signal 15

There was no sign that anyone logged in, but the log would suggest that
someone ran "shutdown 0 -h" as root. The Esat guy who restarted the
machine told me he saw text saying that the web server had stopped (so
it was probably the usual halt sequence he saw). Nothing was different
from the day before except a shell script I wrote to "tar" the database
directory which ran at 8:30 that morning and would have only taken a few
seconds to run.

I'm assuming now that the machine was compromised on Friday somehow.
I have to admit I don't use SSH to log in there. :(

Any suggestions would be welcome.