[TriLUG] Server Oddness

Jason Purdy jason at journalistic.com
Fri Jul 2 09:34:48 EDT 2004


When I came into work today, our (Debian Woody) mail server wasn't 
responding (my previous SSH connection was 'hung' and IMAP/POP 
connections wouldn't work and pings were not responsive, either) and I 
went to the console and plugged in a monitor and it was a black screen 
(hitting the space bar or enter key didn't do anything).

So I had to hit the server's reset key (ugh) ... about 15 minutes later 
after the auto fsck, everything looks ok.

This is a publicly available server, so my main concern is that someone 
has r00ted me.  I have been keeping up to date on security patches that 
Debian puts out.

I waded through logs (nothing suspicious, though there were several 
attempts to do one of those "/SEARCH [long uri]" in its apache 
access.log -- it was one of the last entries).  In /var/log/messages, I 
get a MARK every 20 minutes ... there's a big gap between the last mark 
at 3:56am and when I restarted the server at 8:46.  In the mail.log 
file, the gap starts at 4:08, so that's when I think something happened 
(I have a co-worker who POPs his mail every minute ;)).

I also ran a 'chkrootkit', but that didn't turn anything up.

I did a netstat -atu and there are a couple of entries there that I 
don't know about:
tcp 0 0 *:32768 *:* LISTEN
udp 0 0 *:821 *:*
udp 0 0 *:1111 *:*

Is there any way to see what process is tied to those ports?

Can anyone point me in a direction to figure out what happened?  Random 
hardware glitch or something else?

Thanks,

Jason
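One way to answer the port-to-process question, added here as an example and not part of the original post: the script reads /proc/net/tcp and /proc/net/udp directly (the same data that netstat -p and lsof -i use) and matches each bound socket's inode against the socket:[inode] links in /proc/*/fd, so it also surfaces sockets that no visible process owns, which is exactly what you want to look at on a box you suspect. It assumes a Linux host with /proc, must run as root to read other users' fd tables, and the sample /proc/net/tcp data mentioned in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): map bound sockets to the
# processes that own them by reading /proc directly.

# Print "proto port inode" for every bound socket in a file laid out like
# /proc/net/tcp or /proc/net/udp: local address is hex IP:PORT in field 2,
# state in field 4 (tcp 0A = LISTEN, udp 07 = bound/unconnected),
# socket inode in field 10. The header line is skipped.
bound_sockets() {
  proto=$1
  file=$2
  want=0A
  [ "$proto" = udp ] && want=07
  tail -n +2 "$file" |
  while read -r junk local junk st junk junk junk junk junk inode junk; do
    [ "$st" = "$want" ] || continue
    hexport=${local##*:}                 # e.g. 8000 -> 32768, 0335 -> 821
    printf '%s %d %s\n' "$proto" "0x$hexport" "$inode"
  done
}

# Print "pid cmdline" for every process holding socket:[inode] in its fd
# table. Needs root to see other users' processes; empty output means no
# visible user-space owner (kernel-side service, or something hiding).
socket_owner() {
  inode=$1
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
    pid=${fd#/proc/}
    pid=${pid%%/*}
    printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  done | sort -u
}

# Walk the live tables and report each bound port with its owner.
report() {
  for proto in tcp udp; do
    bound_sockets "$proto" "/proc/net/$proto" |
    while read -r p port inode; do
      owner=$(socket_owner "$inode")
      printf '%s/%s -> %s\n' "$p" "$port" "${owner:-NO VISIBLE OWNER (check)}"
    done
  done
}

if [ "${1:-}" = "--run" ]; then report; fi
```

On a live box the quick equivalents are `netstat -atunp` and `lsof -i`; a socket with no owning process is a lead, not proof, since in-kernel services own sockets legitimately, and a kernel-level rootkit that hides from /proc hides from this too, so compare against what an external port scan of the host shows.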
