Thus spake Gleb Arshinov (gleb@barsook.com):

> /etc/passwd seems intact

Have a look at /etc/shadow. I'm not sure if password changes touch /etc/passwd if you're using shadow passwords. Just a thought.

> So, what could have caused ssh/telnet to hang like this while ftp
> worked fine?

Check your local messages log and the remote one using the shell that you already have while you attempt a login.

> What else should I check for break-in signs?

Do you have debsums? I believe this will check the MD5 sums of your packages. I've only played around with it, so I'm not positive.

> PS I'll include current ps aux:

As a rule, especially on a colo box that's gonna sit by itself from time to time without you on it, you should take away all services and add what you need. A firewall would be good too.

> root 169 0.0 0.5 1148 644 ? S 08:23 0:00 /sbin/rpc.statd

Do you use NFS? If not, get rid of this.

> root 193 0.0 0.4 1300 552 ? S 08:23 0:00 /usr/sbin/inetd

I assume you use this for telnet and FTP. Make sure other services are commented out in /etc/inetd.conf.

> root 201 0.0 0.4 1352 560 ? S 08:23 0:00 /usr/sbin/lpd

Do you print from this machine? If not, get rid of this.

> nobody 256 0.0 2.0 3616 2596 ? S 08:23 0:00 /usr/bin/X11/xfs-xtt -user nobody

Don't really need font serving on a colo box.

> root 260 0.0 1.2 1556 1548 ? SL 08:23 0:00 /usr/sbin/ntpd

Do you use this? I think it's for time synchronization serving, though it might be a client. Maybe try rdate if you just need a client.

> daemon 265 0.0 0.4 1140 544 ? S 08:23 0:00 /usr/sbin/atd

If you don't use this, get rid of it. Malicious users can schedule tasks for when they're not logged in.

Just a couple thoughts on ways to tighten things.

-- 
Justin R. Miller <incanus@codesorcery.net>
PGP/GnuPG Key ID 0xC9C40C31 (preferred)
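The reply above walks through two audits by hand: which entries in /etc/inetd.conf are still active, and which daemons in the ps aux listing have no business on a colocated box. The script below is an added example, not code from the thread or from either poster, that does the same two checks over constructed sample input. The inetd.conf text, the ps aux lines and the list of "unneeded" daemons are all assumptions made here for illustration; on a real machine you would feed it the actual file and a live ps listing, and the allowlist and daemon list must be adjusted to what the box is actually for.

```shell
#!/bin/sh
# Added example: audit an inetd.conf and a ps listing for services that
# should probably not be running on a colo box. Sample input is constructed
# for illustration and is not the original poster's configuration.

# Constructed sample /etc/inetd.conf (Debian-style, one service per line).
SAMPLE_INETD='# /etc/inetd.conf: see inetd(8) for further informations.
#:INTERNAL: Internal services
#echo   stream  tcp nowait  root    internal
#:STANDARD: These are standard services.
telnet  stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#shell  stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
finger  stream  tcp nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
#:RPC: RPC based services
'

# Constructed sample of "ps aux" output, modelled on the listing in the thread.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       169  0.0  0.5  1148  644 ?        S    08:23   0:00 /sbin/rpc.statd
root       193  0.0  0.4  1300  552 ?        S    08:23   0:00 /usr/sbin/inetd
root       201  0.0  0.4  1352  560 ?        S    08:23   0:00 /usr/sbin/lpd
nobody     256  0.0  2.0  3616 2596 ?        S    08:23   0:00 /usr/bin/X11/xfs-xtt -user nobody
daemon     265  0.0  0.4  1140  544 ?        S    08:23   0:00 /usr/sbin/atd'

# Daemons that a headless colo box usually does not need (assumed list;
# adapt to the machine's actual role, e.g. keep rpc.statd if it serves NFS).
UNNEEDED_DAEMONS='rpc.statd lpd xfs-xtt atd portmap'

# enabled_inetd_services CONF: print the service name (first field) of every
# inetd.conf line that is neither blank nor commented out.
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*(#|$)/ { print $1 }'
}

# unexpected_inetd_services CONF ALLOWLIST: print enabled services that are
# not in the space-separated ALLOWLIST, i.e. entries that should be commented out.
unexpected_inetd_services() {
    allow="$2"
    enabled_inetd_services "$1" | while read -r svc; do
        case " $allow " in
            *" $svc "*) ;;                    # expected, keep
            *) printf '%s\n' "$svc" ;;         # not on the allowlist, report it
        esac
    done
}

# flag_unneeded_daemons PS_OUTPUT: take the basename of the COMMAND column
# (field 11 of "ps aux") for each process and report the ones on UNNEEDED_DAEMONS.
flag_unneeded_daemons() {
    printf '%s\n' "$1" | awk 'NR > 1 { n = split($11, p, "/"); print p[n] }' \
    | while read -r name; do
        case " $UNNEEDED_DAEMONS " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
}

# Stand-alone usage: audit the constructed samples, allowing only telnet and ftp
# through inetd as the original poster appears to be doing.
echo "inetd services still enabled:"
enabled_inetd_services "$SAMPLE_INETD"
echo "inetd services not on the allowlist (comment these out):"
unexpected_inetd_services "$SAMPLE_INETD" "telnet ftp"
echo "running daemons that are probably unneeded on a colo box:"
flag_unneeded_daemons "$SAMPLE_PS"
```

The parsing is deliberately simple: inetd.conf is one service per line, and the ps aux COMMAND column starts at field 11, so a basename match is enough to spot the daemons named in the thread. Two caveats a practitioner would add: the list of what counts as "unneeded" is a policy decision for that particular box, not something a script can know, and on a machine suspected of compromise the ps and awk binaries themselves may have been replaced, so this kind of check is only as trustworthy as the tools it runs with.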