Re: Some services refreshed after upgrade following DSA-2054-1?

To: debian-security@lists.debian.org
Subject: Re: Some services refreshed after upgrade following DSA-2054-1?
From: Holger Schletz <holger.schletz@web.de>
Date: Mon, 7 Jun 2010 19:48:59 +0200
Message-id: <201006071948.59625.holger.schletz@web.de>
In-reply-to: <1275929497.15999.22.camel@debian3.institutomora.edu.mx>
References: <1275929497.15999.22.camel@debian3.institutomora.edu.mx>

Hi,

a default installation of apache on debian causes a reload every sunday as 
part of the log rotation. See /etc/logrotate.d/apache2. This behavior matches 
your description.

I'm not familiar with the other services you mentioned, but I wouldn't be 
surprised if similar things happened here.

Check your cron jobs and the log files - If this happens every sunday, it's 
probably perfectly normal. I don't think that the mentioned updates have 
triggered a service reload.

Best regards
Holger


Am Montag 07 Juni 2010, 18:51:37 schrieb Andrew Green:
> Hi,
> 
> I'm running an up-to-date Lenny server that serves some innocuous Web
> pages and is administered by remote ssh. On Friday, after reading
> DSA-2054-1, y did an update and dist-upgrade, which updated some
> packages, added some, and removed, I believe, some others, (I
> unfortunately did not make a detailed note of what happened. From the
> contents of my /var/cache/apt archive, it seems that packages that were
> either updated or newly installed are: bind9-host, dnsutils, libbind9,
> libisccc50, libisccfg50, liblwres50, libdns55 and libisc52.)
> 
> A little over a day and a half later, I got a message from samhain (the
> host-based intrusion detection system I have installed) saying that its
> configuration had been reloaded. I noticed that at the same time, apache
> got a SIGUSR1 and did a graceful resetart. And according to the ps
> command, snort (network-based intrusion detection) was restarted at that
> time, too. I did nothing specifically to cause any of this.
> 
> Is it possible that the restart/refresh of these services was caused in
> some way by the upgrade? Something to do with some a dns cache, or
> something like that? I'd be very surprised to find the machine had been
> compromised, since it was completely up-to-date, does not allow
> password-based ssh logins, has no other user accounts, is locked in a
> room to which only two people have a key, runs minimal services, and is
> surrounded by Windows machines that I assume are much more vulnerable.
> And everything seems to be running normally now. But if I can't find an
> explanation for these service refreshes, then I guess I'll have to treat
> it as compromised.
> 
> Any ideas about what may have happened would be greatly appreciated.
> Also, I hope this is the right place to post this question; if not,
> please do let me know. Many thanks in advance, greetings,
> Andrew

Reply to:

Follow-Ups:
- Re: Some services refreshed after upgrade following DSA-2054-1?
  - From: Andrew Green <andrew.green.df@gmail.com>

References:
- Some services refreshed after upgrade following DSA-2054-1?
  - From: Andrew Green <andrew.green.df@gmail.com>

Prev by Date: Some services refreshed after upgrade following DSA-2054-1?
Next by Date: Re: Some services refreshed after upgrade following DSA-2054-1?
Previous by thread: Some services refreshed after upgrade following DSA-2054-1?
Next by thread: Re: Some services refreshed after upgrade following DSA-2054-1?
Index(es):
- Date
- Thread