
Re: Some services refreshed after upgrade following DSA-2054-1?



Hi,

Thank you Holger--that was it! (Since I just installed samhain at the
beginning of last week, this past Sunday was the first time I'd seen this
behaviour.)

Many thanks again, greetings,
Andrew


On Mon, 07-06-2010 at 19:48 +0200, Holger Schletz wrote:
> Hi,
> 
> A default installation of Apache on Debian causes a reload every Sunday as 
> part of the log rotation. See /etc/logrotate.d/apache2. This behavior matches 
> your description.
> 
> I'm not familiar with the other services you mentioned, but I wouldn't be 
> surprised if similar things happened here.
> 
> Check your cron jobs and the log files - if this happens every Sunday, it's 
> probably perfectly normal. I don't think that the mentioned updates have 
> triggered a service reload.
> 
> Best regards
> Holger
> 
> 
> On Monday 07 June 2010, 18:51:37 Andrew Green wrote:
> > Hi,
> > 
> > I'm running an up-to-date Lenny server that serves some innocuous Web
> > pages and is administered by remote ssh. On Friday, after reading
> > DSA-2054-1, I did an update and dist-upgrade, which updated some
> > packages, added some, and removed, I believe, some others. (I
> > unfortunately did not make a detailed note of what happened. From the
> > contents of my /var/cache/apt archive, it seems that packages that were
> > either updated or newly installed are: bind9-host, dnsutils, libbind9,
> > libisccc50, libisccfg50, liblwres50, libdns55 and libisc52.)
> > 
> > A little over a day and a half later, I got a message from samhain (the
> > host-based intrusion detection system I have installed) saying that its
> > configuration had been reloaded. I noticed that at the same time, apache
> > got a SIGUSR1 and did a graceful restart. And according to the ps
> > command, snort (network-based intrusion detection) was restarted at that
> > time, too. I did nothing specifically to cause any of this.
> > 
> > Is it possible that the restart/refresh of these services was caused in
> > some way by the upgrade? Something to do with a dns cache, or
> > something like that? I'd be very surprised to find the machine had been
> > compromised, since it was completely up-to-date, does not allow
> > password-based ssh logins, has no other user accounts, is locked in a
> > room to which only two people have a key, runs minimal services, and is
> > surrounded by Windows machines that I assume are much more vulnerable.
> > And everything seems to be running normally now. But if I can't find an
> > explanation for these service refreshes, then I guess I'll have to treat
> > it as compromised.
> > 
> > Any ideas about what may have happened would be greatly appreciated.
> > Also, I hope this is the right place to post this question; if not,
> > please do let me know. Many thanks in advance, greetings,
> > Andrew
> 
> 
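
One way to carry out the check Holger suggests, as an added example that is not part of the original messages: a shell function that lists the service-affecting commands found in logrotate hook scripts together with the rotation frequency of their stanza. The command pattern and the sample stanza are assumptions constructed for illustration, not copied from a real system.

```shell
#!/bin/sh
# Added example: list service-affecting commands in logrotate hook scripts.
# Output columns (tab-separated): config file, frequency, hook, command.

logrotate_hooks() {
    dir="${1:-/etc/logrotate.d}"
    # Assumed heuristic for "touches a service"; extend as needed.
    pat='reload|restart|kill|init[.]d|invoke-rc[.]d'
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" -v pat="$pat" '
            hook == "" && /^[ \t]*(hourly|daily|weekly|monthly|yearly)[ \t]*$/ { freq = $1; next }
            hook == "" && /^[ \t]*(prerotate|postrotate|firstaction|lastaction)[ \t]*$/ { hook = $1; next }
            hook != "" && /^[ \t]*endscript[ \t]*$/ { hook = ""; next }
            hook != "" && $0 ~ pat {
                line = $0; sub(/^[ \t]+/, "", line)
                buf[++n] = hook "\t" line; next
            }
            # Closing brace of a stanza: emit buffered commands with its frequency.
            hook == "" && /^[ \t]*[}][ \t]*$/ {
                for (i = 1; i <= n; i++)
                    printf "%s\t%s\t%s\n", file, (freq == "" ? "default" : freq), buf[i]
                n = 0; freq = ""
            }
        ' "$f"
    done
}

# Constructed sample (not copied from a real system) for trying the function offline.
write_sample_config() {
    cat > "$1/apache2" <<'EOF'
/var/log/apache2/*.log {
    weekly
    rotate 52
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 reload > /dev/null
        fi
    endscript
}
EOF
}

# When given a directory argument, scan it (e.g. /etc/logrotate.d).
if [ "$#" -gt 0 ]; then logrotate_hooks "$1"; fi
```

A frequency of `default` means the stanza sets none itself and inherits it from the main logrotate configuration. Comparing the listed hooks and frequencies with the timestamps of an unexpected reload shows whether scheduled log rotation accounts for it.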


