
possible break-in



Last weekend we had a mysterious breakdown of one of our servers...

It is on a leased line, fixed IP, UPS. There were no power outages.

It has qmail, wu_ftpd, apache, sshd1, telnetd on it. It has all the
patches on security.debian.org. DNS is 8.2.2p5-1 compiled by me from the
potato source.

Kernel is 2.0.37 with the UDMA66 patch for the PROMISE Ultra-ATA 66 controller
which is on the kernel mirror. (The 2.0.38pre patch cannot be applied to
the 2.0.38 kernel, and I don't know how to contact the author.) And I
don't want to update the kernel to 2.2 because I don't know whether the
RAID 1 array created with a 2.0 kernel can be used with a 2.2 kernel.

Anyway, Saturday evening I was logged in on the server and it was up and
running.

Sunday I could not log in on the server. The only port open on it below
port 4000 was DNS. The next day the server was restarted manually.

A whole day is missing from the syslog. The last message before the gap
is:

Dec 12 00:08:11 <servername> exiting on signal 15

The following entry is:

Dec 13 10:34:18 <servername> syslogd 1.3-3#31: restart.

What could this be? Is it possible that this is the result of a
Denial-of-Service attack, or is it certain that someone broke in?

Robert Varga
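The two quoted syslog lines are the kind of evidence a responder would want to pull out of the whole log automatically: a syslogd that "exited on signal 15" (SIGTERM, a deliberate stop rather than a crash), followed by a day of silence, followed by a syslogd restart. The script below is an added example, not code from the original post or from Debian; it parses classic BSD-style syslog lines, reports every silence longer than a threshold, and notes whether the boundary entries are syslogd's own exit/restart messages. The sample log is constructed (two lines copied from the post, two invented neighbours), `<servername>` is kept as the post's placeholder, and the year is assumed to be 1999 because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two entries quoted in the post plus two invented
# neighbouring lines. "<servername>" is the placeholder used in the post.
SAMPLE_SYSLOG = """\
Dec 11 23:59:02 <servername> sshd[412]: log: Connection from 192.0.2.10 port 1022
Dec 12 00:08:11 <servername> exiting on signal 15
Dec 13 10:34:18 <servername> syslogd 1.3-3#31: restart.
Dec 13 10:34:20 <servername> kernel: Linux version 2.0.37 (root@build) #1
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host message" (no year, day may be space-padded).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# syslogd's own shutdown notice; signal 15 is SIGTERM, i.e. someone asked it to stop.
STOP_RE = re.compile(r"^exiting on signal (\d+)$")
# syslogd's startup banner, as in "syslogd 1.3-3#31: restart."
RESTART_RE = re.compile(r"^syslogd .*: restart\.$")


def parse_ts(ts, year):
    """Attach an assumed year (syslog omits it) and parse the timestamp.
    Year rollover inside one file (Dec -> Jan) is not handled here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_lines(text, year=1999):
    """Yield (timestamp, host, message) for every well-formed syslog line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield parse_ts(m.group("ts"), year), m.group("host"), m.group("msg")


def find_logging_gaps(text, year=1999, max_gap=timedelta(hours=1)):
    """Return one record per silence longer than max_gap between consecutive entries.

    Each record says when logging stopped and resumed, how long it was silent,
    which signal (if any) syslogd reported exiting on just before the silence,
    and whether the first entry afterwards is syslogd's own restart banner.
    A deliberate SIGTERM to syslogd followed by a long silence is exactly the
    pattern that must be explained before the later log contents are trusted.
    """
    gaps = []
    prev = None
    for ts, host, msg in parse_lines(text, year):
        if prev is not None and ts - prev[0] > max_gap:
            stop = STOP_RE.match(prev[2])
            gaps.append({
                "stopped_at": prev[0],
                "resumed_at": ts,
                "gap": ts - prev[0],
                "stop_signal": int(stop.group(1)) if stop else None,
                "resumed_by_syslogd_restart": bool(RESTART_RE.match(msg)),
            })
        prev = (ts, host, msg)
    return gaps


def describe(gap):
    """Human-readable one-liner for a gap record."""
    hours = gap["gap"].total_seconds() / 3600
    how = (f"syslogd exited on signal {gap['stop_signal']}"
           if gap["stop_signal"] is not None
           else "last entry was not a syslogd exit")
    return (f"no log entries for {hours:.1f} h "
            f"({gap['stopped_at']:%b %d %H:%M:%S} -> {gap['resumed_at']:%b %d %H:%M:%S}); "
            f"{how}; resumed by syslogd restart: {gap['resumed_by_syslogd_restart']}")


if __name__ == "__main__":
    for g in find_logging_gaps(SAMPLE_SYSLOG):
        print(describe(g))
```

Run against a real `/var/log/syslog` (or `messages`) with `find_logging_gaps(open(path).read())`; lowering `max_gap` surfaces shorter silences as well. The gap itself does not distinguish an intruder who stopped syslogd from an administrator's shutdown or a hung machine, so the output is a list of intervals to account for against other sources (wtmp/lastlog, the remote loghost if one exists, filesystem timestamps), not a verdict.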
