Help detecting possible intrusion
Hello.
Today I found one of my servers (Woody on an uml kernel) was down.
It's in another country, but I can admin it remotely. I rebooted it
(uml lets you do that), and found a couple of strange things.
- AIDE tells me all /dev and some tty devices were created right
before the server crashed:
Example:
changed:/dev
changed:/dev/ttyp0
changed:/dev/ttyp1
changed:/dev/ttyp2
changed:/dev/ttyp3
changed:/dev/ttyp4
changed:/dev/ttyp5
changed:/dev/ttyp6
changed:/dev/ttyp7
...
Directory: /dev
Ctime : 2003-09-01 16:48:44 , 2003-09-25 18:53:30
File: /dev/ttyy3
Ctime : 2003-09-01 16:48:42 , 2003-09-25 18:53:24
What does that mean?
- We run bsd-ftpd, and "last" tells me:
ftp ftp xxxxxxxxxxxxxxxx Thu Sep 25 18:57 - 18:57 (00:00)
ftp ftp xxxxxxxxxxxxxxxx Thu Sep 25 18:57 - 18:57 (00:00)
This was right after reboot (if not during it). But the ftpd logs say
nothing about this guy. Does bsd-ftpd only log transferred files, or
does it also log logins?
There was nothing in kern.log and syslog showing why it crashed. The
company hosting this says their UPS and backup generators would hold
the system up and running in case of a power outage...
chkrootkit finds nothing strange (I rsync'ed a new version to the server,
didn't trust the one there).
Does that sound too bad? I'm particularly worried about the /dev/
ctimes changed before the crash.
Any ideas?
Thanks!
J.
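Added example, not part of the original post: a small Python script that turns the AIDE ctime pairs and the `last` lines into one timeline around an assumed crash time, so the sequence "/dev ctimes changed shortly before the crash, ftp logins right after the reboot" can be checked at a glance. The sample input, the year for `last` (which prints none) and the crash time are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the AIDE and `last` lines quoted in the
# post (remote address masked as in the original); not real output.
AIDE_REPORT = """\
Directory: /dev
Ctime : 2003-09-01 16:48:44 , 2003-09-25 18:53:30
File: /dev/ttyp3
Ctime : 2003-09-01 16:48:42 , 2003-09-25 18:53:24
"""
LAST_OUTPUT = """\
ftp      ftp      xxxxxxxxxxxxxxxx Thu Sep 25 18:57 - 18:57 (00:00)
ftp      ftp      xxxxxxxxxxxxxxxx Thu Sep 25 18:57 - 18:57 (00:00)
"""
ASSUMED_CRASH = datetime(2003, 9, 25, 18, 55)  # assumption: last syslog entry before the gap

CTIME_RE = re.compile(r"Ctime\s*:\s*(\S+ \S+)\s*,\s*(\S+ \S+)")
LAST_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3} (\w{3} \d+ \d\d:\d\d)")

def parse_aide(report):
    """Return (new_ctime, kind, path) for each File:/Directory: entry in an AIDE detail report."""
    events, path = [], None
    for line in report.splitlines():
        if line.startswith(("File: ", "Directory: ")):
            path = line.split(": ", 1)[1]
        m = CTIME_RE.search(line)
        if m and path:
            events.append((datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"), "aide ctime", path))
    return events

def parse_last(output, year):
    """Parse `last` lines; the year is not printed, so the caller supplies it."""
    events = []
    for line in output.splitlines():
        m = LAST_RE.match(line)
        if m:
            when = datetime.strptime(f"{m.group(4)} {year}", "%b %d %H:%M %Y")
            events.append((when, "login", f"{m.group(1)} from {m.group(3)}"))
    return events

def timeline(events, crash, before=timedelta(minutes=10), after=timedelta(minutes=10)):
    """Keep events inside the window around the crash, sorted, with their offset in minutes."""
    keep = [e for e in events if crash - before <= e[0] <= crash + after]
    return [(e[0].isoformat(sep=" "), f"{(e[0] - crash).total_seconds() / 60:+.0f} min", e[1], e[2])
            for e in sorted(keep)]

if __name__ == "__main__":
    for row in timeline(parse_aide(AIDE_REPORT) + parse_last(LAST_OUTPUT, 2003), ASSUMED_CRASH):
        print(*row)
```

A real run would feed it the full AIDE report and `last -f /var/log/wtmp` output; anything else with a ctime inside the window (binaries, /etc, cron entries) belongs on the same timeline.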