
Re: Weird server mystery: self-reset, mostly



On Tue, 25 Jan 2011, will trillich wrote:
> In kern.log there's only
> Jan 23 23:04:59 darth kernel: [64084756.601774] exploit[25161]: segfault at
> 10c00b ip 00000000 sp deadc01d error 6
> Jan 23 23:05:08 darth kernel: [64084765.528734] NET: Registered protocol
> family 5

There is no mystery.  Your system has been compromised.  Get post-mortem
backups done for forensic purposes, wipe the box, and proceed to a full
reinstall.

Kindly don't leave that thing connected to the network for now, as it is
likely being used as a botnet C&C node, or as an attack platform.

Based on the uptime and "debian_version" data you provided, whoever
takes care of that system has been very negligent with security updates.
It is no wonder it got rooted.  Let that be a lesson for the future.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

