[Cialug] Suspicious Server

Josh More morej at alliancetechnologies.net
Thu Oct 11 09:47:00 CDT 2007


A problem process could lock up ps and, by extension, chkroot.  A reboot
would certainly clear this.

Depending on the data on this server, you need to first decide if you
wish to prosecute should it be compromised.  If so, either contact your
lawyer about proper evidentiary procedure or get yourself a security
consultant.  If not, pull the box off the net and give it a reboot.  Go
into "emergency" mode and run both chkrootkit and rkhunter.  Then,
reboot into init 3 and run them both again.  If they catch anything, you
know your problem.  If they don't, you're likely dealing with corruption
or neutrinos.

To track corruption, first get the latest http://www.memtest.org/ and
test that RAM.  If that passes, go back to emergency mode and run an
fsck on each volume.  Once you know your RAM and disks are good, you can
run an integrity test against the RPM database.  I assume you can do
similar with DEB, portage, etc.

If your disks and RAM are good, your packages check out, and you are
reasonably certain that you don't have a rootkit, you can either blame
neutrinos or rebuild the box.  Your business use will determine that.



-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701
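The "integrity test against the RPM database" in the reply is `rpm -Va`, whose output lists every packaged file whose size, mode, digest, owner or mtime differs from what the package recorded. As an added example (not from the thread), the script below triages that output: it feeds in a constructed sample of `rpm -Va` lines and keeps only missing files and non-config, non-doc files whose size, mode or digest changed, which is the set that points at a replaced binary rather than routine drift. The sample lines and the `rpm_verify_triage` function name are my own.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not captured from a real host).
# Field 1: verify flags (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; "." = unchanged).
# Optional field 2: file attribute (c config, d documentation, ...).
# Last field: path.  A line starting with "missing" means the file is gone.
SAMPLE_RPM_VA='S.5....T.    /bin/ps
.......T.    /usr/share/doc/foo/README
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/w
.M.......    /usr/bin/top
.......T.  d /usr/share/man/man1/ls.1.gz'

# Read `rpm -Va` output on stdin and print the lines worth looking at first:
#   MISSING  <path>          packaged file no longer on disk
#   CHANGED  <flags> <path>  size, mode or digest differs from the package
# Config ("c") and documentation ("d") files are skipped because they change
# legitimately, and mtime-only differences are ignored as noise.
rpm_verify_triage() {
    awk '
        $1 == "missing" { print "MISSING  " $NF; next }
        {
            flags = $1
            # the attribute letter is present only when there are 3 fields
            attr = (NF == 3) ? $2 : ""
            if (attr == "c" || attr == "d") next
            if (flags ~ /^S/ || substr(flags, 2, 1) == "M" || substr(flags, 3, 1) == "5")
                print "CHANGED  " flags "  " $NF
        }'
}

# Usage: pipe real output in with `rpm -Va | rpm_verify_triage`; here the
# constructed sample is used so the script runs offline.
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_triage
```

A hit on something like /bin/ps or /usr/bin/w is exactly the case in the original question, where those tools hung; the verify step should be run from a known-good environment (emergency mode, as the reply suggests) because a compromised rpm binary would report itself clean.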



>>> "Jonathan C. Bailey" <jbailey at co.marshall.ia.us> 10/11/07 9:22 AM
>>> 
I've got a server that was acting a bit suspicious... I could SSH to it
and navigate through files (ls/cd/cat/tail) without any issue, but if I
tried to run a utility like ps/w/kill/chkrootkit, the SSH session would
just hang. I rebooted the box and all seems to be fine and chkrootkit
doesn't show anything out of place. The other utilities work as normal.
This machine only has port 22 open to the world and only allows public
key auth to it. Any thoughts on if this is truly suspicious, or is there
something else that could cause these commands to just hang?


-Jon
