[ale] remote investigation

Dow Hurst dhurst at kennesaw.edu
Tue Sep 2 13:59:16 EDT 2003


I was reading the responses and started thinking that if you were
compromised then your netstat and other system analysis binaries would
be compromised.  Do you have another machine on the same LAN that can be
used to watch this server?  If you're still root, then stop the services
you expect to have traffic and watch the machine's input and output.  You
really can't trust what is on the server until you check your binaries
from known good media such as a CD.  It is always a lot of work to go
through the process you're going through.  You know, you can always use
Bob's checklist in Real World Linux Security to work through checking
your machine.  Unfortunately, there isn't an easy path separate from
booting from known good media.  If you have a tripwire database or
current tar archive burned on a tomsrootboot CD then you're golden.
Hard to keep up with though if you're running constant patching.

Bob set up one SGI with a reasonably hardened IRIX setup using the
guidelines in his book and the IRIX firewall ipfilterd for a web server
running Apache.  I've got a tripwire database on tape and a tape backup
of the known good state.  If I get signals that the machine is
compromised, I can take it down and run the tripwire check from the
miniroot off the IRIX boot CD.  Still means I am down until done.
Dow


John Wells wrote:

>Guys,
>
>Came back from the Labor Day holiday and my mail server/web server is acting
>rather odd.
>
>Services respond rather slowly, and sometimes not at all.  When services
>stop responding, I can still hit the router, so I know it has to be the
>server itself.
>
>I'm currently logged in remotely and everything seems good, if not slow, but
>I expect it to freeze soon (it has a few times in the last hour or so).
>When it freezes, I can usually get a response after about 20 minutes or so.
>
>The odd thing is, when services do "freeze" up, I can still telnet to a port
>on the machine, like 25 for smtp, and get a connection.  However, the SMTP
>server fails to respond and I just sit there.
>
>I guess I'm kind of at a loss as to what sort of investigation I can do
>remotely.  I suppose the best way to see what's going on is to attempt to
>repeat the problem from home with a monitor connected and to see if it's
>actually doing anything during these timeouts, but I'd like to come home
>armed with any equipment that might be required.
>
>Anyone had a similar experience in the past?  Does this sound like a
>possible bad NIC/hard drive/etc?  My first thought was that the box may have
>been compromised, but it'd be a weird attack to let someone in every few
>minutes or so.  Netstat doesn't show anything unusual going on when I'm in,
>at least.
>
>Any tests I could run against NIC/hard drive/etc to check for malfunctioning
>hardware?
>
>Thanks for humoring the grasping at straws.  I'm frustrated, and clear
>thought is not currently an option... ;-)
>
>John
>

-- 
Dow Hurst                  Office: 770-499-3428
Systems Support Specialist    Fax: 770-423-6744
1000 Chastain Rd. Bldg. 12
Chemistry Department SC428  Email:   dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
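Dow's point above is that the binaries on a possibly compromised box (netstat included) cannot be trusted, and that the only sound check compares the system against a baseline kept on known-good media. The script below is an added example of that kind of tripwire-style check, not code from the list or from Dow; it assumes a coreutils-style sha256sum and that TRUSTED_BIN, if set, points at a read-only mount of known-good tools (for example a CD), with the manifest kept on the same media.

```shell
#!/bin/sh
# Tripwire-style integrity check: record digests of system binaries while the
# machine is known good, then compare the live files against that record.
# TRUSTED_BIN (assumed, e.g. /mnt/cdrom/bin) is a known-good tool directory;
# when it is set, sha256sum is taken from there, not from the suspect PATH.
TRUSTED_BIN="${TRUSTED_BIN:-}"

# hash_of <file>: print the hex SHA-256 digest of one file.
hash_of() {
    "${TRUSTED_BIN:+$TRUSTED_BIN/}sha256sum" "$1" | while read -r sum _; do
        echo "$sum"
    done
}

# baseline <manifest> <file>...: write "digest path" lines for each file.
# Burn the resulting manifest to read-only media so it cannot be edited later.
baseline() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        echo "$(hash_of "$f") $f" >> "$manifest"
    done
}

# verify <manifest>: print OK / CHANGED / MISSING per file; return 1 if any
# file differs from the baseline, 0 if everything matches.
verify() {
    manifest="$1"; bad=0
    while read -r sum path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(hash_of "$path")" = "$sum" ]; then
            echo "OK $path"
        else
            echo "CHANGED $path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Usage: ./check.sh baseline /cdrom/manifest /bin/netstat /bin/ps /bin/ls
#        ./check.sh verify /cdrom/manifest
case "${1:-}" in
    baseline) shift; baseline "$@" ;;
    verify)   shift; verify "$@" ;;
esac
```

A clean run is only meaningful when the script and sha256sum themselves come from the trusted media; running it from the suspect disk tells you nothing.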


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale