[Ubuntu-PH] Ubuntu Dapper machine behaved like it crashed, but logs say that cron scripts still ran while it was "down".

Aldous D. Penaranda aldous at penaranda.name
Mon Mar 26 08:10:32 UTC 2007


We're running an up-to-date Dapper machine and here's what
/var/log/messages says

Mar 22 21:54:48 myhostname -- MARK --
Mar 22 22:14:48 myhostname -- MARK --
Mar 22 22:25:59 myhostname kernel: [47037780.820000] ip_tables: (C) 2000-2002 Netfilter core team
Mar 22 22:55:30 myhostname -- MARK --
Mar 23 03:58:48 myhostname syslogd 1.4.1#17ubuntu7: restart.

We noticed that the machine was "down" around 10:50 PM. We tried to
ping, ssh and access httpd but failed. We just thought it was a
network issue on our provider's side.

After a couple of hours, one of us tried accessing it from another
location/route and was able to ping the machine. I tried logging in to
my other server and then pinging from there worked. ssh didn't work,
but telnet to port 22 gave me the SSH banner.

What could be the possible reason why the machine stopped logging "--
MARK --" to /var/log/messages but cronjobs still continued to run
during the downtime (11PM until the 4AM reboot)? Is the kernel
ip_tables log entry relevant?

We were told that our server was compromised as it tried to contact
some hosts via FTP. I tried running chkrootkit and rkhunter but I
didn't find anything suspicious. Could it have just been an attempt to
exploit a vulnerable PHP script?

Any hints/pointers would be very much appreciated.

-- 
aldous at penaranda.name
http://aldous.penaranda.name/
GPG: 0xD6655C18
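The question above is essentially whether syslog went silent while the host kept running. One way to check that across a whole log is to scan for stretches longer than about two MARK intervals in which syslogd wrote nothing at all (not only MARK lines, since sysklogd suppresses a MARK when another message already reached the file within the interval). The following is an added example, not code from the poster; it assumes the default 20-minute mark interval and that all lines fall in one year, and uses the log lines quoted above as sample input.

```python
import re
from datetime import datetime, timedelta

# Sample input: the lines quoted in the post above (kernel line unwrapped).
SAMPLE_LOG = """\
Mar 22 21:54:48 myhostname -- MARK --
Mar 22 22:14:48 myhostname -- MARK --
Mar 22 22:25:59 myhostname kernel: [47037780.820000] ip_tables: (C) 2000-2002 Netfilter core team
Mar 22 22:55:30 myhostname -- MARK --
Mar 23 03:58:48 myhostname syslogd 1.4.1#17ubuntu7: restart.
"""

# Traditional syslog stamp: "Mar 22 21:54:48 host ..." (no year recorded).
_SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def parse_syslog_timestamp(line, year):
    """Return the datetime of a syslog line, or None if it has no stamp.
    The year is an assumption supplied by the caller."""
    m = _SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hms = m.groups()
    return datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")


def find_silence_gaps(lines, year, max_silence=timedelta(minutes=40)):
    """Return (gap_start, gap_end, seconds) for every stretch in which syslogd
    wrote nothing for longer than max_silence.  Any line counts as activity;
    a single missing MARK is normal, two or more intervals of silence is not."""
    gaps = []
    prev = None
    for line in lines:
        ts = parse_syslog_timestamp(line, year)
        if ts is None:
            continue
        if prev is not None and ts - prev > max_silence:
            gaps.append((prev, ts, int((ts - prev).total_seconds())))
        prev = ts
    return gaps


if __name__ == "__main__":
    for start, end, secs in find_silence_gaps(SAMPLE_LOG.splitlines(), 2007):
        print(f"syslog silent {start} -> {end} ({secs // 60} min)")
```

Run against the real file (with the correct year) and compare each reported gap with /var/log/syslog and cron entries from the same window; cron jobs logged by another path during a gap point at syslogd or the disk, not the whole host, being stalled.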
