LinuxSA Mailing list archives

  From: Andreja Zivkovic <andy@zt.zivkotech.net.au>
  To  : linuxsa@linuxsa.org.au
  Date: Sat, 15 Apr 2000 23:28:08 +0930

What could have happened to my machine?

Hi,

First off, sorry if this e-mail's long, but I don't know what info is
relevant to the problem :(

I just had something very strange happen to my linux box. It's up 24/7, as it's
hosting a permanent internet connection, and all services needed to host a
domain and serve a LAN. It's not a particularly powerful machine and not a
lot of RAM (especially for how many services run at the same time), but it's
been working for over 12 months, and I've never had a serious problem
before.

To be more specific, the machine is a Pentium 133, 16meg of RAM. The machine
was originally installed with RedHat 6.0, but once I got the RedHat 6.1 CD,
I upgraded most packages (manually), although there would be some RedHat 6.0
packages there. I definitely upgraded glibc, squid, apache, and all other
programs which serve some service.

Anyway, the machine was working fine, successfully serving e-mail by a POP3
server, and squid was getting and transmitting web pages (this is the most
common thing my box does). I stopped accessing the 'net for a few hours, so
the machine would have been idle, then my mum tried to get her e-mail.
Outlook Express claimed the POP server responded with something like "unable
to load or load shared file /lib/libnsl.so.1". I can't remember exactly
what it said, or what exactly the file was, and I didn't write it down,
since I thought just re-installing an rpm would work.

So, I then tried to telnet in, but the server's only output was
"in.telnetd", then it closed the connection. I then went to the machine, and
tried to log in at the keyboard. I typed in my user name, then pressed
enter, then the screen cleared, and the login prompt came back. This would
continuously happen every time I entered anything at the "user name:" prompt.

I then tried a ctrl-alt-del, and it immediately went to the stage of shutdown
that normally happens once init has stopped all the services in
/etc/rc.d/init.d (it says something like "sending all processes a ?????
signal". I can't remember in which order it normally says it, but it said
the first AND second ones). It didn't, however, show each program being shut
down, with or without a [success] or [failed] at the edge of the screen. It
then froze there, and I had to press the reset button.

When the machine started normally, and apart from doing a fsck, everything
was perfectly normal. Once the startup scripts finished, everything worked
normally. Logging in, telnetting in, getting e-mail, squid's proxying, etc.
I had a look through /var/log/message and /var/log/secure, but there was
nothing out of the ordinary.

Well, that's it. I have no idea what could have happened or what to do (to
stop this happening again). My only two guesses are that the software or
hardware has some strange, once-off error, which caused everything to stuff
up. My only other guess is that someone 'hacked' the box. All my files seem
to be still there, all services seem to work, my web site is still the same,
so if the box was hacked, all they did was cause the server to stop
responding properly.

If anyone has any ideas, please suggest them. I've never had a serious
problem before. I've been port scanned many times before (who hasn't?), but
otherwise I don't know of security being compromised in any way.

Thanks,
Andy

PS. Again, sorry that it's so long. I certainly hope I haven't forgotten to
give any information that may actually be useful :)

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject

