Run a chkrootkit utility and it will tell you a lot of info. It won't tell you everything but it may give you a higher level of confidence that it was not hacked, or of course give you areas of concern if it does find something.

I agree, it looks suspicious at first glance. Some things look bad but aren't; for example it may come back and show a port open in the range of 32-thousand-something (32769?) - can't remember the exact one but further googling revealed that Fedora leaves one in that area open. When I ran it recently I was concerned about some things being open but I was happy to see that other than a very few other standard well known ports open for good reason, Fedora was pretty darn secure.

Chkrootkit will do a lot other than ports, however. Check out http://freshmeat.net/projects/chkrootkit/

Hope that helps some

Marc

On 4/13/05, Bob Brennan <rbrennan96@xxxxxxxxx> wrote:
> On 4/13/05, Kristina Clair <kclair@xxxxxxxxx> wrote:
> > On 4/13/05, Bob Brennan <rbrennan96@xxxxxxxxx> wrote:
> > > On 4/13/05, Kristina Clair <kclair@xxxxxxxxx> wrote:
> > > > Did you do a traceroute or any other network diagnostic to make sure
> > > > that you were actually able to reach the server? It sounds like a
> > > > networking problem...
> > > >
> > > > Kristina
> > >
> > > Hi Kristina - FTP and mailserver (the only other 2 open services) were
> > > responding quickly and correctly throughout the outage - all running
> > > on the same machine.
> > >
> >
> > Hmmm. I was confused about this point:
> > * all access_log and error_log for all sites - showed 5 users using
> > the sites at the time but nothing unusual
> >
> > Did you mean that 5 users were using the sites right before it became
> > inaccessible, or that there were people actually using the site when
> > you couldn't reach it?
>
> There were log entries on several of my virtual domains right up to
> the minute that the webserver became unresponsive - at least 5
> separate IP addresses at the time. I noticed the problem when
> Squirrelmail timed out on a refresh. There are no log entries on any
> of the sites for the next 20 minutes.
>
> > Also, did you check all the domains that apache is configured to serve?
>
> Yes I checked all domains, including the IP address itself. Even
> "telnet myserver.net 80" would not connect. "telnet myserver.net 21"
> and 25 responded as expected.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list