Re: [vox] What happens internally to Linux when it is in password limbo?
I'd say you're in big trouble... and the password is the
least of your troubles.
Your top output shows only 3% idle but 0 for user and
system... you're missing 97% of your CPU utilization. I've
not experienced it, but they say that when a box is
hacked with a root kit they can replace some of your
binaries to hide their activities. Specifically I've
seen 'ps' and 'top' listed as those replaced.
Theoretically, somebody can log in, replace top with a
program that will show everything but their application,
then wipe out the entries in the logs that show when
they logged in (including any giveaways
in /var/log/messages which is the default syslog for RH
6.1).
I'd say pull the network cable and don't plug it back in
until the system has been rebuilt. I'd grab my most
important config files (probably sendmail.cf since this
seems to be your e-mail server) and then comb through
them very carefully before using again.
Also, RH 6.1 is a very old distro with many problems.
I'd suggest at least moving up to RH 7.1 if you wanted
to stay with RH, but for pure server builds I've
switched to debian.
But no matter what you do, please pull the plug soon. No
telling what that box is being used for without your
knowledge. And I'd bet good money that it's being used
for something that you don't know about.
"Of course that's just my opinion, I could be wrong"
-Doug
> The sendmail on a 200MHz recently slowed to a crawl on a Red Hat 6.1
> system. Authorization took up to 3 minutes on machines running Outlook
> Express. The day after I changed the root password from an easily guessable
> password, the machine had all the speed you could hope for. But since I
> have not yet restarted any of the services or rebooted, the old password
> still works even though through linuxconf the password has been changed.
> Does this make any sense to anyone? There is nothing too suspicious in the
> access logs, mainly just some failed anonymous FTP access. Running top used
> to show less than 1k of memory free and around 56 processes sleeping, 1
> running. This is what it shows now:
>
> 10:57am up 4 days, 2:34, 1 user, load average: 0.00, 0.00, 0.00
> 57 processes: 56 sleeping, 1 running, 0 zombie, 0 stopped
> CPU states: 0.0% user, 0.0% system, 0.0% nice, 3.0% idle
> Mem: 63124K av, 57252K used, 5872K free, 35124K shrd, 18276K buff
> Swap: 157208K av, 0K used, 157208K free 22416K cached
>
> PID USER PRI NI SIZE RSS SHARE STAT LIB %CPU %MEM TIME COMMAND
> 10697 dpwebste 18 0 1020 1020 816 R 0 4.7 1.6 0:00 top
> 1 root 0 0 460 460 388 S 0 0.0 0.7 0:03 init
> 2 root 0 0 0 0 0 SW 0 0.0 0.0 0:00 kflushd
> 3 root 0 0 0 0 0 SW 0 0.0 0.0 0:00 kupdate
> 4 root 0 0 0 0 0 SW 0 0.0 0.0 0:00 kpiod
> 5 root 0 0 0 0 0 SW 0 0.0 0.0 0:00 kswapd
> 6 root -20 -20 0 0 0 SW< 0 0.0 0.0 0:00 mdrecoveryd
> 99 root 0 0 44 44 20 S 0 0.0 0.0 0:00 mingetty
> 358 bin 0 0 476 476 388 S 0 0.0 0.7 0:00 portmap
> 374 root 0 0 464 464 396 S 0 0.0 0.7 0:00 apmd
> 427 root 0 0 528 528 428 S 0 0.0 0.8 0:03 syslogd
> 438 root 0 0 752 752 388 S 0 0.0 1.1 0:00 klogd
> 454 daemon 0 0 484 484 404 S 0 0.0 0.7 0:00 atd
> 470 root 0 0 600 600 504 S 0 0.0 0.9 0:00 crond
> 490 root 0 0 484 484 408 S 0 0.0 0.7 0:00 inetd
> 506 root 0 0 488 488 408 S 0 0.0 0.7 0:00 lpd
>
> I would be curious to hear from anyone with theories, or if you could
> recommend a book that goes into great depth into the inner workings of Linux
> I would appreciate it.
>
> Danny
>
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox
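As an added example (not from either poster), the two checks Doug's reply implies, written for a defender: the `top` CPU summary line should account for roughly 100% of CPU time, and a process the kernel lists under /proc but a possibly replaced `ps` omits is a sign of a trojaned procps. It assumes a Linux /proc and a `ps` that accepts `-e -o pid=`; the sample line is the one quoted above.

```python
import os
import re
import subprocess

# Constructed sample: the CPU summary line from the quoted top output.
SAMPLE_CPU_LINE = "CPU states: 0.0% user, 0.0% system, 0.0% nice, 3.0% idle"


def cpu_accounting_gap(top_cpu_line):
    """Percent of CPU time the top summary line does not account for.

    Old procps prints user/system/nice/idle, which should sum to about 100%.
    A large gap is the symptom Doug points at: time spent where top no
    longer reports it (the sample line yields 97.0).
    """
    pcts = [float(v) for v in re.findall(r"([0-9.]+)%", top_cpu_line)]
    return round(100.0 - sum(pcts), 1)


def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel exposes in /proc but ps does not list.

    This only catches a replaced userland ps/top; a kernel-level rootkit
    can filter /proc as well, so an empty result is not a clean bill.
    """
    return sorted(set(proc_pids) - set(ps_pids))


def read_proc_pids():
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def read_ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


if __name__ == "__main__":
    print("unaccounted CPU in sample line: %.1f%%"
          % cpu_accounting_gap(SAMPLE_CPU_LINE))
    before = read_proc_pids()          # snapshot /proc first ...
    suspects = hidden_pids(before, read_ps_pids())  # ... then ask ps
    # Drop PIDs that simply exited between the two reads (race), keep the
    # ones still alive: those are the real discrepancies worth a look.
    still_alive = [p for p in suspects if os.path.isdir("/proc/%d" % p)]
    print("PIDs in /proc but not in ps:", still_alive or "none")
```

Run it as root so every /proc entry is readable; compare against a known-good `ps` copied from clean media if the live one is suspect.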