On Tue, 2005-12-20 at 22:51, Carl Keil wrote:
Les Mikesell wrote:I believe that my computer was broken into via webmin right before all this started happening(there was an unauthorized login as root from a church in town), but I couldn't find any signs of damage, other than my computer crashed the next day.
Chances are that parts of your system have been replaced, including versions of ls, ps, and netstat that keep you from seeing anything different. You might try the rootkit hunter http://www.rootkit.nl/projects/rootkit_hunter.html to see if it can identify anything, but the safest approach would be to reinstall from scratch.
I tried the rootkit hunter and it turned up absolutely no trace of a rootkit. I know this isn't definitive, but I think I'm going to cross my fingers and hope for the best. I've changed the root password, and now I turn webmin on via ssh when I need it and shut it down when I'm through. Thanks for suggesting this program. I'm beginning to suspect that the hacking and the crashing are just an odd coincidence.
Eric Harrison Wrote:
One thing that happens late at night are the jobs in /etc/cron.daily/ Some of these jobs can chew up a lot of memory. You might want to run memtest on this box to see if you have a bad stick of ram.
This was it! I ran memtest and it turned up 4000 errors on one stick of ram before it was even 30% through. I replaced that stick and I've 2 days of uptime since. Yay! Thank you very much.
Happy Holidays! ck