manojoswal
asked on
Server stopped working all of the sudden, possible attack?
Hello All,
We have a server running with RHE 3, Apache, Php, Mysql and Bind. It's our main production server.
Now the problem we faced day before was something very weird. All of the sudden all the services on the server stopped responding, we couldn't ssh into the server, we couldn't see the sites, couldn't fetch mails and so on.
We could ping the server though, ping was going fine, but we just couldn't access the server in any way.
Now the question I would like to ask you guys is, if such problem occurs again, how to trace it. I tried to check /var/log/messages but all I found were portsentry's messages.
If we were under attack, or if the server was hacked, how do we trace it? Are there any guidelines or links through which we can possibly know what cause our server to respond all of the sudden?
Thanks in Advance.
We have a server running with RHE 3, Apache, Php, Mysql and Bind. It's our main production server.
Now the problem we faced day before was something very weird. All of the sudden all the services on the server stopped responding, we couldn't ssh into the server, we couldn't see the sites, couldn't fetch mails and so on.
We could ping the server though, ping was going fine, but we just couldn't access the server in any way.
Now the question I would like to ask you guys is, if such problem occurs again, how to trace it. I tried to check /var/log/messages but all I found were portsentry's messages.
If we were under attack, or if the server was hacked, how do we trace it? Are there any guidelines or links through which we can possibly know what cause our server to respond all of the sudden?
Thanks in Advance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
1. We then got the server rebooted, since then its running fine.
2. We keep a good vigil on it, till the moment it stopped responding, we had adequate memory and CPU free. (its a dual xeon with 1 gb ram, SCSI and RAID) so the process that caused it was a sudden one.
3. There are no signs of DDOS or DOS.
4. We need to know exactly how we could go about finding the cause of this failure. What logs, what we should look for in it.
5. We have trip wire, it shows really nothing serious.
are there some links or guidlines somewhere that will guide us to track activity and find all possible traces of the cause of the problem.
regards
manoj
2. We keep a good vigil on it, till the moment it stopped responding, we had adequate memory and CPU free. (its a dual xeon with 1 gb ram, SCSI and RAID) so the process that caused it was a sudden one.
3. There are no signs of DDOS or DOS.
4. We need to know exactly how we could go about finding the cause of this failure. What logs, what we should look for in it.
5. We have trip wire, it shows really nothing serious.
are there some links or guidlines somewhere that will guide us to track activity and find all possible traces of the cause of the problem.
regards
manoj
ASKER
we need to report to the client the cause of this failure, any guidelines or papers on the net that have clues to foresnic analsysis of an attack.
regards
manoj oswal
regards
manoj oswal
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Was the console still responsive? From the console could you initiate a network connection out to some other box (e.g., ssh some-local-host)? What was the load average on the box?
Is the server up to date (as in running up2date and allowing it to update the kernel)?