
Re: [cobalt-users] [RAQ3] Server down - suggestions please?!??



Tony,
Both Kate and I would like to attend the Shoshoni session.  Please count us in.

Have you identified a date yet?

Thanks.

Darlene

At 01:31 PM 3/22/2001 -0700, you wrote:
----- Original Message -----
> >> I've got a server down - the symptoms were that all name related
> >> services stopped - I've not installed any software lately, in fact,
> >> nothing since 1st of Feb, and there have been reboots since then.
> >>
> >> On the server, mail isn't working, DNS is not starting up, the
> >> machine is also running VERY slow, and it was running wild with
> >> memory earlier - ie, it used all physical RAM and about 10% of swap - my
> >> hosting company said that I needed more ram, which I knew to be
> >> false, but to keep them quiet I got them to install 128Mb of extra
> >> ram in the spare slot - no difference!
> >>
> >> Later today, the box went completely nuts again, and used all 192Mb
> >> of physical RAM and again, about 10% of available swap.
> >>
> >> Now I have a box that won't start mail or named on startup, or from
> >> the shell, plus about 60 hosting clients on the box, all on IP
> >> hosting, and none of their sites can be seen - HELP!!!!
> >>
> >------------------reply-----------------------
> >When this happened to our raq3, it was due to us being hacked into.
> >They got in through the BIND exploit. I am not sure the exact fix,
> >because tech support was supplied by the company we lease our server
> >from. You could run some checks on your package files. I don't have
> >the exact commands here, they are at the office. If you still need
> >help with this, let me know, and I can grab my docs. Hope this helps.
>
>
>
> Bind was updated to the latest version on the 1st of Feb - I would be
> interested in knowing the exact symptoms, and of course the remedy!
>
> thanks
>
> Greg
>

-----------------reply--------------------
As far as symptoms go, all of our DNS was down. Sites could only be
reached with their IP #, and of course no virtual sites could be
reached, also about 50% of all the email accounts had to be deleted and
re-setup when the server was fixed.

I don't know exactly which package files tech support reloaded, but I
do know that they used rpm to verify files. It is done in 2 steps,
first there is a set of switches to use with rpm that will tell you
which package a file belongs to, then you can use rpm again to run a
checksum verification between the file and the package it came from.
Any files that don't match need to be extracted from the package to
replace the affected ones. I am assuming an intermediate level of
skill on your part with this information. I can provide you with more
detailed instructions if you require it. You also want to check for
out of place scripts running in your crond or various cron
directories.
Hope this helps.

After replacing all the hacked files, you need to install all the
updates from cobalt.
--------------------------------------------------------------------
Cheers, Dave Reid (Night Rider)
Never engage in a battle of wits unarmed
--------------------------------------------------------------------


***********************************************************************************
Darlene H. Hartman-Hallam               Darlene@xxxxxxxxxxxxxxxxxxx
M.S. Instructional Technology           Microsoft Certified Professional
Fremont County School District #38      Arapahoe School
(307)856-9333 ext. 128 voice                    (307)856-2440 fax
***********************************************************************************
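
The two-step rpm check and the cron review that Dave describes, as an added example that is not part of the original thread. It assumes the switches he means are `rpm -qf` (which package owns a file) and `rpm -V` (verify a package's files); the function names, the default cron paths and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). SAMPLE_VERIFY is constructed
# `rpm -V` output, not taken from a real host.
SAMPLE_VERIFY='S.5....T.    /usr/sbin/named
.......T.  c /etc/named.conf
S.5....T.  c /etc/crontab
missing     /usr/bin/dig
.M.......    /var/named
..5......    /bin/ps'

# Read `rpm -V` lines on stdin. A "5" in column 3 means the file digest no
# longer matches the package. Config files (marker "c") are reported
# separately because local edits are normal there; they still need a read.
flag_modified() {
    awk '
        $1 == "missing"         { print "MISSING " $NF; next }
        substr($1, 3, 1) != "5" { next }
        $2 == "c"               { print "CONFIG " $NF; next }
                                { print "CHANGED " $NF }
    '
}

# The two steps from the post: `rpm -qf` maps a path to its owning package,
# `rpm -V` checks that package's files against the rpm database.
verify_owners() {
    for f in "$@"; do
        if pkg=$(rpm -qf "$f" 2>/dev/null); then echo "$pkg"
        else echo "UNOWNED $f" >&2; fi   # not from any package: inspect by hand
    done | sort -u | while read -r pkg; do
        rpm -V "$pkg" | flag_modified | sed "s|^|$pkg: |"
    done
}

# Cron files changed in the last N days (default paths are assumptions;
# pass directories explicitly to override).
recent_cron_files() {
    days=$1; shift
    [ "$#" -gt 0 ] || set -- /etc/crontab /etc/cron.d /etc/cron.daily /var/spool/cron
    find "$@" -type f -mtime "-$days" 2>/dev/null
}

if [ "$#" -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    verify_owners "$@"; recent_cron_files 60
else
    printf '%s\n' "$SAMPLE_VERIFY" | flag_modified   # offline demo
fi
```

Because `rpm -V` trusts the local rpm database and the `rpm` binary itself, a clean result on a compromised host is weaker evidence than a reported mismatch.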