Last weekend we had a mysterious breakdown of one of our servers... It is on a leased line, fixed IP, UPS. There were no power outages.

It has qmail, wu_ftpd, apache, sshd1, telnetd on it. It has all the patches on security.debian.org. DNS is 8.2.2p5-1 compiled by me from the potato source. Kernel is 2.0.37 with the UDMA66 patch for the PROMISE Ultra-ATA 66 controller which is on the kernel mirror. (The 2.0.38pre patch cannot be applied to the 2.0.38 kernel, and I don't know how to contact the author.) And I don't want to update the kernel to 2.2 because I don't know whether the RAID 1 array created with the 2.0 kernel can be used with the 2.2 kernel.

Anyway, Saturday evening I was logged in on the server and it was up and running. Sunday I could not log in on the server. The only port open on it under port 4000 was DNS. The next day the server was restarted manually. A whole day is missing from the syslog. The last message before the gap is:

Dec 12 00:08:11 <servername> exiting on signal 15

The following entry is:

Dec 13 10:34:18 <servername> syslogd 1.3-3#31: restart

What could this be? Is it possible that this is the result of a Denial-of-Service attack, or is it sure that someone broke in?

Robert Varga
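The gap the post describes (syslogd stopping on SIGTERM, then nothing until a manual restart a day later) is easy to overlook in a large syslog. The following is an added example, not the poster's code or anything from the original thread: it scans BSD-style syslog lines for syslogd stop/restart pairs and reports any gap longer than a threshold. The host name, the year and the surrounding sample lines are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample modelled on the two lines quoted in the post; the host
# name, the surrounding lines and the year are placeholders, not real data.
SAMPLE_SYSLOG = """\
Dec 11 23:58:40 srv sshd[412]: log: Connection from 192.0.2.10 port 1022
Dec 12 00:08:11 srv exiting on signal 15
Dec 13 10:34:18 srv syslogd 1.3-3#31: restart
Dec 13 10:34:20 srv kernel: Linux version 2.0.37
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host message" (no year).
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_stamp(stamp, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumed).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_syslog_gaps(text, year=1999, max_gap_seconds=600):
    """Pair every 'exiting on signal 15' (syslogd got SIGTERM) with the next
    'syslogd ...: restart' and return (stopped_at, restarted_at, gap_seconds)
    for pairs whose gap exceeds max_gap_seconds. A gap of a minute or two is
    a normal reboot; a gap of many hours means there is no local log record
    for that period, which is what the post describes. A stop with no restart
    before the end of the file is reported as (stopped_at, None, None)."""
    gaps = []
    stopped_at = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_stamp(m.group(1), year), m.group(3)
        if msg.endswith("exiting on signal 15"):
            stopped_at = ts
        elif stopped_at is not None and msg.startswith("syslogd") and msg.endswith("restart"):
            gap = int((ts - stopped_at).total_seconds())
            if gap > max_gap_seconds:
                gaps.append((stopped_at, ts, gap))
            stopped_at = None
    if stopped_at is not None:
        gaps.append((stopped_at, None, None))
    return gaps


if __name__ == "__main__":
    for stopped, restarted, gap in find_syslog_gaps(SAMPLE_SYSLOG):
        print(f"syslogd stopped {stopped}, restarted {restarted}, gap {gap} s")
```

Because local syslog is silent for the whole gap, the only evidence for that period has to come from elsewhere (remote syslog, the upstream router, or the disk itself), which is why forwarding logs off the box matters.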