[TriLUG] Server Oddness

Jason Tower jason at cerient.net
Fri Jul 2 10:00:40 EDT 2004


on many systems 4:02 is when the cron.daily jobs are run, so it may be 
the case that one of the cron jobs did something that resulted in a 
crash/panic/oops.

netstat -anp will show you all open ports and the name of the process 
that owns each one.  grep for the port number in /etc/services or google 
for it if you don't recognize one.

jason

On Friday 02 July 2004 09:34, Jason Purdy wrote:
> When I came into work today, our (Debian Woody) mail server wasn't
> responding (my previous SSH connection was 'hung' and IMAP/POP
> connections wouldn't work and pings were not responsive, either) and
> I went to the console and plugged in a monitor and it was a black
> screen (hitting the space bar or enter key didn't do anything).
>
> So I had to hit the server's reset key (ugh) ... about 15 minutes
> later after the auto fsck, everything looks ok.
>
> This is a publicly available server, so my main concern is that
> someone has r00ted me.  I have been keeping up to date on security
> patches that Debian puts out.
>
> I waded through logs (nothing suspicious, though there were several
> attempts to do one of those "/SEARCH [long uri]" in its apache
> access.log -- it was one of the last entries).  In /var/log/messages,
> I get a MARK every 20 minutes ... there's a big gap between the last
> mark at 3:56am and when I restarted the server at 8:46.  In the
> mail.log file, the gap starts at 4:08, so that's when I think
> something happened (I have a co-worker that POP's his mail every
> minute ;)).
>
> I also ran a 'chkrootkit', but that didn't turn anything up.
>
> I did a netstat -atu and there are a couple of entries there that I
> don't know about:
> tcp 0 0 *:32768 *:* LISTEN
> udp 0 0 *:821 *:*
> udp 0 0 *:1111 *:*
>
> Is there any way to see what process is tied to those ports?
>
> Can anyone point me in a direction to figure out what happened? 
> Random hardware glitch or something else?
>
> Thanks,
>
> Jason
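
Added example (not part of either message): the `netstat -anp` plus /etc/services lookup suggested in the reply, as a shell function that labels each listening socket with its owning process and registered service name. The netstat lines, the services excerpt and the program names are constructed sample data, and `label_listeners` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example: label listening sockets from `netstat -anp` with their owning
# process and /etc/services name. On a live host, run as root:
#   netstat -anp | label_listeners /etc/services
# (without root, netstat prints "-" as the owner of other users' sockets).

# label_listeners SERVICES_FILE   (hypothetical helper; netstat text on stdin)
# Output columns: proto port owner service ("unlisted" if not in the file)
label_listeners() {
  awk '
    # First input: services database, "name port/proto [aliases] [# comment]"
    NR == FNR {
      sub(/#.*/, "")
      if (NF >= 2 && !($2 in svc)) svc[$2] = $1
      next
    }
    # Second input: TCP sockets in LISTEN state and unconnected UDP sockets
    ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
      n = split($4, a, ":"); port = a[n]   # last ":" field also handles IPv6
      proto = substr($1, 1, 3)             # tcp6 -> tcp, udp6 -> udp
      key = port "/" proto
      # $NF is "PID/program"; a program name containing spaces is truncated
      print proto, port, $NF, ((key in svc) ? svc[key] : "unlisted")
    }
  ' "$1" -
}

# Constructed sample data (not taken from the server in the thread).
SAMPLE_SERVICES='smtp 25/tcp mail
pop3 110/tcp pop-3 # POP version 3
imap2 143/tcp imap'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 410/maild
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 1234/exampled
tcp 0 0 192.0.2.10:110 198.51.100.7:40112 ESTABLISHED 977/popd
udp 0 0 0.0.0.0:1111 0.0.0.0:* -'

demo() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_SERVICES" > "$f"
  printf '%s\n' "$SAMPLE_NETSTAT" | label_listeners "$f"
  rm -f "$f"
}
demo
```

Rows marked "unlisted" or owned by "-" are the ones to follow up on first: the port has no registered name, or the owning process could not be read.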


