LinuxQuestions.org


saagar 06-21-2010 12:21 AM

Start up script permissions automatically changed..
 
Hi friends,
One of our clients was complaining that their server was down and mysql and apache services were down. The server is Ubuntu 8.04. When we checked, the permissions of /etc/init.d/mysql and /etc/init.d/apache2 were changed to 644 from 755. How could this be possible?

I need your valuable suggestions on how I can monitor whether any malicious intrusions or scripts are running.

Thanks a lot.

unSpawn 06-21-2010 08:05 AM

In short you'll want to read the Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html first.
Save all process, network, user data: '( ps axfwwwwe; lsof -Pwn; netstat -anpe; last; lastb; lastlog; w; who; history ) > /dev/shm/file' and copy the file off site. Copy all logs (usually from /var: see /etc/syslog.conf or equivalent and 'sudo lsof -Pwn +D/var|awk '{print $NF}'|sort -u') and all user shell history files to a different machine and run Logwatch (with the "--detail High --archives --numeric --hostlimit [hostname] --range All" switches and don't forget to set "--logdir") on the logs. Make a list of tasks from the Intruder Detection Checklist and perform them.
If the report plus output of the checklist yields leads you don't know how to handle, feel free to post shell history and log excerpts.

scheidel21 06-21-2010 09:49 AM

Well, start with looking at the output of ps -aux and then also check your cron jobs, and look at your logs, use a log analyzer if you need to. You could also try scanning with ClamAV, and maybe a commercial AV, maybe like Kaspersky, I don't know if they offer free scanning for Linux from their website but it may be worth a try.
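
The following is an added example, not written by any poster in this thread: shell functions that record a baseline of mode, owner and checksum for the scripts in a directory such as /etc/init.d and report later changes, like the 755 to 644 change described in the first post. The function names (snapshot, compare, not_executable) are hypothetical, and GNU stat, find and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): baseline and re-check the mode, owner
# and content of init scripts so that a 755 -> 644 change is reported.
# Assumes GNU coreutils/findutils and no tabs or newlines in file names.
# Typical use (paths are examples only):
#   snapshot /etc/init.d > initd.baseline      # take once, on a known-good system
#   compare initd.baseline /etc/init.d         # re-run later, e.g. from cron

# snapshot DIR: one tab-separated line per file: mode, owner:group, sha256, path
snapshot() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$(stat -c %a "$f")" "$(stat -c %U:%G "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

# compare BASELINE DIR: print one finding per line; return 1 if anything differs
compare() {
    cur=$(mktemp) || return 2
    snapshot "$2" > "$cur"
    findings=$(awk -F'\t' -v base="$1" '
        FILENAME == base { mode[$4] = $1; own[$4] = $2; sum[$4] = $3; next }
        { seen[$4] = 1 }
        !($4 in mode)  { print "NEW " $4; next }
        mode[$4] != $1 { print "MODE " $4 " " mode[$4] " -> " $1 }
        own[$4]  != $2 { print "OWNER " $4 " " own[$4] " -> " $2 }
        sum[$4]  != $3 { print "CONTENT " $4 }
        END { for (p in mode) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$cur" | sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# not_executable DIR: files without the owner execute bit (the symptom in the thread)
not_executable() {
    find "$1" -maxdepth 1 -type f ! -perm -100 | sort
}
```

Keep the baseline file on a different machine than the one being checked, so that whoever changed the scripts cannot also rewrite the baseline.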


All times are GMT -5.