LinuxQuestions.org
Old 06-21-2010, 01:21 AM   #1
saagar
Member
 
Registered: Jul 2008
Location: Chennai, India
Distribution: RHEL5, Ubuntu
Posts: 191

Rep: Reputation: 37
Start up script permissions automatically changed..


Hi friends,
One of our clients was complaining that their server was down and mysql and apache services were down. The server is Ubuntu 8.04. When we checked, the permissions of /etc/init.d/mysql and /etc/init.d/apache2 were changed to 644 from 755. How could this be possible?

I need your valuable suggestions on how I can monitor whether any malicious intrusions or scripts are running.

Thanks a lot.
 
Old 06-21-2010, 09:05 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
In short you'll want to read the Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html first.
Save all process, network, user data: '( ps axfwwwwe; lsof -Pwn; netstat -anpe; last; lastb; lastlog; w; who; history ) > /dev/shm/file' and copy the file off site. Copy all logs (usually from /var: see /etc/syslog.conf or equivalent and 'sudo lsof -Pwn +D/var|awk '{print $NF}'|sort -u') and all user shell history files to a different machine and run Logwatch (with the "--detail High --archives --numeric --hostlimit [hostname] --range All" switches and don't forget to set "--logdir") on the logs. Make a list of tasks from the Intruder Detection Checklist and perform them.
If the report plus output of the checklist yields leads you don't know how to handle, feel free to post shell history and log excerpts.
 
Old 06-21-2010, 10:49 AM   #3
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6-7, WIN 7-10, WIN SRV 03-12r2
Posts: 1,309

Rep: Reputation: 98
Well, start with looking at the output of ps -aux and then also check your cron jobs, and look at your logs, use a log analyzer if you need to. You could also try scanning with ClamAV, and maybe a commercial AV, maybe like Kaspersky, I don't know if they offer free scanning for Linux from their website but it may be worth a try.
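
Added example (not part of any post in this thread): one way to watch for the change described in the first post, an init script going from 755 to 644, is to record a baseline of modes and ownership and compare against it later. It assumes GNU find and stat; the function names and the baseline file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find and stat (coreutils).
# Function names and the baseline file location are hypothetical.

# Print "mode owner:group path" for each regular file directly under DIR.
snapshot_modes() {
    find "$1" -maxdepth 1 -type f -exec stat -c '%a %U:%G %n' {} + | sort -k3
}

# Compare the live files against a baseline written by snapshot_modes.
# Reports files whose mode or ownership differs, with the inode change
# time (ctime), which chmod/chown update: that timestamp is the window
# to search for in auth, cron and package-manager logs.
# Returns 0 if everything matches, 1 otherwise.
check_modes() {
    status=0
    while read -r mode owner path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path (baseline: $mode $owner)"
            status=1
            continue
        fi
        now=$(stat -c '%a %U:%G' "$path")
        if [ "$now" != "$mode $owner" ]; then
            echo "CHANGED $path: $mode $owner -> $now, ctime $(stat -c '%z' "$path")"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Usage: script snapshot [DIR] > baseline ; script check baseline
case "${1:-}" in
    snapshot) snapshot_modes "${2:-/etc/init.d}" ;;
    check)    check_modes "$2" ;;
esac
```

ctime only reflects the most recent inode change, so record it before repairing the mode with chmod, and keep the baseline file on a different machine.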
 
  


All times are GMT -5.
