LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
11-08-2013, 03:40 AM   #1
yashar
LQ Newbie
Registered: Nov 2013
Posts: 3
Rep: Reputation: Disabled
suspicious reboot


hi,

One of my servers rebooted. There is only SSH and Tomcat listening to the outside world. SSH is secured, but I don't know how someone could intrude into the server via Tomcat, change something and reboot.
I checked log files; there is not a single line of log in the messages log for days, which is scary.
I checked the Tripwire report; unfortunately Tripwire didn't include the web page directory, but the other system files are clean.

What should I check? This is an accounting server and needs more attention.

Looking for your guidance.
 
11-09-2013, 02:26 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Rep: Reputation: 3600
I would first ensure that measures are in place (after all, this is an "accounting server") that provide an audit trail: running the audit service with a relevant rule set, ensuring user login and connection logging is in place, enabling remote kernel dumps, setting up hardware and service monitoring, and complementing it with remote logging. Then I'd look at possible hardware problems, because until you have checked all files and user login records on the server and correlated log entries with file modification times, user login records and (if possible) any logging that proxies, routers or adjacent machines provide, there's no clue this could be a security compromise.
 
11-10-2013, 06:24 AM   #3
yashar
LQ Newbie
Registered: Nov 2013
Posts: 3
Original Poster
Rep: Reputation: Disabled
Thank you. I checked with the company that hosts the server; they said it was a maintenance issue and didn't explain further, but I don't know how they could reboot the system without a password.
 
11-10-2013, 07:27 AM   #4
JJJCR
Senior Member
Registered: Apr 2010
Posts: 2,149
Rep: Reputation: 449
Quote:
Originally Posted by yashar
hi,

One of my servers rebooted. There is only SSH and Tomcat listening to the outside world. SSH is secured, but I don't know how someone could intrude into the server via Tomcat, change something and reboot.
I checked log files; there is not a single line of log in the messages log for days, which is scary.
I checked the Tripwire report; unfortunately Tripwire didn't include the web page directory, but the other system files are clean.

What should I check? This is an accounting server and needs more attention.

Looking for your guidance.
Check out logs that might give you a hint.

Or type: dmesg | tail -f

Check whether it gives you something.
 
11-10-2013, 08:54 AM   #5
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Rep: Reputation: 3600
Quote:
Originally Posted by JJJCR
Check out logs that might give you a hint.
The OP already said "I checked log files; there is not a single line of log in the messages log", so what log file(s) specifically?

Quote:
Originally Posted by JJJCR
Or type: dmesg | tail -f
The kernel ring buffer gets cleared on boot.
 
11-10-2013, 08:58 AM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Rep: Reputation: 3600
Quote:
Originally Posted by yashar
Thank you. I checked with the company that hosts the server; they said it was a maintenance issue
If they didn't contact you beforehand or report it afterwards themselves, then it indeed is a maintenance issue ;-p

Quote:
Originally Posted by yashar
I don't know how they could reboot the system without a password.
Is it a virtual or physical machine?
 
11-10-2013, 12:35 PM   #7
yashar
LQ Newbie
Registered: Nov 2013
Posts: 3
Original Poster
Rep: Reputation: Disabled
I checked the dmesg, security and mail log files; no need to check SSH and fail2ban as they are secure. This is a VM.

Quote:
If they didn't contact you beforehand or report it afterwards themselves, then it indeed is a maintenance issue ;-p
Actually the server is providing a service to their own company.

Thanks for following.
 
11-10-2013, 03:26 PM   #8
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Rep: Reputation: 3600
Quote:
Originally Posted by yashar
This is a VM.
That's it then. They just access some dom0 maintenance interface and force a reboot.
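As an added worked example (not from any post in this thread): a script that does the two checks unSpawn describes in #2 and #8, telling an orderly shutdown from a reset using the wtmp records that `last -x -F` prints, and listing files whose modification time falls outside every recorded login session. wtmp survives a reboot, unlike the kernel ring buffer. The parsing assumes util-linux `last -x -F` output in an English locale; the listing, the file paths and their mtimes below are constructed for the example. On a real box you would feed it the actual `last -x -F` output and mtimes from `find <dir> -newermt <date> -printf '%p %TY-%Tm-%Td %TT\n'`.

```python
# Added example, not from the thread: correlate `last -x -F` (wtmp) records
# with file mtimes. Assumes util-linux output, English locale; data is made up.
import re
from datetime import datetime, timedelta

_TS = r"\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}"   # "Thu Nov  7 18:00:12 2013"
_TS_FMT = "%a %b %d %H:%M:%S %Y"
_REBOOT = re.compile(rf"^reboot\s+system boot\s+\S+\s+({_TS})")
_SHUTDOWN = re.compile(rf"^shutdown\s+system down\s+\S+\s+({_TS}) - ({_TS})")
_SESSION = re.compile(rf"^(\S+)\s+(\S+)\s+(\S*)\s*({_TS}) - "
                      rf"(?:({_TS})|(still logged in|down|crash|gone - no logout))")

# Constructed listing (newest first): the Nov 8 boot has no shutdown record in
# front of it and the open session ends in 'crash'; the Oct 14 boot is orderly.
SAMPLE_LAST_X = """\
reboot   system boot  2.6.32-358.el6.x Fri Nov  8 02:14:03 2013   still running
yashar   pts/0        10.0.0.5         Thu Nov  7 18:00:12 2013 - crash                     (08:13)
reboot   system boot  2.6.32-358.el6.x Mon Oct 14 09:00:10 2013 - Fri Nov  8 02:14:03 2013  (24+17:13)
shutdown system down  2.6.32-358.el6.x Mon Oct 14 08:58:40 2013 - Mon Oct 14 09:00:10 2013  (00:01)
yashar   pts/0        10.0.0.5         Mon Oct 14 08:50:01 2013 - down                      (00:08)

wtmp begins Tue Oct  1 00:00:00 2013
"""
# Constructed mtimes (hypothetical paths), as `find DIR -newermt DATE -printf
# '%p %TY-%Tm-%Td %TT\n'` would report them.
SAMPLE_MTIMES = {
    "/var/lib/tomcat6/webapps/ROOT/WEB-INF/web.xml": datetime(2013, 10, 14, 8, 55, 0),
    "/var/lib/tomcat6/webapps/ROOT/index.jsp": datetime(2013, 11, 7, 23, 41, 10),
    "/etc/cron.d/nightly-export": datetime(2013, 11, 5, 3, 12, 0),
}

def _ts(text):
    return datetime.strptime(text, _TS_FMT)

def classify_reboots(last_x_output):
    """[(boot_time, 'clean'|'unclean')]. `last` lists newest first, so the line
    after a reboot record is the event that preceded the boot: a 'shutdown'
    record there means an orderly halt (operator, or the hypervisor's ACPI
    power button); anything else means a reset or power loss with no shutdown,
    which is what a forced reboot from a dom0/hypervisor console looks like."""
    lines = [l for l in last_x_output.splitlines()
             if l.strip() and not l.startswith("wtmp begins")]
    result = []
    for i, line in enumerate(lines):
        m = _REBOOT.match(line)
        if not m:
            continue
        # SysV writes 'runlevel' records between shutdown and reboot; skip them
        prev = next((l for l in lines[i + 1:] if not l.startswith("runlevel")), "")
        result.append((_ts(m.group(1)), "clean" if _SHUTDOWN.match(prev) else "unclean"))
    return result

def parse_sessions(last_x_output):
    """[(user, tty, host, start, end)]. A session ending in 'down', 'crash' or
    'gone - no logout' is closed at the following boot, i.e. the nearest reboot
    record above it in the listing."""
    sessions, next_boot = [], datetime.max
    for line in last_x_output.splitlines():
        m = _REBOOT.match(line)
        if m:
            next_boot = _ts(m.group(1))
            continue
        m = _SESSION.match(line)
        if not m or line.startswith(("shutdown", "runlevel", "wtmp begins")):
            continue
        user, tty, host, start, end, marker = m.groups()
        end_time = _ts(end) if end else datetime.max if marker == "still logged in" else next_boot
        sessions.append((user, tty, host, _ts(start), end_time))
    return sessions

def unattended_changes(mtimes, sessions, slack=timedelta(minutes=5)):
    """[(path, mtime)] for files modified while no session was open (`slack`
    absorbs clock/logout jitter). Whatever comes back was written by a service
    (Tomcat, cron) or by someone who left no wtmp record: start there."""
    flagged = []
    for path, when in sorted(mtimes.items(), key=lambda kv: kv[1]):
        covered = any(start - slack <= when and (end == datetime.max or when <= end + slack)
                      for _, _, _, start, end in sessions)
        if not covered:
            flagged.append((path, when))
    return flagged

if __name__ == "__main__":
    for when, state in classify_reboots(SAMPLE_LAST_X):
        print(f"boot {when}: {state}")
    for path, when in unattended_changes(SAMPLE_MTIMES, parse_sessions(SAMPLE_LAST_X)):
        print(f"{when}  {path}  (nobody logged in)")
```

On the sample data the Nov 8 boot comes out "unclean" and `/etc/cron.d/nightly-export` is the one file touched while nobody was logged in. An unclean boot with no shutdown record is consistent with the hypervisor-side forced reboot unSpawn describes, and equally with a power loss or kernel panic; a clean record is not by itself evidence that a logged-in user issued it, since an ACPI power-off from the hypervisor also runs a normal shutdown. The flagged files are the ones to compare against the Tripwire baseline and Tomcat's own logs.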
 
11-10-2013, 03:38 PM   #9
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Rep: Reputation: 3600
Moved: Since this isn't a security issue, this thread is more suitable in the Linux - Newbie forum and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  

