[nzlug] compromised server?

Michael J. Knox michael at knox.net.nz
Thu May 10 14:25:57 NZST 2007


> Hiho,
>
> sorry to come up with another noob question.
>
> I have an old toshiba protege from the late nineties that has been happily
> running ubuntu 6.4 for quite some time now. Uptime has been perfect and I
> never had any probs with it.
>
> The LAMP setup is Wordpress 2.02 with Mysql/PHP and the Toshiba's puny
> processor has so far been happily performing all its duties with adequate
> speed. This week I noted a sudden performance decrease with some weird
> network problems and I wonder whether the thing has been compromised.
> Wordpress is not the safest tool in the world, and the version that I am
> running is not particularly new, and who knows, maybe my password was too
> easy to crack.
>
> Anyway, if the computer has been hacked, any idea where I should
> start looking?
>
> Thanks for not being too pissed off at pointing out the bleeding obvious.
>
> Dirk

Log files, /var/log/, and the shell history of the users you have on the install
are probably good places to start. Does sudo under Ubuntu log to its own
file? I am not sure; Debian Sarge doesn't by default. I use logwatch to
tell me some of the above.

Apache logs, /var/log/apache2/, would probably provide useful insight.

Best rule of thumb is to keep those public-facing services and apps updated
:-)

Michael
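Added example, not from the thread: a small Python triage script that parses Apache combined-format lines like those in /var/log/apache2/access.log and flags addresses that POST to wp-login.php in bursts, the pattern a password-guessing attempt against WordPress leaves behind. The sample lines, the addresses, the threshold and the window length are constructed assumptions.

```python
# Parse Apache "combined" access-log lines (the format Ubuntu's
# /var/log/apache2/access.log uses) and flag bursts of wp-login.php POSTs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = datetime.strptime(rec["ts"], TS_FMT), int(rec["status"])
    return rec

def login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total login POSTs} for IPs with >= threshold POSTs inside any window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)  # malformed or truncated lines are skipped
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample (not real traffic): one normal editor login, a burst of
# guesses from a single address, and a truncated line that must be skipped.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2007:13:58:09 +1200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2007:14:01:00 +1200] "POST /wp-login.php HTTP/1.1" 200 1535 "-" "curl/7.15"
198.51.100.7 - - [10/May/2007:14:01:01 +1200] "POST /wp-login.php HTTP/1.1" 200 1535 "-" "curl/7.15"
198.51.100.7 - - [10/May/2007:14:01:02 +1200] "POST /wp-login.php HTTP/1.1" 200 1535 "-" "curl/7.15"
198.51.100.7 - - [10/May/2007:14:01:03 +1200] "POST /wp-login.php HTTP/1.1" 200 1535 "-" "curl/7.15"
198.51.100.7 - - [10/May/2007:14:01:04 +1200] "POST /wp-login.php HTTP/1.1" 200 1535 "-" "curl/7.15"
198.51.100.7 - - [10/May/2007:14:01:05 +1200] "POST /wp-login.php
"""
```

Run `login_bursts(open("/var/log/apache2/access.log").read().splitlines())` on the real file; any address it returns is the one to look for next in auth.log and the shell histories Michael mentions.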