Thread: server 12.04 goes to sleep/hibernates and I don't know why

  1. #11

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    Hello,

    I think the interesting lines from dpkg.log are the following:

    2013-01-05 14:17:21 upgrade grub-pc 1.99-21ubuntu3.4 1.99-21ubuntu3.7
    2013-01-05 14:17:22 upgrade grub-pc-bin 1.99-21ubuntu3.4 1.99-21ubuntu3.7
    2013-01-05 14:17:23 upgrade grub2-common 1.99-21ubuntu3.4 1.99-21ubuntu3.7
    2013-01-05 14:17:24 upgrade grub-common 1.99-21ubuntu3.4 1.99-21ubuntu3.7
    2013-01-05 14:18:03 upgrade mountall 2.36 2.36.3
    2013-01-05 14:18:14 upgrade unattended-upgrades 0.76 0.76ubuntu1
    I remember installing a package with "security upgrades" in its description, but I'm not sure whether it's among the ones above, or which one it could be.

    Also, I'm very glad the situation seems to be solved, but I'd very much like to find out at least where someone got in from (how, why, and who would all be welcome). The problem is that I really do not know where to look. Reading log messages didn't give me much insight (although I admit I have an S.O. exam soon)... a hint on where to start looking would be much appreciated : )

  2. #12

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    The packages you mentioned are not exactly web services.

    Unless you were infected by a rootkit in your MBR/GRUB, then you have simply deleted the rootkit but are still infected.

    I'm not even sure if the Grub installation/upgrade procedure rebuilds the MBR of your disk/partition.

    It's highly likely those packages did not solve your problem.
    linux-git/fs/super.c: "Self-destruct in 5 seconds. Have a nice day...\n",

  3. #13

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    OK, thanks for the warning. When I have time I might do a clean reinstall after backing up all my data.
    But I would really, really like to understand how this happened... is it that difficult to analyze these situations? Thanks!

  4. #14

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    I'm not familiar with computer forensics. What I would do:

    - disable each service one by one and see which one is vulnerable
    - on the perceived vulnerable service, narrow down the source IP
    - attach tcpdump for that IP
    - see what he/she/it is doing

    Long shot, but it should not take *much* effort. Furthermore, you could check all your logs and such. Look for unfamiliar kernel messages, segfaults and users logging on and off.

    Maybe set up an external box for logging over UDP. In case the server crashes, you have everything up until it shuts down. Maybe you can see a pattern in there.
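An added example (not from the thread) of the "users logging on and off" check suggested above: it reads auth.log lines in the syslog format Ubuntu 12.04's sshd writes, counts failed attempts per source address and flags any successful login from an address that also produced failures. The sample lines, hostname and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines in sshd's syslog format
# (hostname and addresses are placeholders, not the thread's).
SAMPLE_AUTH_LOG = """\
Jan 8 11:31:53 host sshd[11926]: Invalid user r00t from 198.51.100.7
Jan 8 11:31:55 host sshd[11926]: Failed password for invalid user r00t from 198.51.100.7 port 3648 ssh2
Jan 8 11:32:01 host sshd[11930]: Failed password for invalid user admin from 198.51.100.7 port 3652 ssh2
Jan 8 11:40:12 host sshd[11950]: Failed password for root from 203.0.113.9 port 41002 ssh2
Jan 8 11:41:03 host sshd[11951]: Accepted password for root from 203.0.113.9 port 41008 ssh2
Jan 8 12:05:44 host sshd[12010]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def summarize(log_text):
    """Return (failed attempts per source IP, list of successful logins)."""
    failed = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    return failed, accepted


def suspicious_logins(log_text):
    """Successful logins from an address that also produced failures.
    A brute-force run that ends in an 'Accepted' line is what a compromise
    looks like; failures alone are background noise."""
    failed, accepted = summarize(log_text)
    return [entry for entry in accepted if failed[entry[0]] > 0]


if __name__ == "__main__":
    failed, accepted = summarize(SAMPLE_AUTH_LOG)
    for ip, n in failed.most_common():
        print("%-16s %d failed attempts" % (ip, n))
    for ip, user, method in suspicious_logins(SAMPLE_AUTH_LOG):
        print("CHECK: %s logged in as %s by %s after failures" % (ip, user, method))
```

Run it against the real file with `summarize(open("/var/log/auth.log").read())`; the "Invalid user" lines are deliberately ignored because the matching "Failed password" line already counts that attempt.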

  5. #15

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    Thanks for your suggestion.
    I tried cross-checking system logs and tcpdump (via Snort/ACID BASE).

    Picking one particular IP, this is what I found in auth.log (repeatedly during the day, apparently with no success):

    Jan 8 11:31:53 okovita.fastwebnet.it sshd[11926]: Invalid user r00t from 220.172.107.211
    Jan 8 11:31:53 okovita.fastwebnet.it sshd[11926]: input_userauth_request: invalid user r00t [preauth]
    Jan 8 11:31:53 okovita.fastwebnet.it sshd[11926]: pam_unix(sshd:auth): check pass; user unknown
    Jan 8 11:31:53 okovita.fastwebnet.it sshd[11926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.172.107.211
    Jan 8 11:31:55 okovita.fastwebnet.it sshd[11926]: Failed password for invalid user r00t from 220.172.107.211 port 3648 ssh2
    Jan 8 11:31:55 okovita.fastwebnet.it sshd[11926]: Received disconnect from 220.172.107.211: 11: Bye Bye [preauth]
    The same IP, in Snort, has hundreds of log alerts saying:

    COMMUNITY SIP TCP/IP message flooding directed to SIP proxy - attempted dos-attack
    but I'm not really sure how to interpret it. Searching for it didn't give me much insight.

    Also, using Snort I am able to see what the "attackers" sent. Packet data is hexadecimal: should I try to put all these packets together to recreate the instructions they're sending and eventually understand them?

    The instructions (omitting NOP) are something like:
    ts 0002533303FB4F03
    sack EE068060EE068608
    ts 0003F42403FF610E
    ts 0003F42403FF610E
    ts 0004107303FFA80E
    ts 0004107303FFA80E
    ts 000421C703FFD27A
    ts 000421C703FFD27A
    ts 00043755040008F3
    sack EF699C15EF69A765
    ts 00043755040008F3
    sack EF699C15EF69A765
    Last edited by sowdust; January 9th, 2013 at 12:15 AM.
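An added example, not from the thread: the `ts` and `sack` lines Snort/BASE prints are TCP header options rendered in hex, not application data. `ts` is the Timestamps option (TSval and TSecr, two big-endian 32-bit words) and `sack` is a Selective Acknowledgement block (left and right edge sequence numbers). The decoder below reads a few of the listing's own lines; the function and variable names are this example's, not Snort's.

```python
import struct

# A few lines from the thread's own listing, in the hex form Snort/BASE shows them.
OPTION_LISTING = """\
ts 0002533303FB4F03
sack EE068060EE068608
ts 0003F42403FF610E
ts 0004107303FFA80E
sack EF699C15EF69A765
"""


def decode_option(kind, hexdata):
    """Decode one rendered TCP option.

    ts   -> RFC 7323 Timestamps: TSval, TSecr (two big-endian 32-bit words)
    sack -> RFC 2018 SACK: one or more (left edge, right edge) sequence-number blocks
    """
    raw = bytes.fromhex(hexdata)
    if kind == "ts":
        if len(raw) != 8:
            raise ValueError("timestamp option carries exactly 8 bytes of data")
        tsval, tsecr = struct.unpack("!II", raw)
        return {"kind": "timestamp", "tsval": tsval, "tsecr": tsecr}
    if kind == "sack":
        if not raw or len(raw) % 8:
            raise ValueError("SACK option is a list of 8-byte (left, right) blocks")
        blocks = []
        for off in range(0, len(raw), 8):
            left, right = struct.unpack("!II", raw[off:off + 8])
            # sequence numbers wrap at 2**32, so mask the difference
            blocks.append({"left": left, "right": right,
                           "length": (right - left) & 0xFFFFFFFF})
        return {"kind": "sack", "blocks": blocks}
    raise ValueError("unsupported option %r" % kind)


def decode_listing(text):
    """Decode every non-empty 'kind HEX' line of a listing."""
    return [decode_option(*line.split()) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for opt in decode_listing(OPTION_LISTING):
        print(opt)
```

The two SACK blocks in the listing cover 1448 and 2896 bytes, one and two typical Ethernet MSS-sized segments, and the TSval values climb steadily, which is what an ordinary bulk transfer with some loss looks like on the wire.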

  6. #16

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    Then that probably is not the cause of your box shutting down.

    Ever considered using the 'recent' firewall module? I find it quite nifty. You can allow an access attempt every 10 minutes by filtering TCP SYN packets.

  7. #17

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    Hi Rexilon,

    I think I have understood the problem. My ISP, called Fastweb, uses the same IP for multiple clients; I found out there is the possibility of renting a public IP, which is, though, ridiculously expensive. I believe I have been kicked out by the ISP itself. What really intrigues me is how they can almost shut my server down (if this is the case).

    And again thank you for your help : )

  8. #18

    Re: server 12.04 goes to sleep/hibernates and I don't know why

    Quote Originally Posted by sowdust:
        What really intrigues me is how can they almost shut my server down (if this is the case)

    That is a crime in my country...

    Glad you somewhat worked it out.
