> > [...] the long sequences (overruns) on rpc statd in the logs?
> > It makes me feel very smug that I upgraded months ago :-)
:P it was an odd one. i think i|we killed portmap but stupidly didn't take it out of init.d, we have run nessus on it on occasion and been clean, then it crashed the other week.

the breakin seemed so clumsy. there was a dodgy root entry in /etc/passwd and a spate of logins there in the lastlog clear as day, and syslogd was just *stopped* about 18:30. then at some point all services were stopped - i'd be interested to know what time tuesday night anyone remembers last getting meaningful information from it - there was a mad flood of activity on our network for about an hour late at night, disrupting access. there was an ssh session left open. all the logins came from a chello.nl address. i did a quick find for interesting files and didn't see anything obvious.

i know we could|should have saved the data for postmortem, but you know how it is. we ran minimal services and had a tcp logger picking up portscans and the like, but did nothing proactive really other than the occasional scan. i think alex may want to install snort on it, and there is ipchains as well to be configured, maybe install portsentry as well.

anyway it is all right now until robin gets his hands on it and surprises me with half a dozen local sploits and a fresh entry in root's authorized_keys :)

blech++ again for sorting it all out so fast and well. you may have to ask alex for things the next few days as i will be away at http://squat.net/pnp/

have a good one tonight, shame to miss it.

z
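Two of the findings in the post above, an extra root-level entry in /etc/passwd and a daemon (portmap) that was killed by hand but left enabled in the SysV rc directories, are cheap to check for on a routine basis. The script below is an added example, not code from this thread or from the admins involved; it works on constructed sample files rather than a live system, and the account name `toor` and the rc link names are made up for the illustration.

```shell
#!/bin/sh
# Added example: checks for two indicators described in the post.
# 1. any account other than "root" with UID 0 in a passwd file
# 2. a service still enabled by an S* link in a SysV rc directory
# All file contents below are constructed for the example.

# Write a constructed /etc/passwd-style file to the path given as $1.
# The "toor" line stands in for the "dodgy root entry" from the post.
write_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000:Alex:/home/alex:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
}

# Print every account name other than "root" whose UID field is 0.
# An empty result is the expected state on a clean host.
find_extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Populate a constructed rc directory ($1) with a few start links
# (real systems use symlinks to /etc/init.d; plain files suffice here).
write_sample_rcdir() {
  mkdir -p "$1"
  : > "$1/S10sysklogd"
  : > "$1/S20portmap"
  : > "$1/S20ssh"
}

# Print the start links in rc directory $1 for service $2 (e.g. portmap).
# A non-empty result means the service comes back at the next boot even
# though it was stopped by hand, which is the oversight the post describes.
find_enabled_service() {
  ls "$1" 2>/dev/null | grep "^S[0-9][0-9]$2\$"
}

# Stand-alone run against the constructed files.
main() {
  tmp=$(mktemp -d)
  write_sample_passwd "$tmp/passwd"
  write_sample_rcdir "$tmp/rc3.d"
  echo "extra UID 0 accounts: $(find_extra_uid0 "$tmp/passwd")"
  echo "portmap start links:  $(find_enabled_service "$tmp/rc3.d" portmap)"
  rm -rf "$tmp"
}

main
```

Pointing `find_extra_uid0` at the real `/etc/passwd` and `find_enabled_service` at `/etc/rc2.d` or `/etc/rc3.d` (whichever runlevel the host boots into) turns this into a one-line cron check; the UID check complements, rather than replaces, keeping a known-good copy of the file to diff against.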