So I had to hit the server's reset key (ugh) ... about 15 minutes later after the auto fsck, everything looks ok.
This is a publicly available server, so my main concern is that someone has r00ted me. I have been keeping up to date on security patches that Debian puts out.
I waded through logs (nothing suspicious, though there were several attempts to do one of those "/SEARCH [long uri]" in its apache access.log -- it was one of the last entries). In /var/log/messages, I get a MARK every 20 minutes ... there's a big gap between the last mark at 3:56am and when I restarted the server at 8:46. In the mail.log file, the gap starts at 4:08, so that's when I think something happened (I have a co-worker who POPs his mail every minute ;)).
I also ran a 'chkrootkit', but that didn't turn anything up.
I did a netstat -atu and there are a couple of entries there that I don't know about:
tcp 0 0 *:32768 *:* LISTEN
udp 0 0 *:821 *:*
udp 0 0 *:1111 *:*
Is there any way to see what process is tied to those ports?
Can anyone point me in a direction to figure out what happened? Random hardware glitch or something else?
Thanks,
Jason
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
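An answer to the "which process is tied to those ports" question, as an added example that is not part of Jason's post. The tool names in the comments (netstat's -p flag, lsof, fuser, rpcinfo) are the real ones; the shell function names, the sample /proc/net tables and the inode and PID numbers in them are constructed for the demonstration. Two caveats a practitioner would add: a clean chkrootkit run and a quiet netstat both rely on the binaries on the box being intact, so when you suspect a root compromise it is worth reading the kernel's own socket tables under /proc (or running statically linked tools copied from a clean machine) rather than trusting the installed netstat; and high dynamic ports like tcp/32768 together with odd UDP ports are often RPC helpers such as rpc.statd, which `rpcinfo -p` will list if they are registered with the portmapper.

```shell
#!/bin/sh
# Added example (not from the original post): find which process owns a
# listening port on Linux. Function names, the sample /proc/net tables and
# the inode/PID values in them are constructed for the demonstration.
#
# On a live box the convenient tools are (root needed to see other users'
# processes):
#   netstat -tulpn          # -p adds a PID/Program name column
#   lsof -i tcp:32768       # lsof -i udp:821 for the UDP ones
#   fuser -v -n tcp 32768   # fuser -v -n udp 1111
#   rpcinfo -p              # high dynamic ports are often RPC (e.g. rpc.statd)
#
# If the box may be rooted, netstat and lsof themselves may have been
# replaced, so the functions below read the kernel's own tables in /proc
# instead, which is what netstat -p does internally.

# /proc/net/{tcp,udp} store the local port as 4 hex digits after the IP.
hex_port_to_dec() {
    printf '%d\n' "0x$1"
}

# Read a /proc/net/tcp- or /proc/net/udp-style table on stdin and print
# "proto port inode" for every listening TCP socket (st 0A) or every bound
# UDP socket (shown with st 07). Usage: listeners tcp < /proc/net/tcp
listeners() {
    proto="$1"
    case "$proto" in
        tcp) want=0A ;;
        udp) want=07 ;;
        *) echo "usage: listeners tcp|udp < table" >&2; return 1 ;;
    esac
    # Fields: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
    tail -n +2 | while read -r _sl laddr _rem st _q _t _r _uid _to inode _rest; do
        [ "$st" = "$want" ] || continue
        port=$(hex_port_to_dec "${laddr#*:}")
        printf '%s %s %s\n' "$proto" "$port" "$inode"
    done
}

# Walk /proc/*/fd looking for the socket inode; prints "PID cmdline".
# Other users' fd directories are unreadable unless you are root, so as a
# normal user this only resolves your own daemons.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        return 0
    done
    return 1
}
# Live usage (slow on a busy box, since it scans every fd per port):
#   listeners tcp < /proc/net/tcp | while read -r p port ino; do
#       printf '%s/%s -> ' "$p" "$port"
#       pid_for_inode "$ino" || echo '(no access, or orphaned socket)'
#   done

# Constructed sample of what /proc/net/tcp would look like for the posted
# netstat: one socket listening on *:32768 (hex 8000) plus one established
# ssh session (st 01), which must not be reported as a listener.
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 300 0 0 2 -1
   1: 0100007F:0016 0100007F:C1E4 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 20 4 30 10 -1
EOF
}

# Constructed /proc/net/udp sample: *:821 (hex 0335) and *:1111 (hex 0457).
sample_udp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   5: 00000000:0335 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12350 2 00000000
  12: 00000000:0457 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12351 2 00000000
EOF
}

demo() {
    echo "listeners in the constructed tables:"
    sample_tcp_table | listeners tcp
    sample_udp_table | listeners udp
    if [ -r /proc/net/tcp ]; then
        echo "TCP listeners on this host (from /proc/net/tcp):"
        listeners tcp < /proc/net/tcp
    fi
}
demo
```

Once you have the PID, `ls -l /proc/<pid>/exe` and a package check such as `dpkg -S` on that path tell you whether the listener is a stock Debian daemon or something that was dropped onto the box; a PID whose executable has been deleted, or a listener that `netstat -p` cannot see but /proc can, is the point at which a log gap stops looking like a hardware glitch.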
