On Mon, Jan 23, 2012 at 9:13 AM, Dotan Cohen dotancohen@gmail.com wrote:
On Mon, Jan 23, 2012 at 16:23, Phil Schaffner Philip.R.Schaffner@nasa.gov wrote:
I'd have a look at why an apparently Internet-facing server is 5 point releases, plus a lot of subsequent errata, behind the current 5.7 release level; and what resultant vulnerabilities might have been exploited.
Thanks. There is a lot of very specific software on that server that precludes it from being updated. I believe that 5.2 still is seeing security updates, no?
No, if you were doing updates, you would be at 5.7 now. If you aren't doing updates there are well known exploits against anything earlier than 5.4 or so.
In any case, a complete reinstall with either 5.2 or a later version is pretty much out of the question for now, though I will try to see what needs to be done in that direction. In the meantime, where should I concentrate my efforts?
First you have to make sure that the tools you are going to use for diagnosis haven't been compromised. An rpm -Va is a first cut at finding files that are changed from the copies distributed. Also, if you have a known-good backup or offline system, run md5sum on netstat, top, ps, lsof, ssh and sshd and compare to the versions on this system. If it is just a software bug, it may be a program not closing files or leaking memory. Netstat or lsof should show open files and connections - if they keep going up, look for the process causing it. Top will show what is using memory. Ps will show the running processes - look for anything you don't expect to be running. If you have mysql running, try 'mysqladmin status' and see if you have many 'slow queries'.
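The two checks described in that last reply, verifying the diagnostic binaries against a known-good copy before trusting them and watching which process is accumulating connections, can be scripted. The script below is an added example, not something posted in the thread; the tool paths are assumed from a typical CentOS 5 layout, the "good" root is wherever the known-good backup or offline system is mounted, and the netstat output it parses is a constructed sample in the format of `netstat -tnp`, not captured from the server under discussion.

```sh
#!/bin/sh
# Added example (not from the thread). Part 1: integrity check of the tools the
# reply names, against md5sums taken from a known-good backup. Part 2: count
# ESTABLISHED connections per process from netstat -tnp style output, so a
# process whose count keeps climbing stands out.

# Paths assumed for a CentOS 5 box; adjust to match the real install.
TOOLS="/bin/netstat /usr/bin/top /bin/ps /usr/sbin/lsof /usr/bin/ssh /usr/sbin/sshd"

# make_manifest ROOT OUT: hash each tool found under ROOT (the known-good
# backup mounted at ROOT) into OUT, one "md5  /path" line per tool.
make_manifest() {
    root=$1; out=$2
    : > "$out"
    for t in $TOOLS; do
        if [ -f "$root$t" ]; then
            sum=$(md5sum "$root$t" | cut -d' ' -f1)
            printf '%s  %s\n' "$sum" "$t" >> "$out"
        fi
    done
}

# check_manifest MANIFEST ROOT: rehash each listed tool under ROOT (use "" for
# the live system) and report anything missing or changed. Exit status 0 when
# everything matches, 1 otherwise. Only trust ps/netstat/top/lsof after this
# comes back clean.
check_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(md5sum "$root$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path (expected $expected, got $actual)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# conn_count_by_pid: read netstat -tnp output on stdin, print
# "<count> <pid/program>" for ESTABLISHED connections, busiest first.
# Run it a few minutes apart; a process whose count only ever grows is the
# one to look at (leaked sockets, or something it should not be doing).
conn_count_by_pid() {
    awk '$6 == "ESTABLISHED" { c[$7]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample of netstat -tnp output (not real data from the server).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address       Foreign Address      State       PID/Program name
tcp        0      0 10.0.0.5:80         198.51.100.7:51234   ESTABLISHED 2345/httpd
tcp        0      0 10.0.0.5:80         198.51.100.9:51235   ESTABLISHED 2345/httpd
tcp        0      0 10.0.0.5:22         203.0.113.4:40001    ESTABLISHED 1122/sshd
EOF
}

# demo_conn_counts: run the counter over the constructed sample.
demo_conn_counts() {
    sample_netstat | conn_count_by_pid
}

# Typical use on the suspect box, with the backup mounted at /mnt/good:
#   make_manifest /mnt/good /tmp/tools.md5
#   check_manifest /tmp/tools.md5 ""        # "" = the live root
#   netstat -tnp 2>/dev/null | conn_count_by_pid
```

`rpm -Va` remains the broader first cut the reply suggests; this manifest check only covers the handful of binaries you are about to rely on for diagnosis, and it is only meaningful if `md5sum` itself and the backup are trustworthy, which is why the comparison source should be an offline copy rather than files on the same system.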