[CentOS] Machine becoming irresponsive

Mon Jan 23 15:26:08 UTC 2012
Giles Coochey <giles at coochey.net>

On 2012-01-23 15:13, Dotan Cohen wrote:
> On Mon, Jan 23, 2012 at 16:23, Phil Schaffner
> <Philip.R.Schaffner at nasa.gov> wrote:
>> I'd have a look at why an apparently Internet-facing server is 5 point
>> releases, plus a lot of subsequent errata, behind the current 5.7
>> release level; and what resultant vulnerabilities might have been
>> exploited.
>>
>
> Thanks. There is a lot of very specific software on that server that
> precludes it from being updated. I believe that 5.2 still is seeing
> security updates, no?
>
> In any case, a complete reinstall with either 5.2 or a later version
> is pretty much out of the question for now, though I will try to see
> what needs to be done in that direction. In the meantime, where should
> I concentrate my efforts?
>
I think it has been intimated to you that the reason the system has 
been acting slowly is because it has already been compromised. A system 
acting in an unresponsive manner is a symptom that it has been 
compromised.

You may not want to take the system offline, but you cannot trust your 
system to tell you anything while it is online in a compromised state.

You could take a packet capture of what is going through its network 
port (using a SPAN port on the switch), and analyse that for strange 
port activity.

Otherwise, I would shut it down, make a complete copy of the hard disk 
having booted off a live or rescue CD and analyse the copy (you can 
bring the system back up while you analyse the copy, but of course you 
may put your other systems at risk by doing so).
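As an added illustration of the packet-capture step suggested above (example code, not from the thread): a small Python triage script that runs over constructed tcpdump-style lines from a SPAN-port capture and flags connection attempts that do not fit the server's known role. The server address, the expected port sets and the sample lines are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines standing in for a SPAN-port capture of the
# suspect server (192.0.2.10). Addresses and ports are made up for the example.
SAMPLE_CAPTURE = """\
15:26:01.000001 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 1, win 1024
15:26:01.000002 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 1024
15:26:02.000003 IP 192.0.2.10.45678 > 203.0.113.9.6667: Flags [S], seq 10, win 1024
15:26:03.000004 IP 192.0.2.10.45679 > 203.0.113.9.6667: Flags [S], seq 11, win 1024
15:26:04.000005 IP 192.0.2.10.45680 > 203.0.113.20.9001: Flags [S], seq 12, win 1024
15:26:04.000006 IP 192.0.2.10.45681 > 192.0.2.53.53: Flags [S], seq 13, win 1024
15:26:05.000007 IP 198.51.100.8.40000 > 192.0.2.10.22: Flags [S], seq 14, win 1024
15:26:06.000008 IP 198.51.100.8.40001 > 192.0.2.10.12345: Flags [S], seq 15, win 1024
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_syns(capture):
    """Yield (src, sport, dst, dport) for every new connection attempt (bare SYN).
    SYN-ACKs ('S.') are replies to someone else's SYN, so they are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S":
            yield m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))

def strange_port_activity(capture, server_ip, expected_listeners, expected_outbound):
    """Summarise connection attempts that do not fit the server's known role.

    outbound: connections the server itself opened to ports it has no reason to
              reach (a web server calling out to an IRC port is a classic bot sign).
    inbound:  SYNs aimed at ports the server is not supposed to be listening on
              (a service nobody knew about, or a probe for one).
    """
    outbound, inbound = Counter(), Counter()
    for src, sport, dst, dport in parse_syns(capture):
        if src == server_ip and dport not in expected_outbound:
            outbound[(dst, dport)] += 1
        elif dst == server_ip and dport not in expected_listeners:
            inbound[dport] += 1
    return {"outbound": dict(outbound), "inbound": dict(inbound)}

if __name__ == "__main__":
    report = strange_port_activity(SAMPLE_CAPTURE, "192.0.2.10",
                                   expected_listeners={22, 80, 443},
                                   expected_outbound={53, 123})
    for (dst, port), n in sorted(report["outbound"].items()):
        print(f"server -> {dst}:{port}  {n} attempt(s)")
    for port, n in sorted(report["inbound"].items()):
        print(f"unexpected inbound to port {port}: {n} attempt(s)")
```

On a real capture, feed it `tcpdump -n -r capture.pcap 'tcp[tcpflags] & tcp-syn != 0'` output and populate the expected port sets from what the server is documented to do; anything left in the report is what to explain or treat as evidence.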