[ale] remote investigation

John Wells jwells at secureworks.com
Tue Sep 2 08:31:18 EDT 2003


Guys,

Came back from the Labor Day holiday and my mail server/web server is acting
rather odd.

Services respond rather slowly, and sometimes not at all.  When services
stop responding, I can still hit the router, so I know it has to be the
server itself.

I'm currently logged in remotely and everything seems good, if not slow, but
I expect it to freeze soon (it has a few times in the last hour or so).
When it freezes, I can usually get a response after about 20 minutes or so.

The odd thing is, when services do "freeze" up, I can still telnet to a port
on the machine, like 25 for smtp, and get a connection.  However, the SMTP
server fails to respond and I just sit there.

I guess I'm kind of at a loss as to what sort of investigation I can do
remotely.  I suppose the best way to see what's going on is to attempt to
repeat the problem from home with a monitor connected and to see if it's
actually doing anything during these timeouts, but I'd like to come home
armed with any equipment that might be required.

Anyone had a similar experience in the past?  Does this sound like a
possible bad NIC/hard drive/etc?  My first thought was that the box may have
been compromised, but it'd be a weird attack to let someone in every few
minutes or so.  Netstat doesn't show anything unusual going on when I'm in,
at least.

Any tests I could run against NIC/hard drive/etc to check for malfunctioning
hardware?

Thanks for humoring the grasping at straws.  I'm frustrated, and clear
thought is not currently an option... ;-)

John

