Web Hosting Talk

Server stopped responding, possible attacks?


dee_at_candl
08-18-2004, 12:34 PM
Hello All,

We have a server running with RHE 3, Apache, PHP, MySQL and BIND. It's our main production server.

Now the problem we faced the day before was something very weird. All of a sudden all the services on the server stopped responding; we couldn't ssh into the server, we couldn't see the sites, couldn't fetch mails and so on.

We could ping the server though, ping was going fine, but we just couldn't access the server in any way.

Now the question I would like to ask you guys is, if such a problem occurs again, how to trace it. I tried to check /var/log/messages but all I found were portsentry's messages.

If we were under attack, or if the server was hacked, how do we trace it? Are there any guidelines or links through which we can possibly know what caused our server to respond all of a sudden?


Thanks in Advance.

topgun
08-18-2004, 01:22 PM
Just out of interest, did you have to reboot or did the problem resolve itself?

dynamicnet
08-18-2004, 01:50 PM
Greetings:

Check /var/log/boot.log

Make sure your server is hardened, and the hardening is up to date. That includes making sure you are on the latest kernel.

If the freeze ups occur within a given time range, consider running a cron job every x minutes to collect data which may be helpful in diagnosis such as server load, "ps -efl" etc.

Thank you.
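
The periodic data collection suggested in the post above, written out as an added example that is not part of the original thread: a cron-driven script that saves load, memory, `ps -efl` and a tally of TCP connection states to a timestamped file, flushes it to disk so it survives a forced reboot, and prunes old snapshots. `SNAP_DIR`, `KEEP`, the function names and the script path in the crontab line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). SNAP_DIR, KEEP and the script path
# in the crontab line are hypothetical names chosen for illustration.
# crontab entry: */5 * * * * /usr/local/sbin/freeze-snap.sh --cron

# Tally TCP connections by state from `netstat -ant` output on stdin.
count_states() {
    awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) print s, c[s] }' | sort
}

# Write one timestamped snapshot into directory $1 and print its path.
collect_snapshot() {
    dir=$1
    mkdir -p "$dir" || return 1
    out="$dir/snap-$(date +%Y%m%d-%H%M%S).log"
    {
        echo "=== time ===";       date
        echo "=== load ===";       cat /proc/loadavg 2>/dev/null || uptime || true
        echo "=== memory ===";     free -m 2>/dev/null || true
        echo "=== ps -efl ===";    ps -efl 2>/dev/null || ps -ef || true
        echo "=== tcp states ==="; netstat -ant 2>/dev/null | count_states
    } > "$out" 2>&1
    sync    # flush to disk so the snapshot survives a forced reboot
    echo "$out"
}

# Keep only the $2 newest snapshots in $1 so the collector cannot fill the disk.
prune_snapshots() {
    ls -1 "$1"/snap-*.log 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" |
        while read -r old; do rm -f "$old"; done
}

case "${1:-}" in
--cron)
    SNAP_DIR=${SNAP_DIR:-/var/log/freeze-snapshots}
    collect_snapshot "$SNAP_DIR" >/dev/null
    prune_snapshots "$SNAP_DIR" "${KEEP:-288}"   # 288 x 5 min = 24 hours
    ;;
esac
```

After a freeze and reboot, the last few snapshots show whether load, process count or a single connection state (for example a pile of SYN_RECV entries) was climbing before the server stopped answering.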

dee_at_candl
08-19-2004, 04:00 AM
topgun, had to reboot.

dynamicnet, will check it.

Anything else?

Website Rob
08-19-2004, 06:29 AM
Sounds like a runaway script -- or massive DDoS attack.

Had the same thing happen to one of our Servers awhile back and even a DC tech (according to them) could not login. A reboot was the only solution. Hasn't happened again though, but I now monitor our Servers more closely than before. ;)