At 1:10PM we turned off the static server because we were pretty sure it had been hacked, for two reasons:
1. We had received a notice from myNetWatchman with a list of attempts the machine had made to compromise other systems that had the monitoring software installed.
2. We had just finished installing a new sharepoint, and as we were preparing to reconfigure the content system to write through that point, Apache stopped responding, and we saw a flood of traffic coming out of the machine, consistent with what the email said the machine was doing.
At that point we shut it down, and I posted an outage report on Scripting News.
It appears to have been a false alarm for two reasons:
1. Lawrence had the presence of mind to read the email carefully, and noted that all the dates were before we had done the switch to the new server. So the email contained no new information. It was simply telling us that the old server had been hacked. We already knew that. ;->
2. Then we re-examined our assumption that the current static server had been hacked and decided it was worth a test to see, if we backed off the new share, if the machine would go back to its previous performance. It did.
While you can never assume that you're in the clear, and we serve at the pleasure of Murphy, it appears that the static server is working, and we're assuming it was our newbieness with Linux that caused the outage, because it's running OK without the share.
We had a Plan B, which we are now getting ready to execute. It will take a few hours, but we're really optimistic about it.
Dave
3:24:29 PM