On 2012-01-23 15:13, Dotan Cohen wrote:
> On Mon, Jan 23, 2012 at 16:23, Phil Schaffner
> <Philip.R.Schaffner@xxxxxxxx> wrote:
>> I'd have a look at why an apparently Internet-facing server is 5 point
>> releases, plus a lot of subsequent errata, behind the current 5.7
>> release level; and what resultant vulnerabilities might have been
>> exploited.
>>
>
> Thanks. There is a lot of very specific software on that server that
> precludes it from being updated. I believe that 5.2 still is seeing
> security updates, no?
>
> In any case, a complete reinstall with either 5.2 or a later version
> is pretty much out of the question for now, though I will try to see
> what needs to be done in that direction. In the meantime, where should
> I concentrate my efforts?
>

I think it has been intimated to you that the reason the system has been acting slowly is because it has already been compromised. A system acting in an unresponsive manner is a symptom that it has been compromised.

You may not want to take the system offline, but you cannot trust your system to tell you anything while it is online in a compromised state.

You could take a packet capture of what is going through its network port (using a SPAN port on the switch), and analyse that for strange port activity.

Otherwise, I would shut it down, make a complete copy of the hard disk having booted off a live or rescue CD and analyse the copy (you can bring the system back up while you analyse the copy, but of course you may put your other systems at risk by doing so).

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos