Subject: Re: where does time come from?
To: None <netbsd-help@netbsd.org>
From: Keith Mastin <kmastin@beechtree.ca>
List: netbsd-help
Date: 09/25/2002 11:12:04

>Hi all,
>
>AFAICT, my ancient 1.4.2 i386 firewall-cum-mailhub went south at 6:04 AM
>today. That's the last mail I received, the last message from named, the
>end of /var/log/messages. I don't find evidence anywhere that anyone else
>logged in. When I looked at the console, it was in the kernel debugger.
>OK, I don't know, 100 days uptime or something, I'm not complaining.
>
>I didn't realize anything was wrong until 13 hours later, at ~19:00.
>
>What puzzles me is that on restarting, the system still thought it was
>6:04 (or so). I killed ntpd, ran date(1) to approximate the time,
>ntpdate(8) to fix it, and restarted ntpd.
>
>Is the TOD clock initialized from time information on the root filesystem,
>or is it possible my system was compromised and tampered with?

ntp is obviously not working, *_and_* the CMOS clock is off? I'm not
familiar with any compromise that would do this, but it does sound
suspicious, especially since this is the machine that faces onto the
Internet, running a firewall, mail and bind. I would do a data backup and
then format/re-install just to satisfy my own sense of paranoia.

If it was a compromise, my guess is that the perp needed you to reboot to
activate a "new" kernel with some additional "bonuses". Considering the
age of the machine and the distro you're running, my guess is that you're
using older versions of bind and possibly sendmail? Both are susceptible
to buffer overruns in older versions, which would provide an entry point.

Good luck with it.
--
Keith Mastin BeechTree Information Technology Services Inc.
137 Laird Drive Toronto M4G 3V5 http://www.beechtree.ca
(416)696-6070 Fax(416)696-6072 kmastin@beechtree.ca
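The original poster's two observations (the clock still read 06:04 after a reboot thirteen hours later, and ntpd alone did not correct it) can both be checked mechanically before deciding whether the box is merely broken or possibly compromised. A clock that is behind the newest write on the filesystem has stopped or gone backwards, since no legitimate file can be newer than "now"; and ntpd, unless started with -g, will not step an offset larger than its 1000-second panic threshold and exits instead, which is why a 13-hour error needs ntpdate(8) or ntpd -g first, as the poster did. The script below is an added example for such post-crash triage; it is not code from the thread or from NetBSD, and its scan of the filesystem tree is a user-space approximation, not the kernel's own boot-time clock check. The log line, the 13-hour offset and the temporary directory it scans are constructed for the demo.

```python
"""Post-crash clock sanity check (illustrative, not from the thread).

Assumption: the newest mtime on the filesystem is a usable lower bound
for the real time, because the machine was writing logs up to the crash.
"""
import os
import time
import tempfile

# Slack absorbs timestamp granularity and ordinary drift; beyond it,
# files "from the future" mean the clock stopped or went backwards.
SLACK_SECONDS = 120

# ntpd (without -g) refuses to correct an offset above its panic
# threshold of 1000 s and exits; larger errors need ntpdate or ntpd -g.
NTPD_PANIC_SECONDS = 1000


def newest_mtime(root):
    """Return the largest st_mtime found under root (files and directories)."""
    newest = 0.0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:  # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # vanished or unreadable: skip rather than abort
            if mtime > newest:
                newest = mtime
    return newest


def assess_clock(now, newest, ntp_offset=None):
    """Classify the clock state.

    now        -- current system time, seconds since the epoch
    newest     -- newest mtime on the filesystem being checked
    ntp_offset -- measured offset (reference minus local) in seconds, or None

    Returns a list of findings; an empty list means nothing looks wrong.
    """
    findings = []
    if now + SLACK_SECONDS < newest:
        lost = newest - now
        findings.append(
            "clock-behind-filesystem: files are %.0f s newer than now" % lost)
    if ntp_offset is not None and abs(ntp_offset) > NTPD_PANIC_SECONDS:
        findings.append(
            "offset-exceeds-ntpd-panic: %.0f s; ntpd will not step this, "
            "use ntpdate or ntpd -g" % ntp_offset)
    return findings


def check_tree(root, now=None, ntp_offset=None):
    """Scan a tree and assess it against the (possibly wrong) clock."""
    if now is None:
        now = time.time()
    return assess_clock(now, newest_mtime(root), ntp_offset)


def demo():
    """Constructed scenario: the clock claims a time 13 hours before the last log write."""
    with tempfile.TemporaryDirectory() as d:
        logfile = os.path.join(d, "messages")
        with open(logfile, "w") as f:
            f.write("Sep 25 06:04:00 fw named[123]: constructed sample line\n")
        real_now = time.time()
        os.utime(logfile, (real_now, real_now))
        stale_clock = real_now - 13 * 3600  # what a stopped RTC would report
        return check_tree(d, now=stale_clock, ntp_offset=13 * 3600)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real box, run check_tree("/") right after booting with ntpd still stopped, and feed ntp_offset from a one-shot query such as ntpdate -q against a trusted server; two findings together (files newer than the clock, offset past the panic threshold) match the symptoms described above, while a clean result with a stopped-looking clock is the point at which the hardware clock, and the reinstall advice in the reply, deserve attention.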