[TriLUG] Server Oddness

Nathan Conrad conrad at bungled.net
Fri Jul 2 11:24:07 EDT 2004


I saw mention of a remote DoS attack for the Linux kernel last
night. This probably did not affect you, but if you've seriously
upgraded your Woody machine, it could have affected you.

What I read says it requires a 2.6 kernel, that it is running
IPTables, and you have a rule that will be executed for a packet that
contains the --tcp-option. (Fairly unlikely, as I mentioned.) The
result is a particular set of packets will make the kernel hang. I
wonder if hanging kernel thread could be preempted... hmm.

Anyway, details are at http://www.securityfocus.com/archive/1/367615

From my experience, hangs like this are usually due to bad hardware. I
don't know why anyone putting a rootkit on your computer would want to
crash it, unless it was written for a different kernel and caused your
kernel to crash?

-Nathan

On Fri, Jul 02, 2004 at 09:34:48AM -0400, Jason Purdy wrote:
> When I came into work today, our (Debian Woody) mail server wasn't 
> responding (my previous SSH connection was 'hung' and IMAP/POP 
> connections wouldn't work and pings were not responsive, either) and I 
> went to the console and plugged in a monitor and it was a black screen 
> (hitting the space bar or enter key didn't do anything).
> 
> So I had to hit the server's reset key (ugh) ... about 15 minutes later 
> after the auto fsck, everything looks ok.
> 
> This is a publicly available server, so my main concern is that someone 
> has r00ted me.  I have been keeping up to date on security patches that 
> Debian puts out.
> 
> I waded through logs (nothing suspicious, though there were several 
> attempts to do one of those "/SEARCH [long uri]" in its apache 
> access.log -- it was one of the last entries).  In /var/log/messages, I 
> get a MARK every 20 minutes ... there's a big gap between the last mark 
> at 3:56am and when I restarted the server at 8:46.  In the mail.log 
> file, the gap starts at 4:08, so that's when I think something happened 
> (I have a co-worker that POP's his mail every minute ;)).
> 
> I also ran a 'chkrootkit', but that didn't turn anything up.
> 
> I did a netstat -atu and there are a couple of entries there that I 
> don't know about:
> tcp 0 0 *:32768 *:* LISTEN
> udp 0 0 *:821 *:*
> udp 0 0 *:1111 *:*
> 
> Is there any way to see what process is tied to those ports?
> 
> Can anyone point me in a direction to figure out what happened?  Random 
> hardware glitch or something else?
> 
> Thanks,
> 
> Jason
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc

-- 
Nathan J. Conrad 
Chapel Hill, NC, USA                 http://bungled.net
GPG: F4FC 7E25 9308 ECE1 735C  0798 CE86 DA45 9170 3112
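Jason asks how to see which process is tied to the unfamiliar listening ports. As an added example, not code from the thread, here is a POSIX shell script doing what `netstat -p` and `lsof -i` do underneath: it takes the socket inode for a port from /proc/net/tcp or /proc/net/udp and finds the /proc/<pid>/fd symlink pointing at it. It assumes a Linux /proc (other users' fd tables need root), and the sample table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): map a listening port to its owning
# process the way `netstat -p` and `lsof -i` do, by reading /proc directly.
# Assumes a Linux /proc; seeing other users' fd tables requires root.

# Print the socket inode(s) bound to local port $1 in a /proc/net/tcp or
# /proc/net/udp style table read from stdin. Column 2 is local_address as
# HEXIP:HEXPORT, column 10 is the inode.
inode_for_port() {
    hexport=$(printf '%04X' "$1")
    awk -v p="$hexport" 'NR > 1 && $2 ~ (":" p "$") { print $10 }'
}

# Print the PID(s) whose fd table holds a link to socket:[$1].
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        case $(readlink "$fd" 2>/dev/null) in
            "socket:[$1]") echo "$fd" | cut -d/ -f3 ;;
        esac
    done | sort -u
}

# Report which process owns port $1, across the TCP and UDP tables.
who_owns_port() {
    for tbl in /proc/net/tcp /proc/net/udp; do
        [ -r "$tbl" ] || continue
        for ino in $(inode_for_port "$1" < "$tbl"); do
            for pid in $(pid_for_inode "$ino"); do
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
                printf '%s port %s -> inode %s pid %s %s\n' \
                    "${tbl##*/}" "$1" "$ino" "$pid" "$cmd"
            done
        done
    done
}

# Constructed sample in /proc/net/tcp format: a socket listening on
# 0.0.0.0:32768 (port 0x8000), state 0A = LISTEN, inode 12345.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0'

# Usage: sh portowner.sh 32768   (no argument: define the functions only)
if [ -n "${1:-}" ]; then
    who_owns_port "$1"
fi
```

On a box suspected of being rooted, run this (or netstat/lsof) from known-good binaries or a rescue disk, since a compromised kernel can hide sockets and processes from /proc.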