[TriLUG] Server Oddness
Jason Purdy
jason at journalistic.com
Fri Jul 2 11:41:02 EDT 2004
Thanks, Nathan ... uname -a shows a 2.4 kernel, confirming my suspicions
about Woody -- I really didn't think Woody had 2.6.
Any way to track down the bad hardware?
Jason
Nathan Conrad wrote:
> I saw mention of a remote DoS attack for the Linux kernel last
> night. This probably did not affect you, but if you've seriously
> upgraded your Woody machine, it could have affected you.
>
> What I read says it requires a 2.6 kernel, that it is running
> IPTables, and you have a rule that will be executed for a packet that
> contains the --tcp-option. (Fairly unlikely, as I mentioned.) The
> result is that a particular set of packets will make the kernel hang. I
> wonder if a hanging kernel thread could be preempted... hmm.
>
> Anyway, details are at http://www.securityfocus.com/archive/1/367615
>
> From my experience, hangs like this are usually due to bad hardware. I
> don't know why anyone putting a rootkit on your computer would want to
> crash it, unless it was written for a different kernel and caused your
> kernel to crash?
>
> -Nathan
>
> On Fri, Jul 02, 2004 at 09:34:48AM -0400, Jason Purdy wrote:
>
>>When I came into work today, our (Debian Woody) mail server wasn't
>>responding (my previous SSH connection was 'hung' and IMAP/POP
>>connections wouldn't work and pings were not responsive, either) and I
>>went to the console and plugged in a monitor and it was a black screen
>>(hitting the space bar or enter key didn't do anything).
>>
>>So I had to hit the server's reset key (ugh) ... about 15 minutes later
>>after the auto fsck, everything looks ok.
>>
>>This is a publicly available server, so my main concern is that someone
>>has r00ted me. I have been keeping up to date on security patches that
>>Debian puts out.
>>
>>I waded through logs (nothing suspicious, though there were several
>>attempts to do one of those "/SEARCH [long uri]" in its apache
>>access.log -- it was one of the last entries). In /var/log/messages, I
>>get a MARK every 20 minutes ... there's a big gap between the last mark
>>at 3:56am and when I restarted the server at 8:46. In the mail.log
>>file, the gap starts at 4:08, so that's when I think something happened
>>(I have a co-worker that POP's his mail every minute ;)).
>>
>>I also ran a 'chkrootkit', but that didn't turn anything up.
>>
>>I did a netstat -atu and there are a couple of entries there that I
>>don't know about:
>>tcp 0 0 *:32768 *:* LISTEN
>>udp 0 0 *:821 *:*
>>udp 0 0 *:1111 *:*
>>
>>Is there any way to see what process is tied to those ports?
>>
>>Can anyone point me in a direction to figure out what happened? Random
>>hardware glitch or something else?
>>
>>Thanks,
>>
>>Jason
>
>
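Jason's question about which process owns the ports in his netstat listing can be answered with `netstat -p` (root needed to see other users' processes), but it is worth knowing what that flag does underneath. The script below is an added example, not from this thread: it reads /proc/net/tcp and /proc/net/udp directly, decodes the hex address fields, and matches each socket's inode against the `socket:[N]` links in /proc/<pid>/fd. It assumes a Linux /proc layout; the sample tables and their inode numbers are constructed for offline use and only reuse the port numbers from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): map listening sockets to the process
# that owns them by reading /proc directly, which is what netstat -p does.
# Assumes a Linux /proc layout; resolving another user's process needs root.

# Decode a /proc/net/{tcp,udp} local_address field ("0100007F:0016") into
# dotted-quad:port. The IPv4 address is stored as little-endian hex, so the
# octets come out in reverse order.
decode_addr() {
    hexaddr=${1%%:*}
    hexport=${1##*:}
    o1=${hexaddr#??????}          # last byte pair  -> first octet
    rest=${hexaddr%??}
    o2=${rest#????}
    rest=${rest%??}
    o3=${rest#??}
    o4=${rest%??}                 # first byte pair -> last octet
    printf '%d.%d.%d.%d:%d' "0x$o1" "0x$o2" "0x$o3" "0x$o4" "0x$hexport"
}

# Read /proc/net/tcp- or /proc/net/udp-formatted text on stdin and print
# "addr:port inode" for every listening socket. Field 4 is the socket state
# (0A = TCP_LISTEN; bound-but-unconnected UDP sockets show 07 = TCP_CLOSE),
# field 10 is the inode number that /proc/<pid>/fd links point at.
listeners() {
    case $1 in
        tcp) st=0A ;;
        udp) st=07 ;;
        *)   echo "usage: listeners tcp|udp" >&2; return 2 ;;
    esac
    awk -v st="$st" 'NR > 1 && $4 == st { print $2, $10 }' |
    while read -r addr inode; do
        printf '%s %s\n' "$(decode_addr "$addr")" "$inode"
    done
}

# Find the PID whose fd table holds socket inode $1 (prints nothing and
# returns 1 if no owning process is visible to the caller).
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
            return 0
        fi
    done
    return 1
}

# Live report over the real /proc tables: protocol, address, inode, PID, cmdline.
report() {
    for proto in tcp udp; do
        listeners "$proto" < "/proc/net/$proto" | while read -r addr inode; do
            pid=$(inode_to_pid "$inode") || pid='?'
            cmd=''
            [ "$pid" != '?' ] && cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s %s inode=%s pid=%s %s\n' "$proto" "$addr" "$inode" "$pid" "$cmd"
        done
    done
}

# Constructed sample tables (inode numbers and the second TCP row are made up)
# mirroring the ports from the thread, so the parser can be exercised offline.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 20 4 30 10 -1
EOF
}
sample_proc_net_udp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0335 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 00000000
   1: 00000000:0457 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12348 2 00000000
EOF
}

# Run the live scan only when asked, so sourcing the file for the sample
# functions has no side effects.
if [ "${1:-}" = "--scan" ]; then
    report
fi
```

Run it as root with `sh procnet.sh --scan` and compare against `netstat -atu`. A listener whose inode resolves to no PID even as root is itself a finding: every socket in the kernel table should have a visible owner, so a missing one means either a process that exited between the two reads or something deliberately hiding its fd table.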