;), Mon, Oct 07, 2002 at 11:47:15AM -0700, Riley said that
> Hi all,
> (Let me know if this belongs in -questions)
> I could sure use some help interpreting this.  A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:
try running the latest sendmail with the patch :) .... and upgrade your box
> /kernel: file: table is full
I know it :)
> along with related messages, then a core dump.  (syslog for this date is
> below.)
> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384.  As the system
my kern.maxfiles is set to 65536 and max.vnodes to 8662,
and try to set up /etc/login.conf, see: man login.conf and all the sections about files :)
for users
> started to recover for fun I ran chkrootkit which came back with this:
try compiling lsof, it is better for ports
> Checking `bindshell'... INFECTED (PORTS:  114)
uf audionews port
> A few minutes later and ever since chkrootkit returns:
> Checking `bindshell'... not infected
> netstat -an  doesn't show anything on 114 and nothing unusual.
telnet localhost 114 
but it can't help you 


#cd /usr/src/usr.sbin/named
#make && make install && make clean

and restart named
> The system is on a dmz with ports 25, 53 and 110 mapped through.  Running
> chkrootkit on the firewall reported this:
> Checking `bindshell'... not infected
> Checking `lkm'... not tested: can't exec ./chkproc
try to recompile linux ksec, that's good for addresses of system calls
or run:
#nm kernel | grep -v '\(compiled\)\|\(\.o$\)\|\( [aUw] \)\|\(\.\.ng$\)\|\(LASH[RL]DI\)' | sort

to see your syscall addresses :)
> Checking `rexedcs'... not found
> Checking `sniffer'...
> xl0 is not promisc
> xl2 is not promisc
> I'm not sure what to think about "can't exec ./chkproc".  Also the xl1
> interface is not reported in the output and is the dmz interface that the
> above machine is on.  ifconfig shows:
>         inet netmask 0xffffff00 broadcast
>         inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
>         ether 00:60:08:31:e4:b0
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> Any comments would be greatly appreciated.
> Thanks,
> Riley
> "That which does not kill us makes us stranger."
>                                              --Kimchi
> Oct  7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O  error on connection from [], from=<[EMAIL PROTECTED]>
> Oct  7 08:45:13 aji /kernel: file: table is full
> Oct  7 08:45:14 aji last message repeated 38 times
> Oct  7 08:46:27 aji last message repeated 35 times
> Oct  7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect:
> I/O error on connection from adsl-63-rev-addr,
> Oct  7 09:22:17 aji /kernel: file: table is full
> Oct  7 09:22:20 aji last message repeated 17 times
> Oct  7 09:23:21 aji last message repeated 16 times
> Oct  7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0):
> <[EMAIL PROTECTED]>... openmailer(local): pipe (to mailer): Too many open
> files in system
someone is playing with you :)
> Oct  7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot
> open hash database /etc/mail/aliases.db: Too many open files in system
> Oct  7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in
> system
> Oct  7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct  7 09:25:42 aji /kernel: file: table is full
> Oct  7 09:25:43 aji last message repeated 4 times
> Oct  7 09:29:58 aji /kernel: file: table is full
> Oct  7 09:30:44 aji last message repeated 107 times
> Oct  7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core
>  dumped)
20:57  up 2 days,  3:31, 4 users, load averages: 0,00 0,00 0,00
FreeBSD 5.0-CURRENT #16: root@kripel:/usr/src/sys/i386/compile/angel
powered by rado
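
Added example, not part of the original messages: a Python tally of kernel file-table exhaustion from syslog output like the log quoted above. It credits "last message repeated N times" lines to the preceding "file: table is full" entry and lists which programs reported "Too many open files in system". The sample lines are constructed from the quoted log with wrapped lines rejoined; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample modeled on the syslog quoted in the thread (wrapped lines rejoined).
SAMPLE = """\
Oct  7 08:45:13 aji /kernel: file: table is full
Oct  7 08:45:14 aji last message repeated 38 times
Oct  7 08:46:27 aji last message repeated 35 times
Oct  7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): openmailer(local): pipe (to mailer): Too many open files in system
Oct  7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
Oct  7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
Oct  7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")
PROC = re.compile(r"^([\w./-]+)\[\d+\]: ")

def summarize(text):
    """Return (table-full events per minute, programs that hit ENFILE)."""
    per_minute, victims = Counter(), Counter()
    prev_full = False  # was the last real message "file: table is full"?
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        minute, _host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            # syslogd collapses duplicates; credit them to the prior message
            if prev_full:
                per_minute[minute] += int(rep.group(1))
            continue
        prev_full = msg.endswith("file: table is full")
        if prev_full:
            per_minute[minute] += 1
        elif "Too many open files in system" in msg:
            p = PROC.match(msg)
            victims[p.group(1) if p else "unknown"] += 1
    return per_minute, victims

if __name__ == "__main__":
    full, victims = summarize(SAMPLE)
    for minute, n in sorted(full.items()):
        print(f"{minute}  table-full x{n}")
    print("ENFILE seen by:", dict(victims))
```

A per-minute count makes it easier to line up bursts of table exhaustion with mail or connection activity in the same log.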
