Hi John!

I'm not familiar with the syslog output you have, but I assume the "(113)" is 
a port number on the remote system - that's likely the identd process, which
is frequently used to either:

1) Verify the identity of a mail sender.
2) Discover potential user names on a system.

So, going *way* out on a limb here, I'd say that you have a gazillion sendmail
processes and the system has run out of process slots. Either someone is trying
to use your system as a spam relay or it's a deliberate attempt to swamp your
system. Probably the former (why else would your system be trying to authenticate
a remote user).

Assuming this is a Linux box with a default sendmail configuration, if you
disconnect the network cable, then usually the system will come back after about
10 minutes (and most/all the sendmail processes have died off). But you have to
be quick and stop the sendmail daemon, otherwise the spammer will flood the
system again.

--Bruce

Quoting Lori Hitchcock <[EMAIL PROTECTED]>:

> -----Original Message-----
> From: John Abreau [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, August 28, 2000 12:46 PM
> To:   [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]
> Subject:      Possible DoS attack?
> 
> We lost access to a server at work; unfortunately, the server is in New
> York, and one of us is on the way to Logan to fly out there and reboot the
> machine, but he probably won't even arrive there until 4:00 or so.
> 
> At this point we can ping the system, but we can't access it at all. Ssh
> is apparently down, as is apache, sendmail, and inn. It responds to all
> connection requests instantaneously with a "Connection refused" error,
> which makes me suspect that the refusal is happening at the IP level,
> before the system has a chance to look at the packet.
> 
> In the meantime, we got a report from someone that the system is pounding
> their network on port 113, at roughly 50-60 requests per minute. The
> excerpt from their logs looks like this (ip addresses obscured):
> 
>     Aug 25 08:00:14 avgo-br2 avgo-br2, list 101 denied tcp xxx.xxx.xxx.xxx(13361)(Ethernet v2 0050.2ac2.14a0) -> yyy.yyy.yyy.yyy(113), 1 packets
> 
> Does this look familiar to anyone? Is this characteristic of any type of
> break-in?
> 
> Another thing that occurs to me: we had just migrated an old server to
> this one last week, which included installing inn. I understand inn can be
> a resource pig; could the above behavior be a side effect of inn running
> out of control?
> 
> --
> John Abreau / Executive Director, Boston Linux & Unix 
> ICQ#28611923 / AIM abreauj / Email [EMAIL PROTECTED]
> 
> 
> -
> Subcription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to [EMAIL PROTECTED] (Subject line is ignored).
> 
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
> 
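An added example, not part of this thread or of either writer's mail: a small Python script that parses ACL-denial lines in the format John quoted above and flags any source host that, as he reported, hits port 113 (identd) at 50 or more connections in any one-minute window. The exact line layout (router name, "list 101 denied tcp", optional "(Ethernet ...)" annotation), the hostname avgo-br2, the IP addresses (taken from the RFC 5737 documentation ranges), and the year 2000 used to complete the syslog timestamps are all assumptions or constructed sample data, since the thread only shows one obscured line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the ACL "denied" line quoted in the thread. Assumed layout:
# "<Mon> <day> <hh:mm:ss> <host> [<host>,] list <acl> denied|permitted <proto>
#  <src>(<sport>)[(Ethernet ...)] -> <dst>(<dport>), <n> packets"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?:\S+, )?list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?:\([^)]*\))?\s*->\s*"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_line(line, year=2000):
    """Parse one ACL log line into a dict, or return None for lines that do
    not match. Syslog timestamps carry no year, so one is supplied (assumed)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    hh, mm, ss = (int(x) for x in d["time"].split(":"))
    ts = datetime(year, MONTHS[d["mon"]], int(d["day"]), hh, mm, ss)
    return {
        "ts": ts, "host": d["host"], "acl": d["acl"], "action": d["action"],
        "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "packets": int(d["pkts"]),
    }


def peak_rate_per_source(events, dport=113, window_seconds=60):
    """For each source IP, the largest number of denied connections to `dport`
    that fall inside any sliding window of `window_seconds`."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == dport:
            by_src[e["src"]].append(e["ts"])
    span = timedelta(seconds=window_seconds)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        head = best = 0
        for tail, t in enumerate(times):
            # Slide the window start forward until it covers at most `span`.
            while t - times[head] >= span:
                head += 1
            best = max(best, tail - head + 1)
        peaks[src] = best
    return peaks


def flag_identd_floods(lines, threshold_per_minute=50):
    """Return {src: peak_count} for sources at or above the reported
    50-per-minute rate toward port 113; unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    peaks = peak_rate_per_source(events)
    return {src: n for src, n in peaks.items() if n >= threshold_per_minute}


def make_sample_lines():
    """Constructed sample log (not real data): one host opening a connection
    to port 113 roughly once a second, one benign host, one unrelated port,
    and one junk line to exercise the parser's rejection path."""
    base = datetime(2000, 8, 25, 8, 0, 14)
    lines = []
    for i in range(55):
        ts = base + timedelta(seconds=i)
        lines.append(
            f"{ts:%b %d %H:%M:%S} avgo-br2 avgo-br2, list 101 denied tcp "
            f"198.51.100.7({13000 + i})(Ethernet v2 0050.2ac2.14a0) -> "
            f"203.0.113.5(113), 1 packets")
    for i in range(3):
        ts = base + timedelta(seconds=20 * i)
        lines.append(
            f"{ts:%b %d %H:%M:%S} avgo-br2 avgo-br2, list 101 denied tcp "
            f"198.51.100.9({40000 + i}) -> 203.0.113.5(113), 1 packets")
    lines.append("Aug 25 08:01:00 avgo-br2 avgo-br2, list 101 denied tcp "
                 "198.51.100.7(13999) -> 203.0.113.5(25), 1 packets")
    lines.append("this is not an ACL log line and must be ignored")
    return lines


if __name__ == "__main__":
    for src, n in flag_identd_floods(make_sample_lines()).items():
        print(f"{src}: peak {n} identd connections in one minute")
```

The sliding window matters because a simple per-minute bucket can split a burst across two buckets and under-count it; the peak-in-any-window figure is what you would compare against the "50-60 per minute" report. In the thread's situation the flagged source is the victim's own mail server, so the useful response on the receiving side is to confirm it is plain identd lookups (destination port 113 only) and rate-limit or block them, rather than to treat the sender as hostile.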


-------------------------------------------------
This mail sent through IMP: brucedawson.ne.mediaone.net
