scsi crash???
hi all!

I don't know if this is a security problem or not, but it could be, because just one of our servers was down... so I attach a small part of the /var/log/messages (12KB of 30MB). This server runs a 2.2r5 updated, apache, mysqld, proftpd and sshd.

Does somebody know what happened?

thanks in advance ;)

Ivan R.
sysadmin

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
scsi crash??? (oups i forgot the /var/log/message :p)
thanks in advance again ;)

Ivan R.
sysadmin

Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x7 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 17:16:28 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 17:16:28 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
#
#
Feb 19 20:08:54 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 20:08:54 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 20:08:54 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 20:08:54 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0 = 0x15 SSTAT1 = 0x8a
Feb 19 20:08:54 myproxy1 kernel: (scsi0:-1:-1:-1) Referenced SCB 0 not valid during SELTO.
Feb 19 20:08:54 myproxy1 kernel: SCSISEQ = 0x5a SEQADDR = 0x9 SSTAT0
portsentry woes
I installed portsentry lately, and I'm being constantly warned about UDP connect attempts that I can't otherwise detect, from a machine that (as far as I can tell) isn't trying to connect.

I installed portsentry on the machine 'izzy' with apt-get portsentry. Default settings. The machine 205.XXX.216.233 is the gateway given to me by the co-location facility. I've been getting constant messages like the following:

Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring

It used to warn me about UDP port 69, but I edited /etc/portsentry/portsentry.conf and changed the UDP_PORTS line. Now it's warning me about port 9.

Thing is, I've used tcpdump and ngrep to listen for any UDP traffic to find out what the content of port 69 (Trivial FTP) or port 9 (discard) might be... but I'm not detecting traffic destined for either port, despite this warning-storm. The warnings themselves are cluttering up my syslogs; I'll have to switch to something else.

Can someone explain to me why portsentry is giving what looks like false positives? Alternately, can someone suggest an alternative?
Re: Makejail
On Tuesday, February 19, 2002, at 09:05 AM, Davy Gigan wrote:

> I would also notify another evident thing: due to the fact I'm running two syslog-ng servers on my machine, the configure script killed all of them = normal.

No, that is normal. The scripts should be using pid files. To quote policy:

    The init.d scripts should ensure that they will behave sensibly if invoked with start when the service is already running, or with stop when it isn't, and that they don't kill unfortunately-named user processes. The best way to achieve this is usually to use start-stop-daemon.

Unfortunately ( ;-) it's only 'should', not 'must'.
syslog messages
Hi,

I'm getting these strange entries in my syslog file. Can anyone shed some light on what this means?

Feb 21 14:03:35 jbeam
Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7
FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Feb 21 14:03:35 jbeam C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L\2
11F3B0^KCD\200B0^ACD\200E8\177FF

Thanks in advance!

Marcel
Re: syslog messages
It's an exploit attempt.

See http://www.debian.org/security/2000/2719a and http://www.cert.org/advisories/CA-2000-17.html for more info.

On Thu, 21 Feb 2002, Marcel Welschbillig wrote:

> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> [...]
>
> Thanks in advance!
>
> Marcel

Today's root password is brought to you by /dev/random

Steve Mickeler * Network Operations
Neptune Internet Services
1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
Re: syslog messages
Just an attempt at a very old syslog exploit that has since been fix'd...

Jeremy

On Thu, Feb 21, 2002 at 09:02:13AM +0800, Marcel Welschbillig wrote:
> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> [...]
>
> Thanks in advance!
>
> Marcel
Re: syslog messages
Marcel Welschbillig wrote:
> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7
> FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
> blah blah blah
>
> Thanks in advance!
>
> Marcel

Something along the lines of an old statd exploit. I believe this DSA [1] is the one that covers it, and also this CERT Advisory [2].

I would personally believe that the attack was unsuccessful, since it did write it to the log (rather than crash and give the attacker a shell), but the CERT advisory leads me to think otherwise. Check your version of nfs; 0.1.9.1-1 or better should be fixed.

[1] http://www.debian.org/security/2000/2719a
[2] http://www.cert.org/advisories/CA-2000-17.html

Hope I have helped.

- Will Wesley, CCNA

Furious activity is no substitute for understanding. -- H.H. Williams
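A defender-side triage of the kind of log entry this thread is about, added here as an example and not code from any of the posters: it parses the syslog lines, counts the %n writes and %<width>x padding in the gethostbyname() argument, measures the octal-escaped 0x90 sled, folds in the continuation line that syslogd could not glue back, and leaves an ordinary lookup failure unflagged. The sample lines are constructed (modelled on Marcel's excerpt, with the sled shortened), and the regexes and the sled threshold are my assumptions, not anything taken from the DSA or the CERT advisory.

```python
"""Triage rpc.statd syslog entries for the format-string attack markers
discussed in the thread (added example, not code from any poster):
%<width>x padding and %n writes in the gethostbyname() argument, an
octal-escaped 0x90 NOP sled, and a /bin/sh string on a continuation
line that syslogd could not glue back. Sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
STATD_RE = re.compile(
    SYSLOG_PREFIX + r"(?P<prog>\S*rpc\.statd)\[(?P<pid>\d+)\]: "
    r"gethostbyname error for (?P<arg>.*)$"
)
ANY_RE = re.compile(SYSLOG_PREFIX + r"(?P<rest>.*)$")   # any timestamped line
TAGGED_RE = re.compile(r"^\S+(\[\d+\])?: ")             # "prog[pid]: " / "prog: "

WRITE_DIRECTIVE = re.compile(r"%\d*n")         # %n: printf writes to memory
PAD_DIRECTIVE = re.compile(r"%(\d+)x")         # %<width>x: pads the byte count
NOP_ESCAPE = re.compile(r"\\220")              # syslogd's octal for 0x90 (x86 NOP)
SHELL_FRAGMENT = re.compile(r"/bin.{0,8}/sh")  # "/bin" ... "/sh" with junk between


@dataclass
class Verdict:
    host: str
    pid: int
    n_writes: int = 0
    pad_bytes: int = 0
    nop_sled: int = 0
    shell_fragment: bool = False
    continued: bool = False   # a continuation line was folded into this record

    @property
    def suspicious(self) -> bool:
        # A name handed to gethostbyname() never legitimately contains %n;
        # the sled and the shell string are corroboration. Threshold assumed.
        return self.n_writes > 0 or self.nop_sled >= 16 or self.shell_fragment

    def absorb(self, text: str) -> None:
        self.n_writes += len(WRITE_DIRECTIVE.findall(text))
        self.pad_bytes += sum(int(w) for w in PAD_DIRECTIVE.findall(text))
        self.nop_sled += len(NOP_ESCAPE.findall(text))
        self.shell_fragment = self.shell_fragment or bool(SHELL_FRAGMENT.search(text))


def triage(lines) -> List[Verdict]:
    # One Verdict per rpc.statd gethostbyname error; untagged lines from the
    # same host that follow it (the part syslogd could not glue) are folded in.
    verdicts: List[Verdict] = []
    current: Optional[Verdict] = None
    for line in lines:
        m = STATD_RE.match(line)
        if m:
            current = Verdict(host=m.group("host"), pid=int(m.group("pid")))
            current.absorb(m.group("arg"))
            verdicts.append(current)
            continue
        a = ANY_RE.match(line)
        if a and current is not None and a.group("host") == current.host:
            rest = a.group("rest")
            if rest and not TAGGED_RE.match(rest):
                current.absorb(rest)          # continuation of the statd line
                current.continued = True
                continue
        current = None                        # anything else closes the record
    return verdicts


def report(lines) -> List[str]:
    out = []
    for v in triage(lines):
        tag = "ATTACK" if v.suspicious else "ok"
        out.append(f"{tag}: host={v.host} pid={v.pid} %n={v.n_writes} "
                   f"pad={v.pad_bytes} nops={v.nop_sled} shell={v.shell_fragment}")
    return out


# Constructed sample, modelled on the excerpt in the thread (sled shortened).
SAMPLE_LOG = [
    "Feb 21 14:03:35 jbeam",
    "Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together",
    "Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for "
    r"^XF7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7FFBF^[F7FFBF"
    r"%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n" + r"\220" * 24,
    r"Feb 21 14:03:35 jbeam C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L"
    r"\211F3B0^KCD\200B0^ACD\200E8\177FF",
    "Feb 21 15:10:02 jbeam /sbin/rpc.statd[198]: gethostbyname error for "
    "nfsclient.example.invalid",                     # benign lookup failure
    "Feb 21 15:10:03 jbeam sshd[412]: Accepted publickey for marcel from 10.0.0.7",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```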
Re: syslog messages
I have checked this and I am running the recommended version nfs-common_0.1.9.1-1; also I don't see any obvious signs of access. Does this mean I don't need to worry about it, or is there something else I should be doing?

Marcel

Steve Mickeler wrote:
> It's an exploit attempt.
>
> See http://www.debian.org/security/2000/2719a and http://www.cert.org/advisories/CA-2000-17.html for more info.
>
> On Thu, 21 Feb 2002, Marcel Welschbillig wrote:
>> Hi,
>>
>> I'm getting these strange entries in my syslog file. Can anyone shed some light on what this means?
>>
>> Feb 21 14:03:35 jbeam
>> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
>> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
>> [...]
>>
>> Thanks in advance!
>>
>> Marcel
>
> Today's root password is brought to you by /dev/random
>
> Steve Mickeler * Network Operations
> Neptune Internet Services
> 1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
Re: syslog messages
On Thu, 21 Feb 2002, Marcel Welschbillig wrote:
> I have checked this and I am running the recommended version nfs-common_0.1.9.1-1; also I don't see any obvious signs of access. Does this mean I don't need to worry about it, or is there something else I should be doing?

You should only allow necessary connections in your firewalling setup and deny everything else.

Alex

--
Life is what happens to you while you're busy making other plans.
John Lennon
PPPoverEthernet vs. PPPoverATM
I'm about to turn to an ADSL connection to the Internet and I'm taking into consideration all the choices the provider offers. I was surprised in seeing they offer an ADSL service not only using the PPP-over-Eth protocol, but also with PPP-over-ATM.

So my question is: if I choose the second system, does Debian support it? What is the best configuration (I think I will use the following hardware: ADSL modem + Cisco 25xx router through Ethernet cable connection)?

Thanx in advance!

GNU/Debian Linux RULES anyhow!
Re: syslog messages
> I have checked this and I am running the recommended version nfs-common_0.1.9.1-1; also I don't see any obvious signs of access. Does this mean I don't need to worry about it, or is there something else I should be doing?

There is a bug in nfs-common_0.1.9.1 in Potato (#111990 Hi, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=111990&archive=yes&repeatmerged=yes). This bug is NOT related to your problem (nor any security problem, except putting garbage in logcheck mails), but you may be interested.

dists/potato/main/binary-sparc/net/nfs-kernel-server_0.1.9.1-1.deb
dists/potato/main/binary-sparc/net/nfs-common_0.1.9.1-1.deb
dists/potato/main/binary-i386/net/nfs-kernel-server_0.1.9.1-1.deb
dists/potato/main/binary-i386/net/nfs-common_0.1.9.1-1.deb
pool/main/n/nfs-utils/nfs-common_0.1.9.1-1.potato1_i386.deb
pool/main/n/nfs-utils/nfs-common_0.1.9.1-1.potato1_sparc.deb
pool/main/n/nfs-utils/nfs-kernel-server_0.1.9.1-1.potato1_i386.deb
pool/main/n/nfs-utils/nfs-kernel-server_0.1.9.1-1.potato1_sparc.deb

You should use nfs-common_0.1.9.1-1.potato1 to avoid this problem.

Can somebody explain to me why the replacement 0.1.9.1-1 -> 0.1.9.1-1.potato1 is not automatically done by apt? My /etc/apt/source.list is:

deb ftp://LOCAL_MIRROR/pub/debian stable main contrib non-free
deb ftp://LOCAL_MIRROR/pub/debian-non-US stable/non-US main contrib non-free
deb ftp://LOCAL_MIRROR/pub/debian-security stable/updates main contrib non-free

(LOCAL_MIRROR is one of our boxes mirroring ftp.fr.debian.org and security.debian.org, just for our own needs).

--
Benoît Sibaud
RD Engineer - France Telecom