I was mention of a remote DoS attack for the Linux kernel last night. This probably did not effect you, but if you've seriously upgraded your Woody machine, it could have effected.
What I read says it requires a 2.6 kernel, that it is running IPTables, and you have a rule that will be executed for a packet that contains the --tcp-option. (Fairly unlikely, as I mentioned.) The result is a particular set of packets will make the kernel hang. I wonder if hanging kernel thread could be preempted... hmm. Anyway, details are at http://www.securityfocus.com/archive/1/367615 From my experience, hangs like this are usually due to bad hardware. I don't know why anyone putting a rootkit on your computer would want to crash it, unless it was written for a different kernel and caused your kernel to crash? -Nathan On Fri, Jul 02, 2004 at 09:34:48AM -0400, Jason Purdy wrote: > When I came into work today, our (Debian Woody) mail server wasn't > responding (my previous SSH connection was 'hung' and IMAP/POP > connections wouldn't work and pings were not responsive, either) and I > went to the console and plugged in a monitor and it was a black screen > (hitting the space bar or enter key didn't do anything). > > So I had to hit the server's reset key (ugh) ... about 15 minutes later > after the auto fsck, everything looks ok. > > This is a publicly available server, so my main concern is that someone > has r00ted me. I have been keeping up to date on security patches that > Debian puts out. > > I waded through logs (nothing suspicious, though there were several > attempts to do one of those "/SEARCH [long uri]" in its apache > access.log -- it was one of the last entries). In /var/log/messages, I > get a MARK every 20 minutes ... there's a big gap between the last mark > at 3:56am and when I restarted the server at 8:46. In the mail.log > file, the gap starts at 4:08, so that's when I think something happened > (I have a co-worker that POP's his mail every minute ;)). > > I also ran a 'chkrootkit', but that didn't turn anything up. > > I did a netstat -atu and there are a couple of entries there that I > don't know about: > tcp 0 0 *:32768 *:* LISTEN > udp 0 0 *:821 *:* > udp 0 0 *:1111 *:* > > Is there any way to see what process is tied to those ports? > > Can anyone point me in a direction to figure out what happened? Random > hardware glitch or something else? > > Thanks, > > Jason > -- > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug > TriLUG Organizational FAQ : http://trilug.org/faq/ > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ > TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc -- Nathan J. Conrad Chapel Hill, NC, USA http://bungled.net GPG: F4FC 7E25 9308 ECE1 735C 0798 CE86 DA45 9170 3112
signature.asc
Description: Digital signature
-- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
