Any way to track down the bad hardware?
Jason
Nathan Conrad wrote:
I was mention of a remote DoS attack for the Linux kernel last night. This probably did not effect you, but if you've seriously upgraded your Woody machine, it could have effected.
What I read says it requires a 2.6 kernel, that it is running IPTables, and you have a rule that will be executed for a packet that contains the --tcp-option. (Fairly unlikely, as I mentioned.) The result is a particular set of packets will make the kernel hang. I wonder if hanging kernel thread could be preempted... hmm.
Anyway, details are at http://www.securityfocus.com/archive/1/367615
From my experience, hangs like this are usually due to bad hardware. I don't know why anyone putting a rootkit on your computer would want to crash it, unless it was written for a different kernel and caused your kernel to crash?
-Nathan
On Fri, Jul 02, 2004 at 09:34:48AM -0400, Jason Purdy wrote:
When I came into work today, our (Debian Woody) mail server wasn't responding (my previous SSH connection was 'hung' and IMAP/POP connections wouldn't work and pings were not responsive, either) and I went to the console and plugged in a monitor and it was a black screen (hitting the space bar or enter key didn't do anything).
So I had to hit the server's reset key (ugh) ... about 15 minutes later after the auto fsck, everything looks ok.
This is a publicly available server, so my main concern is that someone has r00ted me. I have been keeping up to date on security patches that Debian puts out.
I waded through logs (nothing suspicious, though there were several attempts to do one of those "/SEARCH [long uri]" in its apache access.log -- it was one of the last entries). In /var/log/messages, I get a MARK every 20 minutes ... there's a big gap between the last mark at 3:56am and when I restarted the server at 8:46. In the mail.log file, the gap starts at 4:08, so that's when I think something happened (I have a co-worker that POP's his mail every minute ;)).
I also ran a 'chkrootkit', but that didn't turn anything up.
I did a netstat -atu and there are a couple of entries there that I don't know about:
tcp 0 0 *:32768 *:* LISTEN
udp 0 0 *:821 *:*
udp 0 0 *:1111 *:*
Is there any way to see what process is tied to those ports?
Can anyone point me in a direction to figure out what happened? Random hardware glitch or something else?
Thanks,
Jason -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
-- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
