Re: [vox-tech] Router acting funny
- Subject: Re: [vox-tech] Router acting funny
- From: Bill Broadley <bill@MAPSmath.ucdavis.edu>
- Date: Tue, 02 Jan 2001 18:54:55 -0800
- References: Pine.GSO.4.21.0101021819460.20993-100000@logan.ucdavis.edu
Looks like logrotate has freaked out, might want to make sure
you're running a recent version, I've seen some bugs mentioned/patched.
Top would be more useful than ps as far as what's keeping the
machine busy now.
Looks like logrotate is freaked, 10+ hours of cpu time is WAY too much.
BTW if your machine is really hacked you can't trust ps, syslog, login,
ls, top, etc.
I'd kill logrotate to start, check its logs, check for a new version, check
your config file etc.
On Tue, Jan 02, 2001 at 06:36:27PM -0800, Mark Kim wrote:
> Happy new year, everyone. I just got back to Davis and noticed the
> hard drive running continuously on the router. It's so busy I can
> barely log in.
>
> Checking the log, I see:
>
> Jan 2 18:03:08 sorrento : Security warning : eth0 is in promiscuous mode.
> Jan 2 18:03:09 sorrento : A sniffer is probably running on your system.
> Jan 2 18:03:12 sorrento : Security warning : eth1 is in promiscuous mode.
> Jan 2 18:03:14 sorrento : A sniffer is probably running on your system.
>
> I did run nmap last quarter on the system so maybe that's what caused it.
> I also see (notice the time interval):
>
> ...
> Jan 1 07:13:05 sorrento syslogd 1.3-3: restart.
> Jan 1 07:17:08 sorrento syslogd 1.3-3: restart.
> Jan 1 07:21:04 sorrento syslogd 1.3-3: restart.
> Jan 1 07:26:54 sorrento syslogd 1.3-3: restart.
> Jan 1 07:31:52 sorrento syslogd 1.3-3: restart.
> Jan 1 07:36:36 sorrento syslogd 1.3-3: restart.
> Jan 1 07:40:44 sorrento syslogd 1.3-3: restart.
> Jan 1 07:43:59 sorrento syslogd 1.3-3: restart.
> ...
>
> (The same happens on December 31st and 24th). Also portsentry
> attempted to block out the following servers (which it couldn't because of
> the way I set up my tcp wrapper):
>
> ALL: 63.197.184.28
> ALL: 211.39.97.178
> ALL: 211.44.132.16
> ALL: 216.250.78.210
> ALL: 61.139.83.154
> ALL: 211.47.221.2
> ALL: 211.44.188.66
>
> Here's my `ps aefxwww` output (trimmed to 80 columns):
>
> PID TTY STAT TIME COMMAND
> 1 ? S 0:10 init [3] HOME=/ TERM=linux BOOT_IMAGE=linux-fb
> 2 ? SW 0:54 [kflushd]
> 3 ? SW 0:29 [kupdate]
> 4 ? SW 0:00 [kpiod]
> 5 ? SW 60:53 [kswapd]
> 6 ? SW< 0:00 [mdrecoveryd]
> 336 ? S 21:28 syslogd -m 0 PWD=/ HOSTNAME=sorrento.localnet.enet CO
> 357 ? S 0:10 crond PWD=/ HOSTNAME=sorrento.localnet.enet CONSOLE=/
> 4479 ? SW 0:00 \_ [crond]
> 4481 ? SW 0:00 | \_ [run-parts]
> 4499 ? SW 0:00 | | \_ [logrotate]
> 4500 ? D 733:51 | | \_ /usr/sbin/logrotate /etc/logrotate.co
> 4501 ? SW 0:00 | \_ [sendmail]
> 22404 ? SW 0:00 \_ [crond]
> 22407 ? SW 0:00 | \_ [security.sh]
> 22424 ? DN 21:55 | \_ /usr/bin/msec_find / /home /usr/local PWD
> 22447 ? SW 0:00 \_ [crond]
> 22449 ? SW 0:00 | \_ [run-parts]
> 22467 ? SW 0:00 | | \_ [logrotate]
> 22468 ? D 92:44 | | \_ /usr/sbin/logrotate /etc/logrotate.co
> 22469 ? SW 0:00 | \_ [sendmail]
> 9610 ? SW 0:00 \_ [crond]
> 9613 ? SW 0:00 | \_ [security.sh]
> 9630 ? DN 21:48 | \_ /usr/bin/msec_find / /home /usr/local PWD
> 9652 ? S 0:00 \_ CROND PWD=/ HOSTNAME=sorrento.localnet.enet CONSO
> 9654 ? S 0:00 | \_ bash /usr/bin/run-parts /etc/cron.daily PWD=/
> 31797 ? S 0:00 | | \_ sh /etc/cron.daily/slocate.cron PWD=/ HOS
> 31798 ? R 2:37 | | \_ /usr/bin/slocate -u -f NFS,SMBFS,NCPF
> 9674 ? SW 0:00 | \_ [sendmail]
> 24294 ? SW 0:00 \_ [crond]
> 24296 ? SW 0:00 \_ [run-parts]
> 24314 ? SW 0:00 | \_ [logrotate]
> 24315 ? D 31:19 | \_ /usr/sbin/logrotate /etc/logrotate.co
> 24316 ? SW 0:00 \_ [sendmail]
> 383 ? SW 0:00 [lpd]
> 440 ? SW 0:02 [gpm]
> 454 ? S 0:09 xfs -port -1 -daemon PWD=/ HOSTNAME=sorrento.localnet
> 502 ? S 0:03 /usr/local/sbin/sshd PWD=/ HOSTNAME=sorrento.localnet
> 31381 ? S 0:12 \_ /usr/local/sbin/sshd PWD=/ HOSTNAME=sorrento.loca
> 31824 pts/0 S 0:00 \_ -bash HOME=/home/vin USER=vin LOGNAME=vin PAT
> 31851 pts/0 S 0:00 \_ su PWD=/home/vin XAUTHORITY=/home/vin/.Xa
> 31852 pts/0 S 0:00 \_ bash PWD=/home/vin XAUTHORITY=/home/v
> 32003 pts/0 R 0:00 \_ ps aefxwww PWD=/var/log XAUTHORIT
> 652 ? S 0:16 /usr/local/pkg/psionic/portsentry/portsentry -atcp PW
> 655 ? S 0:00 /usr/local/pkg/psionic/portsentry/portsentry -audp PW
> 657 tty1 S 44:13 perl -w /usr/local/sbin/voicebox tty1 HOME=/ TERM=lin
> 660 tty4 SW 0:00 [mingetty]
> 4163 ? SW 0:00 [inetd]
> 30771 ? S 0:00 /sbin/vgetty ttyS0 HOME=/ TERM=linux BOOT_IMAGE=linux
> 31392 tty2 S 0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linu
> 31823 tty3 S 0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linu
>
> Can anyone see what's going on? Thanks!
>
> ---
> Mark K. Kim
> http://www.cbreak.org/mark/
> PGP key available upon request.
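An added triage script for the symptoms in this thread; it is not code from either post. It runs the checks Bill suggests over constructed copies of the log and ps lines Mark quoted: which interfaces the log says are promiscuous, whether the syslogd restarts come in bursts a few minutes apart, and which cron-spawned processes are sitting in D state with hours of CPU time. It also carries the cross-check behind "you can't trust ps": PIDs present under /proc but missing from ps output. Assumptions: the year is 2001 (syslog lines carry none), the truncated logrotate argument is /etc/logrotate.conf, and the ps TIME column is minutes:seconds as on the old procps shown.

```python
"""Triage helpers for a box that is grinding its disk and logging sniffer warnings.

Added example, not code from the original posts. SAMPLE_LOG and SAMPLE_PS are
constructed to mirror the quoted lines (the logrotate config path is assumed;
the original ps output was cut at 80 columns) so everything runs offline. On a
real host feed the functions /var/log/messages and `ps aefxwww` output instead.
"""
import os
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan  2 18:03:08 sorrento : Security warning : eth0 is in promiscuous mode.
Jan  2 18:03:09 sorrento : A sniffer is probably running on your system.
Jan  2 18:03:12 sorrento : Security warning : eth1 is in promiscuous mode.
Jan  2 18:03:14 sorrento : A sniffer is probably running on your system.
Jan  1 07:13:05 sorrento syslogd 1.3-3: restart.
Jan  1 07:17:08 sorrento syslogd 1.3-3: restart.
Jan  1 07:21:04 sorrento syslogd 1.3-3: restart.
Jan  1 07:26:54 sorrento syslogd 1.3-3: restart.
"""

SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:10 init [3]
  336 ?        S     21:28 syslogd -m 0
 4500 ?        D    733:51 /usr/sbin/logrotate /etc/logrotate.conf
22424 ?        DN    21:55 /usr/bin/msec_find / /home /usr/local
22468 ?        D     92:44 /usr/sbin/logrotate /etc/logrotate.conf
31798 ?        R      2:37 /usr/bin/slocate -u -f NFS,SMBFS,NCPFS
"""

PROMISC_RE = re.compile(r"Security warning : (\S+) is in promiscuous mode")
RESTART_RE = re.compile(r"syslogd [\w.-]+: restart\.")
PS_RE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+)\s+([\d:-]+)\s+(.*)$")


def syslog_time(line, year=2001):
    """Parse the 'Mon dd HH:MM:SS' prefix; syslog omits the year, so one is assumed."""
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def promiscuous_interfaces(log_text):
    """Interfaces reported in promiscuous mode, deduplicated, in first-seen order.
    The message reports the state at the time it was written, so a warning
    dated today means the flag was set today, whatever set it earlier."""
    seen = []
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def syslogd_restart_bursts(log_text, window=timedelta(minutes=10), min_count=3):
    """Runs of syslogd restarts where each follows the previous within `window`.
    Returns (first, last, count) per run. A logger restarting every few
    minutes is a symptom to explain, whether a broken rotation or a HUP loop."""
    stamps = sorted(syslog_time(l) for l in log_text.splitlines() if RESTART_RE.search(l))
    bursts, run = [], []
    for t in stamps:
        if run and t - run[-1] > window:
            if len(run) >= min_count:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_count:
        bursts.append((run[0], run[-1], len(run)))
    return bursts


def cpu_minutes(time_field):
    """ps TIME as minutes. Old procps prints MMM:SS (733:51 is over 12 hours);
    newer builds print [DD-]HH:MM:SS, which is handled too."""
    days = 0
    if "-" in time_field:
        d, time_field = time_field.split("-", 1)
        days = int(d)
    parts = [int(p) for p in time_field.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    h, m, s = parts
    return days * 1440 + h * 60 + m + s / 60


def runaway_processes(ps_text, min_cpu_minutes=60, states="D"):
    """(pid, command, cpu_minutes) for processes whose STAT starts with one of
    `states` (D = uninterruptible sleep, normally disk I/O) and whose CPU time
    is at or above the threshold. Hours of CPU inside logrotate is never normal."""
    found = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue  # header or unparsable line
        pid, stat, cpu, cmd = m.groups()
        if stat[0] in states and cpu_minutes(cpu) >= min_cpu_minutes:
            found.append((int(pid), cmd.split()[0], round(cpu_minutes(cpu))))
    return found


def pids_hidden_from_ps(proc_pids, ps_pids):
    """PIDs visible under /proc but absent from ps output. A trojaned ps hides
    processes; /proc is harder to doctor without a kernel module. Processes
    that exit between the two snapshots show up too, so take the snapshots
    twice before believing a hit."""
    return sorted(set(proc_pids) - set(ps_pids))


def live_pid_sets():
    """Both PID views on a running Linux host (not used by the offline demo).
    On a suspect box run a ps copied from known-good media, not the one installed."""
    import subprocess
    proc = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    return proc, {int(p) for p in out.split()}


if __name__ == "__main__":
    print("promiscuous:", promiscuous_interfaces(SAMPLE_LOG))
    for first, last, n in syslogd_restart_bursts(SAMPLE_LOG):
        print(f"syslogd restarted {n} times between {first:%b %d %H:%M} and {last:%H:%M}")
    for pid, cmd, minutes in runaway_processes(SAMPLE_PS):
        print(f"pid {pid} {cmd} in D state with {minutes} CPU minutes")
```

On the constructed input this reports eth0 and eth1 as promiscuous, one burst of four syslogd restarts between 07:13 and 07:26, and the two logrotate processes at 734 and 93 CPU minutes; msec_find (about 22 minutes) and slocate fall below the default threshold. The /proc comparison is the only check here that does not depend on the output of a binary an intruder could have replaced, which is the point of Bill's caveat.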