LUGOD: Linux Users' Group of Davis
 
Page last updated:
2001 Dec 30 17:12

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] /var/log/messages question

You running that older copy of PROFTP with the remote exploit? What
version of kernel are you running? What NIC? What version of Apache? What
modules is Apache using (only the standard ones, or "extra" modules too?)?
You running inetd? You still running telnet? You still running ftp? (Which
one?) Have you looked through your served FTP directories for hidden files
and/or files with unprintable characters? Are there some? Any cool stuff
in them? Are you logging to an external server that runs no other services
except a logger? What did it say just before "the end"? What ports are
open according to netstat? When a portscan of your own box from a
"trusted" client scans your ports, do they match, or are "extra
ports" listed? (A port showing up in netstat, but not in a portscan, is not
as bad as a port showing up in a portscan, but not in netstat. ]:> )

How long has it been up? Is this something new? Ever happened
before? Anything change between the times that it did not happen and
now? (Drivers/hardware added?) Ever had issues with autosensing
10/100Mbps, or media type with the NIC?

I would look at your ftp dirs, see what is in them (special files,
weird names, unprintable characters in filenames, hidden directories, etc.,
just in case).

Also, look over /var/log/daemon and the other logs. Odd kernel
messages? Odd debug messages from other services?

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
     Systems Department Operating Systems Analyst for the SSU Library

On Sat, 6 Oct 2001, William Kendrick wrote:
> My colo box stopped responding this morning.  Thankfully, my ISP (Sonic.net)
> got an automated page, went into the server room, and called me asking if
> they should hit the reboot button, to which I said "can't ping it? sure,
> reboot!"
> 
> Anyway, I looked over the Apache logs to see if there was anything
> particularly interesting, which there wasn't.  Just a gap in time
> between when the server stopped responding and when it finished rebooting.
> 
> Looking at /var/log/messages, though, at about the time of the 'crash'
> (or whatever it was that happened), I'm seeing these, which are unfamiliar
> to me (not that I know much about /var/log/messages to begin with :) )
> 
> Oct  6 08:26:02 plink kernel:   Rx ring a020f028:  80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000
> Oct  6 08:26:02 plink kernel:   Tx ring a020f128:  7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00
> Oct  6 08:26:05 plink kernel:   Rx ring a020f028:  80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000
> Oct  6 08:26:05 plink kernel:   Tx ring a020f128:  7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00
> Oct  6 08:26:07 plink kernel:   Rx ring a020f028:  80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000 80000000
> Oct  6 08:26:07 plink kernel:   Tx ring a020f128:  7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00 7fffbc00
> 
> 
> Any idea what these are about?
> 
> 
> They continue until 8:54, then I only see a few of these every 15 minutes:
> 
>   Oct  6 10:00:05 plink telnetd[25738]: ttloop:  read: Broken pipe 
> 
> (I see a lot of them earlier up in /var/log/messages, and they, too, are
> about 15mins apart from each other.  But, I guess that's a completely
> different question I'll need to ask :) )
> 
> Anyway, then at 10:32, the machine got rebooted.
> 
> 
> (Note: Looks like the box's clock is ahead of itself by 1/2 hr.  D'oh!)
> 
> 
> 
> -bill!
> (who is seeing a correlation between those 15-min-apart telnetd messages in
> /var/log/messages, and a bunch of telnetd and proftpd connection refusals
> in /var/log/secure ... interesting)
> 
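The two checks the reply asks for, "does netstat agree with a port scan from a trusted client?" and "is anything hiding in the FTP tree?", written out as a small POSIX sh script. This is an added example, not code from either poster. It assumes `netstat -an` style output (local address as host:port, state in the last column) and an nmap-style "PORT/tcp open" report; both inputs, the sample FTP tree and the script name `portcheck.sh` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the checks suggested in the reply above; not code from
# the original post. Assumptions: `netstat -an` style output (Local Address
# as host:port, state in the last column) and nmap-style "PORT/tcp open"
# lines. All inputs below are constructed for the demonstration.

# netstat_listen_ports: read `netstat -an` output on stdin, print the TCP
# ports the host itself believes are listening, one per line, sorted.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
        | sort -n | uniq
}

# scan_open_ports: read a port scanner report on stdin, print the TCP ports
# the trusted client saw as open, one per line, sorted.
scan_open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' \
        | sort -n | uniq
}

# compare_ports NETSTAT_FILE SCAN_FILE
# One line per discrepancy. "scan-only" is the alarming case: something
# answers on the wire that the host's own tools do not report (a hidden
# listener, or a netstat that has been replaced). "netstat-only" usually
# means a loopback-only or firewalled service and is the milder case.
compare_ports() {
    {
        netstat_listen_ports < "$1" | sed 's/^/N /'
        scan_open_ports < "$2" | sed 's/^/S /'
    } | awk '
        $1 == "N" { ns[$2] = 1 }
        $1 == "S" { sc[$2] = 1 }
        END {
            for (p in sc) if (!(p in ns)) print "scan-only " p
            for (p in ns) if (!(p in sc)) print "netstat-only " p
        }' | sort
}

# list_suspicious_names DIR
# Print every entry under DIR whose name is a dot-name, contains whitespace,
# or contains a control character, with unprintable bytes rendered by cat -v
# (e.g. ^A). These are the names that hide from a casual `ls`.
list_suspicious_names() {
    find "$1" ! -path "$1" \
        \( -name '.*' -o -name '*[[:space:]]*' -o -name '*[[:cntrl:]]*' \) \
        -print | cat -v | sort
}

# make_sample_inputs DIR: write constructed netstat and scanner output.
make_sample_inputs() {
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:113           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
EOF
    cat > "$1/scan.txt" <<'EOF'
Nmap scan report for plink (10.0.0.5)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
80/tcp    open  http
31337/tcp open  unknown
EOF
}

# make_sample_ftp_tree DIR: a constructed FTP tree with three hidden-ish names.
make_sample_ftp_tree() {
    mkdir -p "$1/pub/incoming/.hidden"
    : > "$1/pub/README"
    : > "$1/pub/incoming/.. "                    # "dot dot space" mimics the parent entry
    : > "$1/pub/incoming/warez$(printf '\001')"  # control byte hides in most listings
}

# Demo run against the constructed inputs:  sh portcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_inputs "$d"; make_sample_ftp_tree "$d/ftp"
    echo "== port discrepancies"; compare_ports "$d/netstat.txt" "$d/scan.txt"
    echo "== suspicious names";   list_suspicious_names "$d/ftp"
    rm -rf "$d"
fi
```

On the constructed inputs the port comparison reports `netstat-only 113` (identd bound to loopback, which the remote scan cannot see) and `scan-only 31337` (a listener the host does not admit to), and the name sweep lists `.. `, `.hidden` and `warez^A` while passing over `README`. Run the real thing with `netstat -an > netstat.txt` on the box and the scanner output from the trusted client saved as `scan.txt`; the scan has to come from another machine, since a rootkit that hides a port from netstat can hide it from a local scan just as easily.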



LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617