TCLUG Archive

bad day (more details)



Hi everyone,

I've scanned the logs and wonder if some of you would be able to annotate
these results. I'm not really sure what all of this means, but I've
written down what appear to be the highlights/lowlights.

The problems seem to have started in the wee hours on Sat. morning when
the log says that the system couldn't locate module lo or eth0. A few
minutes later I see (thales is the hostname):

thales named[523]: reloading nameserver
thales named[523]: Forwarding source address is [0.0.0.0]1836
thales named[523]: Ready to answer queries

The same entries appeared approx. 7 min. later.

Then it looks like the system started having problems with handing out
DHCP addresses. On Sun. syslogd restarted several times. At about 4 p.m.
Sun I see:

thales kernel: lookup_by_inode: ino 63554 not found in GNUstep
thales kernel: find_fh_dentry: 08:0b, 274438/63554 not found -- need full search

Then it seems that /proc started having problems with messages like:

thales kernel: proc_file_unlink: deleting ide/drivers
thales kernel: remove_proc_entry: ide/drivers busy, count=1
thales kernel: de_put: deferred delete of drivers

Then I got versions of the same message for all kinds of /proc entries in
nfs, fs, eth0, lo, default, all, ipv4, core, vm, kernel, and net. One that
caught my eye:

thales kernel: proc_file_unlink: deleting all/log_martians
thales remove_proc_entry: all/log_martians busy, count=1

What's a log_martian? After that, the system was pretty much dead. I'd
love to hear any comments from anyone.

If it does turn out that my system was cracked, it will be further data to
support the notion that system security is a full-time job. I inevitably
get caught with insufficient time to maintain this system adequately.

-Tim

--
Tim Wilson        | Visit Sibley online:         | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN   |                              | http://slashdot.org/
wilson@visi.com   |   <dtml-var pithy_quote>     | http://linux.com/