TCLUG Archive

Re: [TCLUG:12807] bad day (more details)



The entry about log martians is particularly interesting.  Sounds like
you have something logging bogon (martian) packets - weird packets that
are used in DoS attacks.  Maybe someone was trying to delete the logs to
cover their tracks?

Timothy Wilson wrote:
> 
> Hi everyone,
> 
> I've scanned the logs and wonder if some of you would be able to annotate
> these results. I'm not really sure what all of this means, but I've
> written down what appear to be the highlights/lowlights.
> 
> The problems seem to have started in the wee hours on Sat. morning when
> the log says that the system couldn't locate module lo or eth0. A few
> minutes later I see (thales is the hostname):
> 
> thales named[523]: reloading nameserver
> thales named[523]: Forwarding source address is [0.0.0.0]1836
> thales named[523]: Ready to answer queries
> 
> The same entries appeared approx. 7 min. later.
> 
> Then it looks like the system started having problems with handing out
> DHCP addresses. On Sun. syslogd restarted several times. At about 4 p.m.
> Sun I see:
> 
> thales kernel: lookup_by_inode: ino 63554 not found in GNUstep
> thales kernel: find_fh_dentry: 08:0b, 274438/63554 not found -- need full search
> 
> Then it seems that /proc started having problems with messages like:
> 
> thales kernel: proc_file_unlink: deleting ide/drivers
> thales kernel: remove_proc_entry: ide/drivers busy, count=1
> thales kernel: de_put: deferred delete of drivers
> 
> Then I got versions of the same message for all kinds of /proc entries in
> nfs, fs, eth0, lo, default, all, ipv4, core, vm, kernel, and net. One that
> caught my eye:
> 
> thales kernel: proc_file_unlink: deleting all/log_martians
> thales remove_proc_entry: all/log_martians busy, count=1
> 
> What's a log_martian? After that, the system was pretty much dead. I'd
> love to hear any comments from anyone.
> 
> If it does turn out that my system was cracked, it will be further data to
> support the notion that system security is a full-time job. I inevitably
> get caught with insufficient time to maintain this system adequately.
> 
> -Tim
> 
> --
> Tim Wilson        | Visit Sibley online:         | Check out:
> Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
> W. St. Paul, MN   |                              | http://slashdot.org/
> wilson@visi.com   |   <dtml-var pithy_quote>     | http://linux.com/
> 

-- 
Adam Maloney
Systems Administrator
Internet Exposure, Inc.
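As an added example (not code from the thread or from either poster), here is a small triage script for the kind of syslog lines Tim quoted: it flags /proc sysctl entries such as log_martians being unlinked, entries removed while something still holds them open, and a named reload whose forwarding source is the unbound address. The sample lines are constructed from the post; the timestamps and the per-interface log_martians paths (eth0/lo/default) are assumptions.

```python
import re

# Constructed sample syslog excerpt modelled on the lines quoted in the thread;
# hostname "thales" and the entry names come from the post, timestamps are made up.
SAMPLE_LOG = """\
Mar  4 03:12:01 thales named[523]: reloading nameserver
Mar  4 03:12:01 thales named[523]: Forwarding source address is [0.0.0.0]1836
Mar  4 16:02:11 thales kernel: proc_file_unlink: deleting ide/drivers
Mar  4 16:02:11 thales kernel: remove_proc_entry: ide/drivers busy, count=1
Mar  4 16:02:12 thales kernel: proc_file_unlink: deleting eth0/log_martians
Mar  4 16:02:12 thales kernel: proc_file_unlink: deleting lo/log_martians
Mar  4 16:02:12 thales kernel: proc_file_unlink: deleting default/log_martians
Mar  4 16:02:12 thales kernel: proc_file_unlink: deleting all/log_martians
Mar  4 16:02:12 thales kernel: remove_proc_entry: all/log_martians busy, count=1
"""

UNLINK_RE = re.compile(r"kernel: proc_file_unlink: deleting (\S+)")
BUSY_RE = re.compile(r"remove_proc_entry: (\S+) busy, count=(\d+)")
NAMED_RE = re.compile(r"named\[\d+\]: Forwarding source address is \[0\.0\.0\.0\]")

# sysctl knobs whose disappearance means a logging/filtering control went away
WATCHED = ("log_martians",)
MASS_UNLINK_THRESHOLD = 3  # watched entries lost before we call it a teardown


def analyze(log_text):
    """Return unlinked /proc entries, busy reference counts and alert strings."""
    unlinked, busy, alerts = [], {}, []
    for line in log_text.splitlines():
        if m := UNLINK_RE.search(line):
            unlinked.append(m.group(1))
        elif m := BUSY_RE.search(line):
            busy[m.group(1)] = int(m.group(2))
        elif NAMED_RE.search(line):
            alerts.append("named reloaded with unbound forwarding source 0.0.0.0")
    # an entry is "watched" by its leaf name, e.g. all/log_martians -> log_martians
    lost = [p for p in unlinked if p.rsplit("/", 1)[-1] in WATCHED]
    for p in lost:
        alerts.append(f"logging control removed: {p}")
    if len(lost) >= MASS_UNLINK_THRESHOLD:
        alerts.append(f"{len(lost)} watched /proc entries removed: treat as teardown")
    for p, n in busy.items():
        if n > 0:  # removed while a reader still held it open (deferred delete)
            alerts.append(f"{p} removed while still open (count={n})")
    return {"unlinked": unlinked, "busy": busy, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Run it over a real /var/log/messages instead of SAMPLE_LOG to see whether the martian-logging knobs vanished before the box went quiet.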