LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 03-12-2002, 10:16 PM   #1
gabadoo
LQ Newbie
 
Registered: Jan 2002
Posts: 8

Rep: Reputation: 0
Server Unexpectedly died (was i hacked?)


Hello, my webserver died the other nite and now it wont reboot. I used the redhat 7.2 rescue option to mount sysimage. I was able to get a prompt and reviewed the logs and heres what i encountered.

Mar 11 17:46:07 webe kernel: hostname uses obsolete (pf_inet,sock_packet)
Mar 11 17:46:07 webe kernel: device entered promiscuous mode
Mar 11 17:46:07 modprobe: Cant locate module ppp0
Mar 11 17:50:30 webe kdm[28148]: Server unexpectedly died
Mar 11 17:55:22 webe ftpd[28272]: FTP session closed
Mar 11 17:55:22 webe telnetd[28273]: ttloop: peer died: EOF
Mar 11 17:55:23 webe xinetd[28276]: warning cant get client adddress: transport endpoint is not connected

Mar 11 22:11:00 webe modprobe: modprobe: cant locate module binfmt-464c
Mar 11 22:11:01 webe last message repeated 5 times
Mar 11 22:11:01 webe syslogd 1.4.1:restart
Mar 11 22:11:01 webe modprobe: modprobe: cant locate module binfmt-464c
Mar 11 22:28:06 webe last message repeated 20 times

repeats until this:

mar 12 02:43:18 webe kernel: VFS: file-max limit 8192 reached
mar 12 04:02:00 webe syslogd 1.4.1:restart

Well im assuming this is pertinent info into why my machine wont reboot. Was i hacked or something, or did something just go wrong. Im a newb and im amazed i got this far in trouble shooting what went wrong. Anyhelp would be greatly appreciated cause i have no idea what to do now. Ty

Gabriel
 
Old 03-12-2002, 11:31 PM   #2
gabadoo
LQ Newbie
 
Registered: Jan 2002
Posts: 8

Original Poster
Rep: Reputation: 0
errors on bootup

Here are the errors i get when i bootup in failsafe:

init: entering runlevel:5
updating /etc/fstab execvp No such file or directory [FAILED]

checking for new hadware/etc/rc5.d/so5kudzu: /usr/sbin/kudzu: no such file or directory [FAILED]


couch: creating `var/lock/subsys/kudzu` : no such file or directory

Setting network parameters [OK]



bringing up interface lo_


and it just hangs from here???

any ideas? ty for any replies

GAbriel
 
Old 03-13-2002, 01:33 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
pf_inet,sock_packet: IMO your libpcap is old. upgrade.
promiscuous mode: either your network device has been brought up with the promiscuous flag, meaning it would listen to all traffic passing by, or an app has been started that usually is a sniffer of some kind (to grab passwords etc)
module ppp0: if you havent got it enter "alias ppp0 off" in /etc/conf.modules
kdm: dunno
ftpd: this doesn't show anything. get the ftpd's log.
telnetd: you should be punished for running a telnet daemon on a networked box. oops. you already have been...
ttloop: peer died: this could hold a clue. maybe a line close by holds an IP address?
transport endpoint: might be older xinetd package IPv6 bug, if yes, upgrade, if no, I dunno.
module binfmt-464c: this is your basic ELF format binary module. could be corrupt binary requesting modprobe to load module (which is usually built into kernel)
/etc/fstab: if fstab is not there its corrupted, and that's bad.
/usr/sbin/kudzu: if this is installed and not there thats weird.
var/lock/subsys/kudzu: same here.

keep the box off the net.
If you use snort/scandetd/portsentry/else, parse its logs upto the crash for clues.
If you use Aide or Tripwire, use it to check file integrity. If you don't use em try issuing "rpm -Va 2>&1 > rpm-installed.log" which would check all rpm's for changed/missing parts against it's own database. Check the results against the attributes mentioned here. If you suspect your rpm database is fu'ed, and you didn't install a file integrity checker like Aide, Tripwire or alike, try downloading chkrootkit (from chkrootkit.org) to be able to check for known signs of rootkits.

If this doesn't work/show up anomalies and fsck'ing the partitions doesn't either, reinstall the packages and focus on securing your box before brining it online again.

HTH somehow.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PPPd daemon died unexpectedly muia mark Linux - Newbie 2 01-28-2005 06:33 PM
ppp died unexpectedly <Rockman> Linux - Networking 2 01-07-2003 09:05 PM
PPP daemon died unexpectedly mandrake_linux Linux - Networking 2 04-21-2001 05:36 PM
PPP Daemon died unexpectedly mandrake_linux Linux - Newbie 0 04-07-2001 11:28 AM
PPP Daemon died unexpectedly mandrake_linux Linux - Networking 1 04-04-2001 07:30 AM


All times are GMT -5. The time now is 06:00 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration