LinuxQuestions.org
Old 07-28-2005, 09:21 PM   #1
M$ISBS
Member
 
Registered: Aug 2003
Posts: 820

Rep: Reputation: 30
Getting lots of strange messages during reboot and in my syslog?


Here is some of the stuff I have been getting when I reboot. It has increased in size in the last week or so. Does anyone know what this is? I have no idea and feel insecure about this. The kernel bug thing I see all the time, though. Thanks for any help.

Jul 28 18:55:38 rick kdm_greet[4272]: Can't open default user face
Jul 28 18:55:42 rick dhcpcd[4045]: timed out waiting for a valid DHCP server response
Jul 28 18:55:59 rick kernel: ------------[ cut here ]------------
Jul 28 18:55:59 rick kdm[4230]: X server for display :0 terminated unexpectedly
Jul 28 18:55:59 rick kernel: kernel BUG at mm/rmap.c:483!
Jul 28 18:55:59 rick kernel: invalid operand: 0000 [#1]
Jul 28 18:55:59 rick kernel: Modules linked in: ipv6 snd_pcm_oss snd_mixer_oss intel_mch_agp intel_agp ehci_hcd usbcore snd_intel8x0 snd_ac97_codec snd_pcm snd_timer snd soundcore snd_page_alloc nvidia evdev ide_scsi 8139too mii agpgart plip parport apm
Jul 28 18:55:59 rick kernel: CPU: 0
Jul 28 18:55:59 rick kernel: EIP: 0060:[<c013e0c8>] Tainted: P VLI
Jul 28 18:55:59 rick kernel: EFLAGS: 00013286 (2.6.10)
Jul 28 18:55:59 rick kernel: EIP is at page_remove_rmap+0x28/0x40
Jul 28 18:55:59 rick kernel: eax: ffffffff ebx: 00151000 ecx: c127af60 edx: c127af60
Jul 28 18:55:59 rick kernel: esi: d8277664 edi: c127af60 ebp: 00350000 esp: d95d5d9c
Jul 28 18:55:59 rick kernel: ds: 007b es: 007b ss: 0068
Jul 28 18:55:59 rick kernel: Process X (pid: 4248, threadinfo=d95d4000 task=df0bf580)
Jul 28 18:55:59 rick kernel: Stack: c0137ea9 c127af60 00000001 00000065 c14db500 13d7b067 08848000 dea4d088
Jul 28 18:55:59 rick kernel: 08798000 00000000 c0138023 c044d650 dea4d084 08448000 00350000 00000000
Jul 28 18:55:59 rick kernel: c044d650 08448000 dea4d088 08798000 00000000 c0138093 c044d650 dea4d084
Jul 28 18:55:59 rick kernel: Call Trace:
Jul 28 18:55:59 rick kernel: [<c0137ea9>] zap_pte_range+0x139/0x250
Jul 28 18:55:59 rick kernel: [<c0138023>] zap_pmd_range+0x63/0x80
Jul 28 18:55:59 rick kernel: [<c0138093>] unmap_page_range+0x53/0x80
Jul 28 18:55:59 rick kernel: [<c01381c6>] unmap_vmas+0x106/0x1c0
Jul 28 18:55:59 rick kernel: [<c013c482>] exit_mmap+0x72/0x140
Jul 28 18:55:59 rick kernel: [<c010f41f>] mmput+0x2f/0x80
Jul 28 18:55:59 rick kernel: [<c011326f>] do_exit+0x13f/0x390
Jul 28 18:55:59 rick kernel: [<c0113533>] do_group_exit+0x33/0x70
Jul 28 18:55:59 rick kernel: [<c011bb49>] get_signal_to_deliver+0x1e9/0x2d0
Jul 28 18:55:59 rick kernel: [<c01022db>] do_signal+0x9b/0x130
Jul 28 18:55:59 rick kernel: [<c011adf8>] kill_proc_info+0x38/0x40
Jul 28 18:55:59 rick kernel: [<c0153645>] path_release+0x15/0x50
Jul 28 18:55:59 rick kernel: [<c0153645>] path_release+0x15/0x50
Jul 28 18:55:59 rick kernel: [<c0146449>] sys_chown+0x59/0x60
Jul 28 18:55:59 rick kernel: [<c011bca8>] sigprocmask+0x48/0xc0
Jul 28 18:55:59 rick kernel: [<c011bda6>] sys_rt_sigprocmask+0x86/0xf0
Jul 28 18:55:59 rick kernel: [<c01023a7>] do_notify_resume+0x37/0x3c
Jul 28 18:55:59 rick kernel: [<c01024ee>] work_notifysig+0x13/0x15
Jul 28 18:55:59 rick kernel: Code: 74 26 00 8b 54 24 04 8b 02 f6 c4 08 75 27 83 42 08 ff 0f 98 c0 84 c0 74 11 8b 42 08 40 78 0c 9c 58 fa ff 0d d0 56 45 c0 50 9d c3 <0f> 0b e3 01 f8 2b 35 c0 eb ea 0f 0b e0 01 f8 2b 35 c0 eb cf 8d
Jul 28 18:55:59 rick kernel: <7>eth0: no IPv6 routers present
Jul 28 18:56:01 rick kdm: :0[4454]: Can't execute "/opt/kde/share/config/kdm/Xsetup": No such file ordirectory
Jul 28 18:56:01 rick kdm_greet[4452]: Can't open default user face
Jul 28 18:56:08 rick dhcpcd[4334]: timed out waiting for a valid DHCP server response
Jul 28 18:56:28 rick dhcpcd[4557]: timed out waiting for a valid DHCP server response
Jul 28 18:56:48 rick kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jul 28 18:56:48 rick kernel: ip_conntrack version 2.1 (4093 buckets, 32744 max) - 300 bytes per conntrack
Jul 28 18:57:21 rick kernel: DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=32 ID=53477 DF PROTO=UDP SPT=67 DPT=68 LEN=556
Jul 28 18:57:21 rick dhcpcd[4965]: DHCP_NAK server response received
Jul 28 18:57:22 rick kernel: DROPPED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=29774 SEQ=0
Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1077 SEQ=2668782600 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1078 SEQ=2667430539 ACK=0 WINDOW=0 RES=0x00 RST URGP=0

Old 07-29-2005, 02:31 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Which portion are you unsure of? The kernel oops output or the iptables log messages?
 
Old 07-29-2005, 09:30 PM   #3
M$ISBS
Member
 
Registered: Aug 2003
Posts: 820

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Capt_Caveman
Which portion are you unsure of? The kernel oops output or the iptables log messages?
This:

Jul 28 18:57:21 rick kernel: DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=32 ID=53477 DF PROTO=UDP SPT=67 DPT=68 LEN=556
Jul 28 18:57:21 rick dhcpcd[4965]: DHCP_NAK server response received
Jul 28 18:57:22 rick kernel: DROPPED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=29774 SEQ=0
Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1077 SEQ=2668782600 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1078 SEQ=2667430539 ACK=0 WINDOW=0 RES=0x00 RST URGP=0

And this:

Jul 28 18:55:59 rick kernel: 08798000 00000000 c0138023 c044d650 dea4d084 08448000 00350000 00000000
Jul 28 18:55:59 rick kernel: c044d650 08448000 dea4d088 08798000 00000000 c0138093 c044d650 dea4d084
 
Old 07-29-2005, 10:46 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Ok, it looks like you have 3 things going on in the log: A) messages from a kernel error (oops/bug), including all of the info for debugging like the process name, the values in each of the stack pointers, and a stack dump; B) DHCP/BOOTP messages; and C) several packets dropped and logged by iptables.

A)
Jul 28 18:55:59 rick kernel: 08798000 00000000 c0138023 c044d650 dea4d084 08448000 00350000 00000000
Jul 28 18:55:59 rick kernel: c044d650 08448000 dea4d088 08798000 00000000 c0138093 c044d650 dea4d084

I believe that's just the stack dump associated with the kernel oops (bug) message.

B)
Jul 28 18:57:21 rick dhcpcd[4965]: DHCP_NAK server response received
DHCP_NAK is a negative acknowledgement message that's issued by a DHCP/BOOTP server in order to restart the DHCP discovery process. So likely your system was trying to grab an IP address from your DHCP server, but the lease had expired and the DHCP server asked it to renegotiate a new lease.

C) The final portion of your log msgs are a number of packets logged by iptables. You'll need to determine what each system is according to the IP addresses and MAC addresses in each message.
Jul 28 18:57:22 rick kernel: DROPPED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=29774 SEQ=0
This is an ICMP-Reply packet sent from 192.168.2.1 to 192.168.2.2 that was logged and dropped for some reason. I'm guessing that it's your router, so you might want to consider fine-tuning your firewall rules to allow it.

Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1077 SEQ=2668782600 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1078 SEQ=2667430539 ACK=0 WINDOW=0 RES=0x00 RST URGP=0

I'm not sure what firewall you're using, so it's hard to tell what the "ABORTED" log message is supposed to mean, but I'm guessing that if you're using guarddog or something related, it means an aborted connection attempt. These are usually associated with "half-open" port-scan probes, but can also be false positives due to a webserver trying to quickly tear down a TCP connection. The source port is 80, so that suggests you were connected to the webserver at that IP.

--EDIT--

Forgot one:

Jul 28 18:57:21 rick kernel: DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=32 ID=53477 DF PROTO=UDP SPT=67 DPT=68 LEN=556
This is a broadcast packet sent to all hosts on your LAN from 192.168.2.1 (your router?) that was logged and dropped for some reason. It's a BOOTP message which is used for acquiring IP addresses. Again you may want to fine tune your rules so that you aren't dropping these.

Last edited by Capt_Caveman; 07-29-2005 at 10:53 PM.
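A small parser for the netfilter LOG line format that the reply above walks through, added here as an example (it is not code from the thread or from guarddog). It runs on the three log lines quoted in this post, splits the 14-octet MAC= field into destination MAC, source MAC and ethertype, collects the bare flag tokens (DF, RST, ...), and labels each packet the way the reply does: BOOTP server reply, ICMP by type, TCP reset from port 80.

```python
import re

# Sample input: the three netfilter LOG lines quoted in the thread, copied verbatim.
SAMPLE_LOG = """\
Jul 28 18:57:21 rick kernel: DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=32 ID=53477 DF PROTO=UDP SPT=67 DPT=68 LEN=556
Jul 28 18:57:22 rick kernel: DROPPED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=192.168.2.1 DST=192.168.2.2 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=29774 SEQ=0
Jul 28 18:59:34 rick kernel: ABORTED IN=eth0 OUT= MAC=00:50:bf:93:af:6d:00:04:e2:18:27:7e:08:00 SRC=69.88.145.11 DST=192.168.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1077 SEQ=2668782600 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
"""

FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # tokens logged without a value

def parse_line(line):
    """Split one netfilter LOG line into its prefix, KEY=VALUE fields and flags."""
    m = re.search(r"kernel: (?P<prefix>\S+) (?P<rest>IN=.*)$", line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)   # first LEN=/ID= belongs to the IP header
        elif tok in FLAGS:
            rec["flags"].add(tok)
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:              # dst MAC (6) + src MAC (6) + ethertype (2)
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:])
    return rec

def classify(rec):
    """Name the traffic the way the reply above walks through each line."""
    proto = rec.get("PROTO")
    if proto == "UDP" and rec.get("SPT") == "67" and rec.get("DPT") == "68":
        bcast = rec.get("DST") == "255.255.255.255"
        return "DHCP/BOOTP server reply" + (" (broadcast)" if bcast else "")
    if proto == "ICMP":
        names = {"8": "ICMP echo request", "0": "ICMP echo reply"}
        return names.get(rec.get("TYPE"), "ICMP type " + rec.get("TYPE", "?"))
    if proto == "TCP" and "RST" in rec["flags"]:
        return "TCP reset from port %s (remote end tore the connection down)" % rec.get("SPT", "?")
    return proto or "unknown"

def summarize(log_text):
    rows = []   # (prefix, src, dst, description) for every netfilter line
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            rows.append((rec["prefix"], rec["SRC"], rec["DST"], classify(rec)))
    return rows
```

Calling `summarize(SAMPLE_LOG)` returns one tuple per line, so the same function can be pointed at a full /var/log/messages to see which log prefixes and peers dominate before loosening any rules.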
 
Old 07-30-2005, 04:13 PM   #5
M$ISBS
Member
 
Registered: Aug 2003
Posts: 820

Original Poster
Rep: Reputation: 30
Yea, I am using guarddog and only have what is absolutely necessary to get online checked, and yea, that is my router that is referred to several times.
So basically it's nothing to be worried about? It's just some scattered info about dropped packets and such? Thanks.
 
Old 07-30-2005, 05:28 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Doesn't look like anything malicious. You may want to turn off the "Log Aborted Connections" feature in guarddog and open port 68/ICMP to the router in order to avoid excessive logging. You may also want to track down the origin of the kernel bug.
 
Old 07-30-2005, 10:33 PM   #7
M$ISBS
Member
 
Registered: Aug 2003
Posts: 820

Original Poster
Rep: Reputation: 30
Thanks, I turned off log aborted connections but don't know how to do the other suggestions, but if it's nothing malicious and it's just logging extra stuff then I guess it's not a big deal. Thanks.