LinuxQuestions.org

Slackware forum thread: nmap makes syslog run amok (http://www.linuxquestions.org/questions/slackware-14/nmap-makes-syslog-run-amok-472467/)

rigelan 08-09-2006 07:59 PM

nmap makes syslog run amok
 
I really have no information about this problem. It also only happened once, and I am hesitant to try it again.

I have my slack machine on a local network with a windows xp machine.

Using nmap 4.10, I attempted to probe the windows machine on the windows machine. Then suddenly an inetd daemon appeared in my process list; it wrapped the process IDs rather quickly. It would have 5300, then in a second perhaps 6700, then on and on until it wrapped at around 64000.

Meanwhile my syslog was growing at a huge rate. It grew at about 1 megabyte per second. To stop it I went down to init 1. But I also deleted it because I didn't want it causing too many problems.

What is the usual cause behind a growing syslog like that?

Does it seem like an nmap problem or something different?

gilead 08-10-2006 01:22 PM

I'm just guessing since I haven't seen your syslog files, but if your firewall rules do a lot of blocking and a lot of logging, then that could be it. The setup on one of my boxes is default DROP for INPUT, FORWARD and OUTPUT - I see a lot of entries in the log if I run tools like nmap on it, but not as much as 1MB/sec.

Can you try it again and post some of the log here?

rigelan 08-11-2006 08:00 AM

I'll have some free time tonight and will see if I can get nmap to ramp itself up again. This is actually the second time it has happened, but not with the nmap program: I was experimenting with AVG antivirus software for Linux, and it did it (brought up a second inetd daemon). So I'll see if I can rouse up some log files and make this request a bit more specific.

rigelan 08-19-2006 12:25 AM

I found the error. I guess there were copies in my syslog that I didn't delete. It caused my syslog to write this error about a million times (maybe less):

Code:

localhost inetd[4577]: /usr/sbin/in.identd: exit status 0x1
localhost inetd[6455]: execv /usr/sbin/in.identd: No such file or directory

It repeated these two lines for ports 6455 - 32767, incrementing by one each.

I believe the 4577 was my out-port and the others were the in-port on the other computer I was testing.

It basically added 4 megabytes to my syslog in a few seconds because it cannot find a file?
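The two lines above are the signature of a forking daemon that fails on every connection: inetd logs one pair per child, so the number in brackets climbs with each attempt. The following is an added example, not code from the thread, that groups such a burst by program and normalised message and reports the PID span each group covers. The sample lines are constructed in the shape of the poster's two entries (the volume, the constant parent PID 4577 and the extra sshd line are assumptions for the demo).

```python
"""Summarise a syslog burst by daemon and message so a runaway service
(like the inetd/in.identd loop in the thread) stands out.

Added example; the log lines below are constructed, not the poster's file."""
import re
from collections import Counter

# Classic syslog body: "<host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)


def normalise(msg: str) -> str:
    """Collapse variable fields (hex codes, decimals) so identical failures group."""
    msg = re.sub(r"0x[0-9a-fA-F]+", "0xN", msg)
    return re.sub(r"\b\d+\b", "N", msg)


def parse(line: str):
    """Return the matched fields as a dict, or None for lines without a [pid]."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines, threshold=100):
    """Count (program, normalised message) pairs; return those at or above
    threshold together with the lowest and highest PID seen for each, which
    shows how fast the daemon was forking."""
    counts = Counter()
    pids = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["prog"], normalise(rec["msg"]))
        counts[key] += 1
        pid = int(rec["pid"])
        lo, hi = pids.get(key, (pid, pid))
        pids[key] = (min(lo, pid), max(hi, pid))
    return [
        {"program": prog, "message": msg, "count": n, "pid_range": pids[(prog, msg)]}
        for (prog, msg), n in counts.most_common()
        if n >= threshold
    ]


def make_sample(first_child=6455, children=500):
    """Constructed sample: one parseable unrelated line, then the poster's two
    messages repeated once per spawned child, the child PID incrementing."""
    lines = ["localhost sshd[1234]: Accepted publickey for user from 192.0.2.10"]
    for pid in range(first_child, first_child + children):
        lines.append(
            f"localhost inetd[{pid}]: execv /usr/sbin/in.identd: No such file or directory"
        )
        lines.append("localhost inetd[4577]: /usr/sbin/in.identd: exit status 0x1")
    return lines


if __name__ == "__main__":
    for entry in summarise(make_sample()):
        print(f"{entry['count']:>6}  {entry['program']}  pids {entry['pid_range']}  {entry['message']}")
```

The PID span is the useful part: a child PID range of several hundred or thousand within one burst means inetd is spawning (and losing) a child per incoming connection, which is what a port scan of the ident service produces when the server binary is absent.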

rigelan 08-19-2006 12:34 AM

I found out that file is in the pidentd package from Slackware. So I'll install it and see if I can get nmap to ramp up the syslog again.
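The root cause found in this thread is an inetd.conf entry whose server program is not installed, so every connection costs a fork, a failed execv and two log lines. As an added example (not from the thread or from any Slackware package), the following checks an inetd.conf for exactly that condition. The config text is constructed; the `exists` hook is a hypothetical parameter so the check can be run against a fake filesystem in a test as well as the real one; the assumption that a bare program name after `tcpd` lives in tcpd's own directory mirrors tcpd's default real-daemon directory but is stated here as an assumption.

```python
"""Report inetd.conf services whose server program is missing.

Added example (not the project's code). SAMPLE_CONF is constructed."""
import os

# Constructed sample in inetd.conf layout (not the poster's file).
SAMPLE_CONF = """\
# service  socket  proto  wait    user  server               args
ftp        stream  tcp    nowait  root  /usr/sbin/tcpd       proftpd
auth       stream  tcp    wait    root  /usr/sbin/in.identd  in.identd -t60 -e -o
time       stream  tcp    nowait  root  internal
daytime    stream  tcp    nowait  root  internal
"""

# Constructed fake filesystem for the demo: tcpd and proftpd present, identd absent.
FAKE_FS = {"/usr/sbin/tcpd", "/usr/sbin/proftpd"}


def parse_inetd_conf(text):
    """Yield (service, program_path) for each active entry.

    Fields: service socket proto wait user server [args...]. Comments and blank
    lines are skipped, as are 'internal' services, which inetd serves itself.
    When the server is tcpd, the real program is the first argument; a bare
    name is assumed to live in tcpd's directory (assumption for this example)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, server = fields[0], fields[5]
        if server == "internal":
            continue
        if os.path.basename(server) == "tcpd" and len(fields) > 6:
            prog = fields[6]
            if "/" not in prog:
                prog = os.path.join(os.path.dirname(server), prog)
            yield service, prog
        else:
            yield service, server


def find_missing_servers(text, exists=os.path.exists):
    """Return [(service, path)] for entries whose program does not exist."""
    return [(svc, path) for svc, path in parse_inetd_conf(text) if not exists(path)]


if __name__ == "__main__":
    for svc, path in find_missing_servers(SAMPLE_CONF, exists=FAKE_FS.__contains__):
        print(f"{svc}: server {path} not found; inetd will fail execv on every connection")
```

Run against the real file with `find_missing_servers(open("/etc/inetd.conf").read())`. Any entry it reports is a service that is advertised on the network but cannot be served, so each probe to it becomes a pair of error lines in syslog; commenting the line out or installing the package (pidentd, in the poster's case) removes the flood.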


All times are GMT -5.