Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-27-2004, 09:25 AM  #1
LQ Newbie
Registered: Oct 2004
Location: Sofia, Bulgaria
Distribution: Slackware, FreeBSD
Posts: 11
Slackware 10.0 random shutdown
Hi all,
I am running the following:
Slackware 10.0.0
Kernel: 2.4.26
Apache:2.0.52
PHP: php-4.3.9
I am also running Sendmail, MySQL and sshd, which are new and patched (1 week old).
Previously, the system was attacked, so I reformatted and reinstalled everything.
This week a strange thing happened twice. The system shut itself down. It is a co-location machine. I called the ISP guys and they told me the machine was off.
I examined all logs (syslog, messages, last) and found nothing suspicious, except there are some strange records in the Apache log at both shutdowns.
I am sending a sample - I mean the strange ^@ signs, where the shutdown occurs. This is from the first time:
212.50.16.97 - - [24/Oct/2004:06:04:43 +0300] "GET /bex/rotate.php?siteid=44 h**p/1.1" 200 340 "h**p://forum.esh
212.50.16.97 - - [24/Oct/2004:06:04:43 +0300] "GET /bex/rotate.php?siteid=45 h**p/1.1" 200 342 "h**p://forum.esh
66.196.90.38 - - [24/Oct/2004:06:04:59 +0300] "GET /bex/presentation/BeX_files/slide0006.htm h**p/1.0" 200 9323
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@
213.222.61.3 - - [24/Oct/2004:10:24:58 +0300] "GET /affiliate/images/see.gif h**p/1.0" 200 1233 "h**p://free.hit
213.222.61.3 - - [24/Oct/2004:10:24:58 +0300] "GET /affiliate/images/space2.gif h**p/1.0" 200 58 "h**p://free.hi
And here is from the second freeze:
213.16.35.130 - - [27/Oct/2004:13:17:10 +0300] "GET /eshop3/groups/clipart17la/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101@ * Jh**p://ppp.bubko.info/login.php?PHPSESSID=5cf2dce9c2270933c3524bf1e6fd2ceb §<ôŰ ? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101e ' Jh**p://ppp.bubko.info/login.php?PHPSESSID=5cf2dce9c2270933c3524bf1e6fd2ceb <őŰ ? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <öŰ ? 2Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
213.222.60.17 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex }<÷Ű #? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101@ * h**p://ppp.bubko.info/cpanel.php }<řŰ #? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101e ' h**p://ppp.bubko.info/cpanel.php <ůŰ $? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <úŰ +? 6Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt) 80.97.148.8e C 9h**p://ppp.edemarts.com/list.php?dbpos=6§ion=3&type=1 }<űŰ 3? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101G * h**p://ppp.bubko.info/search.php }<üŰ 3? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101e ' h**p://ppp.bubko.info/search.php <ýŰ 3? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <ţŰ >? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101A * žh**p://ppp.bubko.info/search_result.php?user=&fromage=&toage=&smoke=&town=&country=&aim=%CD%E5%E0%ED%E3%E0%E6%E8%F0%E0%F9% E0&search=%CC%FA%E6&sex=%C6%E5%ED%E0&pic=on&login=%D2%FA%F0%F1%E8%21 <˙Ű >? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101e ' žh**p://ppp.bubko.info/search_result.php?user=&fromage=&toage=&smoke=&town=&country=&aim=%CD%E5%E0%ED%E3%E0%E6%E8%F0%E0%F9% E0&search=%CC%FA%E6&sex=%C6%E5%ED%E0&pic=on&login=%D2%FA%F0%F1%E8%21 < Ü >? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <Ü A? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101@ * .h**p://ppp.bubko.info/userView.php?userid=5108 <Ü A? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101e ' .h**p://ppp.bubko.info/userView.php?userid=5108 <Ü B? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <Ü Q? >Mozilla/4.0 (compatible; MSIE 5.01; Windows NT; YComp 5.0.2.6) 217.145.160.164e B h**p://free.bol.bg/popof/ s<Ü W? 3Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
195.24.90.246A * h**p://ppp.bubko.info/ s<Ü W? 3Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
195.24.90.246e ' h**p://ppp.bubko.info/ <Ü Z? 3Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
195.24.90.246< >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <Ü Z? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101s >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex < Ü ]? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101@ * .h**p://ppp.bubko.info/userView.php?userid=5015 <
Ü ]? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.1019 ' .h**p://ppp.bubko.info/userView.php?userid=5015 <Ü _? 3Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
212.36.10.101 >h**p://banner.search.bg/bin/ifgen?_id=aa0&_s=0&_c=0&_n=noindex <
(There is more like this)
Any ideas appreciated
10x
10-27-2004, 10:52 PM  #2
LQ Guru
Registered: Apr 2003
Location: Nottingham, England
Distribution: Gentoo
Posts: 2,672
I don't suppose you have Snort installed?
If so, post those logs too.
10-28-2004, 03:59 AM  #3
LQ Newbie (Original Poster)
Registered: Oct 2004
Location: Sofia, Bulgaria
Distribution: Slackware, FreeBSD
Posts: 11
10x for the suggestion,
I just installed Snort and am monitoring from now on.
If it happens again, I will post logs.
Greetings
11-01-2004, 03:34 AM  #4
LQ Newbie (Original Poster)
Registered: Oct 2004
Location: Sofia, Bulgaria
Distribution: Slackware, FreeBSD
Posts: 11
I am running Snort now, but nothing unusual.
Saturday there were two shutdowns. The guys at the ISP just say the machine was powered off - like after a normal shutdown, but the database was broken and the startup log says the filesystem was reconstructed (the filesystem is reiserfs and I am using software RAID mirroring).
There is nothing strange about Snort. The most unusual record, around the shutdown time, is:
[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
10/30-07:50:03.888883 66.249.66.205:65364 -> 195.34.96.130:80
TCP TTL:44 TOS:0x80 ID:31777 IpLen:20 DgmLen:347 DF
***AP*** Seq: 0x8403A5F3 Ack: 0xEBE10B3E Win: 0x84F0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 341248673 23915244
The only anomaly I see is in the Apache log:
66.249.64.27 - - [30/Oct/2004:07:52:02 +0300] "GET /eshop3/index.php?url=/eshop3/phps/menu.php&get_vars=1077* HTTP/1.0" 200 2626 "-" "Googlebot/2.1 (+h**p://ppp.google.com/bot.html)"
66.249.64.6 - - [30/Oct/2004:07:51:56 +0300] "GET /eshop3/phps/searchmachine.php?searchtext=CABLE-406 HTTP/1.0" 200 24091 "-" "Googlebot/2.1 (+h**p://ppp.google.com/bot.html)"
66.196.91.130 - - [30/Oct/2004:07:52:01 +0300] "GET /eshop3/phps/home.php HTTP/1.0" 200 12417 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; h**p://help.yahoo.com/help/us/ysearch/slurp)"
66.249.64.52 - - [30/Oct/2004:07:52:05 +0300] "GET /sitemap/addord_1785054.html HTTP/1.0" 302 317 "-" "Googlebot/2.1 (+h**p://ppp.google.com/bot.html)"
194.12.255.166Ť ' [h**p://ppp.bubko.info/objaviView.php?msgpid=1410&PHPSESSID=51ed14ca9d78db1f6b46962548c6f1eb Ś<sÚJ @Ą@ CMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.21 [bg]
82.137.126.99@ * 9h**p://ppp.zapoznanstva.dir.bg/objaviView.php?msgpid=1120 Ś<tÚJ AĄ@ CMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.21 [bg]
82.137.126.99Ť ' 9h**p://ppp.zapoznanstva.dir.bg/objaviView.php?msgpid=1120 ˇ<uÚJ AĄ@ 2Mozilla/4.0 (compatible; MSIE 666.249.64.142 - - [30/Oct/2004:11:01:23 +0300] "GET /eshop3/sitemap/sitemap_mostviewed_0.html HTTP/1.0" 302 324 "-" "Googlebot/2.1 (+h**p://ppp.google.com/bot.html)"
62.204.150.100 - - [30/Oct/2004:11:01:24 +0300] "GET /affiliate/adv.php?key=cc782f66347392122e4ae25dca7e0dc4 HTTP/1.1" 200 1534 "h**p://kamasutrabg.hit.bg/pics.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
62.204.150.100 - - [30/Oct/2004:11:01:26 +0300] "GET /affiliate/images/logo_text2.gif HTTP/1.1" 304 - "h**p://kamasutrabg.hit.bg/pics.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
62.204.150.100 - - [30/Oct/2004:11:01:26 +0300] "GET /affiliate/images/space2.gif HTTP/1.1" 304 - "h**p://kamasutrabg.hit.bg/pics.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
62.204.150.100 - - [30/Oct/2004:11:01:26 +0300] "GET /eshop3/images_products/pic70px/varta_ledlight2_1.jpg HTTP/1.1" 304 - "h**p://kamasutrabg.hit.bg/pics.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
There are some strange records around there.
I am starting to think there may be some hardware issues.
Please give me some ideas.
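The records in posts #1 and #4 that break Apache's log format (the run of ^@ NUL bytes in the first post, the lines that begin with an address but then carry binary bytes and a referer instead of a request) can be picked out mechanically and placed against the last well-formed timestamp. The script below is an added example, not code from this thread or from any of the posters: it classifies every line of an access log as well-formed Common/Combined Log Format, NUL-filled, binary residue or otherwise malformed, and records the timestamp of the last good record before each anomaly. The sample log embedded in it is constructed for the example; its hostnames, paths and session id are made up. One caveat a practitioner would want: a zero-filled stretch followed by a clean resumption of normal records is what a file looks like when its length was extended but the data blocks never reached disk before power was lost, which fits the filesystem reconstruction post #4 reports far better than it fits an HTTP request, so on its own it is not evidence of an intrusion.

```python
"""Added example: find records in an Apache access log that are not
well-formed Common/Combined Log Format lines (NUL-filled stretches,
binary residue, truncated records) and place each one after the last
well-formed timestamp. Sample data below is constructed for this example."""
import re
from typing import Dict, List, Optional, Tuple

# Common Log Format, with the optional referer and user-agent fields that
# make it the Combined format. Anything that fails this is an anomaly.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def classify_line(raw: bytes) -> Tuple[str, Optional[str]]:
    """Return (kind, timestamp). kind is one of: blank, ok, nul, binary,
    malformed. timestamp is set only for well-formed lines."""
    if not raw.strip(b"\r\n"):
        return "blank", None
    if b"\x00" in raw:
        # Zero-filled region: blocks allocated to the file whose data never
        # reached disk, the mark of an unclean shutdown rather than of a
        # request Apache logged.
        return "nul", None
    text = raw.decode("latin-1").rstrip("\r\n")
    m = CLF_RE.match(text)
    if m:
        return "ok", m.group("time")
    if any(ord(c) < 0x20 and c != "\t" for c in text):
        return "binary", None
    return "malformed", None


def scan_access_log(data: bytes) -> List[Dict]:
    """Walk a log file (as bytes, since corrupt regions are not text) and
    report every anomalous line with the timestamp of the last good
    record before it, so it can be lined up against the shutdown time."""
    findings: List[Dict] = []
    last_time: Optional[str] = None
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        kind, ts = classify_line(raw)
        if kind == "ok":
            last_time = ts
        elif kind != "blank":
            findings.append({
                "line": lineno,
                "kind": kind,
                "nul_bytes": raw.count(b"\x00"),
                "after": last_time,
                "preview": raw[:50].decode("latin-1", "replace"),
            })
    return findings


# Constructed sample: two good records, a NUL run, a truncated record, a
# line of binary residue, then a good record again. Hostnames are examples.
SAMPLE_LOG = b"".join([
    b'212.50.16.97 - - [24/Oct/2004:06:04:43 +0300] "GET /bex/rotate.php?siteid=44 HTTP/1.1" 200 340 "http://forum.example.org/" "Mozilla/4.0"\n',
    b'66.196.90.38 - - [24/Oct/2004:06:04:59 +0300] "GET /bex/presentation/slide0006.htm HTTP/1.0" 200 9323\n',
    b"\x00" * 56 + b"\n",
    b'213.16.35.130 - - [27/Oct/2004:13:17:10 +0300] "GET /eshop3/groups/clipart17la/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\n',
    b'212.36.10.101@ * Jhttp://ppp.example.info/login.php?PHPSESSID=5cf2dce9 \x03<\xf4\xdb ? 3Mozilla/4.0 (compatible; MSIE 5.01)\n',
    b'213.222.61.3 - - [24/Oct/2004:10:24:58 +0300] "GET /affiliate/images/see.gif HTTP/1.0" 200 1233 "http://free.example.org/" "Mozilla/4.0"\n',
])

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} ({f['nul_bytes']} NUL bytes) "
              f"after {f['after']}: {f['preview']!r}")
```

Run it against the real file with `scan_access_log(open("/var/log/apache/access_log", "rb").read())`; the log is read as bytes on purpose, because a text-mode read would choke on exactly the regions of interest. Working in latin-1 keeps every byte addressable without decode errors.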
11-02-2004, 12:17 AM  #5
Member
Registered: Aug 2004
Location: the coven
Distribution: slackies
Posts: 55
Ehh... I'm not sure whether this is a great idea, but anyway, I will give this a try. If possible, try to disable the Apache server and see whether this problem still arises. Generally, it is not a good idea to focus the problem on one service (Apache) only. Look into the syslog logs for more information. I had this experience a few months ago. The server shut itself down randomly, a few times per day, and the syslog's logs showed nothing wrong and everything was fine. The server was patched and clean from intrusion. Further investigation revealed that it was a power socket problem.
11-02-2004, 01:11 AM  #6
LQ Newbie (Original Poster)
Registered: Oct 2004
Location: Sofia, Bulgaria
Distribution: Slackware, FreeBSD
Posts: 11
Hi,
Unfortunately I cannot stop Apache and cannot replicate the problem.
I am starting to think it might be hardware now - HDD or memory, maybe motherboard.
I will post results if I find out something.
If anyone has ideas, please post. I have not reached a solution yet.
11-02-2004, 05:50 AM  #7
LQ Newbie (Original Poster)
Registered: Oct 2004
Location: Sofia, Bulgaria
Distribution: Slackware, FreeBSD
Posts: 11
Hi,
another development observed:
I started the command:
top -b > /var/log/top.log &
to check what the CPU state is at the time of the crash.
Today another crash occurred, and here are the last lines from top.log:
top - 12:22:28 up 1 day, 14 min, 1 user, load average: 1.28, 1.32, 0.95
Tasks: 133 total, 2 running, 131 sleeping, 0 stopped, 0 zombie
Cpu(s): 8.7% user, 3.6% system, 0.0% nice, 87.7% idle
Mem: 904480k total, 878908k used, 25572k free, 133000k buffers
Swap: 2048248k total, 9124k used, 2039124k free, 526084k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15997 nobody 12 0 7384 5172 3288 S 4.2 0.6 identd: No such file or directory
Oct 13 08:13:23 www inetd[422]: /usr/sbin/in.identd: exit status 0x1
Oct 13 08:13:23 www inetd[8128]: execv /usr/sbin/in.identd: No such file or directory
Oct 13 08:13:23 www inetd[422]: /usr/sbin/in.identd: exit status 0x1
The last 2 lines repeat about 1500 times. Before this, I observe normal top entries.
I am not running identd. I stopped inetd after this crash to see what happens.
Can Sendmail be using identd?
Any ideas?
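The tail of top.log in post #7 is inetd output: a connection arrives on a port inetd is listening on, inetd forks, the child's execv of /usr/sbin/in.identd fails with "No such file or directory", the child exits 1 and the parent logs the exit status, and this repeats for every connection. That pattern means an `auth` line is still enabled in /etc/inetd.conf while the binary it points at is gone. The script below is an added example, not code from the thread, that performs the two checks this calls for: cross-check the enabled services in inetd.conf against the filesystem for missing server binaries, and count repeated exec failures per server in syslog so the loop is detected next time rather than found by accident in another file's tail. The inetd.conf content and syslog lines in it are constructed (the field layout follows inetd.conf's service, socket type, protocol, wait/nowait, user, server path, arguments); the service lines are assumptions, not the poster's configuration. Two caveats: Sendmail's ident lookups are queries it sends to the remote host's port 113 and do not need a local identd, so running it without the daemon is fine; and the Oct 13 dates in lines that appear inside a file only top was writing are consistent with the filesystem reconstruction reported in post #4 attaching another file's blocks to top.log, which is one plausible reading, not something the thread confirms.

```python
"""Added example: two checks for the inetd/in.identd exec loop seen in
the top.log tail. (1) Which services in inetd.conf are enabled but point
at a server binary that does not exist; (2) which servers inetd reports
failing repeatedly in syslog. All sample data is constructed."""
import os
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple


# inetd.conf layout (one service per line):
#   service  socktype  proto  wait|nowait  user  server_path  args...
def missing_servers(conf_text: str,
                    exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Enabled services whose server path is absent. inetd still binds the
    port for these and forks on every connection, only to fail execv;
    'internal' services (echo, daytime, ...) have no binary and are skipped."""
    missing = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, server = fields[0], fields[5]
        if server != "internal" and not exists(server):
            missing.append((service, server))
    return missing


# Both message shapes inetd logs when starting a server fails:
#   inetd[<child>]: execv <path>: No such file or directory
#   inetd[<parent>]: <path>: exit status 0x1
INETD_MSG = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'inetd\[(?P<pid>\d+)\]: (?:execv )?(?P<server>/\S+): (?P<msg>.*)$'
)
EXIT_STATUS = re.compile(r'exit status 0x([0-9a-fA-F]+)')


def exec_failure_counts(syslog_lines: List[str]) -> Dict[str, int]:
    """Count, per server path, exec failures and non-zero exit statuses
    reported by inetd. Other daemons and clean exits are ignored."""
    counts: Counter = Counter()
    for line in syslog_lines:
        m = INETD_MSG.match(line)
        if not m:
            continue
        msg = m.group("msg")
        status = EXIT_STATUS.search(msg)
        if "No such file or directory" in msg or (status and int(status.group(1), 16) != 0):
            counts[m.group("server")] += 1
    return dict(counts)


def respawn_loops(syslog_lines: List[str], threshold: int = 10) -> List[str]:
    """Server paths inetd failed to start at least `threshold` times."""
    return sorted(s for s, n in exec_failure_counts(syslog_lines).items() if n >= threshold)


# Constructed inetd.conf: one internal service, one present server, one
# enabled service whose binary is missing, one commented-out service.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -w -t120
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""

# Constructed syslog lines in the shape inetd produces; host "www".
SAMPLE_SYSLOG = [
    "Oct 13 08:13:23 www inetd[8128]: execv /usr/sbin/in.identd: No such file or directory",
    "Oct 13 08:13:23 www inetd[422]: /usr/sbin/in.identd: exit status 0x1",
    "Oct 13 08:13:23 www inetd[8129]: execv /usr/sbin/in.identd: No such file or directory",
    "Oct 13 08:13:23 www inetd[422]: /usr/sbin/in.identd: exit status 0x1",
    "Oct 13 08:13:24 www inetd[422]: /usr/sbin/tcpd: exit status 0x0",
    "Oct 13 08:13:24 www sshd[900]: Accepted publickey for admin from 10.0.0.5 port 4022 ssh2",
]

if __name__ == "__main__":
    # Against the sample, pretend only tcpd is installed.
    print(missing_servers(SAMPLE_INETD_CONF, exists=lambda p: p == "/usr/sbin/tcpd"))
    print(exec_failure_counts(SAMPLE_SYSLOG))
    print(respawn_loops(SAMPLE_SYSLOG, threshold=3))
```

On the real host, `missing_servers(open("/etc/inetd.conf").read())` with the default `exists` does the filesystem check, and `respawn_loops(open("/var/log/syslog").readlines())` with the default threshold flags anything inetd has failed to start ten or more times. The remedy for a hit is to comment the service out of inetd.conf (or install the package) and HUP inetd, so the port stops being answered by a fork-and-fail.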
11-02-2004, 09:23 PM  #8
Member
Registered: Aug 2004
Location: the coven
Distribution: slackies
Posts: 55
Quote:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15997 nobody 12 0 7384 5172 3288 S 4.2 0.6 identd: No such file or directory
Oct 13 08:13:23 www inetd[422]: /usr/sbin/in.identd: exit status 0x1
Oct 13 08:13:23 www inetd[8128]: execv /usr/sbin/in.identd: No such file or directory
Oct 13 08:13:23 www inetd[422]: /usr/sbin/in.identd: exit status 0x1
Just curious... what happened to your server's date?
Last edited by m4dj4ck; 11-02-2004 at 09:24 PM.
11-03-2004, 01:44 AM  #9
LQ Newbie (Original Poster)
Registered: Oct 2004
Location: Sofia, Bulgaria
Distribution: Slackware, FreeBSD
Posts: 11
The server date was OK after the restart; just these messages show strange dates.