From: Brett Glass
To: Garance A Drosihn, security@freebsd.org
Date: Thu, 23 Oct 2003 18:41:12 -0600
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install
Message-Id: <6.0.0.22.2.20031023183427.04e18d10@localhost>
References: <6.0.0.22.2.20031023162326.04c1e008@localhost>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

At 06:01 PM 10/23/2003, Garance A Drosihn wrote:

>My /etc/newsyslog.conf indicates that /var/log/messages
>should be rotated whenever it gets over 100K.

Absolutely correct. And the default /etc/crontab doesn't run newsyslog often enough to catch it before it overflows the entire disk -- at least when there's a storm of these messages.

(By the way, I've received a note via private e-mail suggesting that the QHosts worm could be the culprit, but it doesn't have these symptoms.)
>I'm sure that /var can fill up even if /var/log/messages is
>rotated every hour, if the error messages are coming in fast
>enough. But the file should be getting rotated once per hour
>in the default install, not once per day.

Actually, you're correct. newsyslog runs once per hour in the default install. This shows just how fast the messages can accumulate. And when it DID finally run, it didn't have room to compress the old file, so the log remained uncompressed and the disk remained full.

>I do not think that the correct solution is to rotate the
>files at an even faster rate.

Running newsyslog doesn't ALWAYS rotate the log. In the case of /var/messages, it checks to see whether the log needs it.

>Just how large is /var on the
>machine where you're seeing this problem?

On the machine from which I took those messages, it's 256M.

--Brett
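The two mechanisms the thread turns on are a size-triggered rotation (newsyslog only rotates when the log is over its configured size, and cron only invokes it hourly) and the failure mode Brett describes, where the rotated file cannot be compressed because the filesystem is already full. The script below is an added illustration of both, written for this page; it is not newsyslog, nor any code from the list posters. The function names (rotate_if_needed, fs_free_kb, file_size_bytes), the "rotate when over MAX_KB, keep KEEP archives" arguments and the copy-and-truncate strategy are assumptions made for the example; the free-space check before gzip is the part a real rotation misses when /var is already at 100%.

```shell
#!/bin/sh
# Added example (not newsyslog itself): size-triggered rotation of a log
# file in the style of newsyslog's "rotate when over N KB" rule, plus a
# free-space check so compression is skipped (rather than failing) when
# the filesystem is already full. All names here are illustrative.

# file_size_bytes FILE -> prints the file's size in bytes.
# wc -c is used instead of stat because stat's flags differ between
# GNU and BSD userlands.
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# fs_free_kb PATH -> prints free kilobytes on the filesystem holding PATH.
# df -P gives the POSIX one-line-per-filesystem layout; column 4 is "Available".
fs_free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# rotate_if_needed LOG MAX_KB KEEP
#   0 -> LOG exceeded MAX_KB and was rotated
#   1 -> LOG was below the threshold, nothing done (what newsyslog does
#        on most of its hourly runs)
#   2 -> LOG does not exist
# Archives are LOG.0 (newest) .. LOG.(KEEP-1), gzipped when space allows.
rotate_if_needed() {
    log=$1; max_kb=$2; keep=$3
    [ -f "$log" ] || return 2

    size=$(file_size_bytes "$log")
    [ "$size" -gt $((max_kb * 1024)) ] || return 1

    # Drop the oldest archive, then shift LOG.n -> LOG.(n+1).
    oldest=$((keep - 1))
    rm -f "$log.$oldest" "$log.$oldest.gz"
    i=$oldest
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        for ext in "" .gz; do
            if [ -f "$log.$prev$ext" ]; then
                mv "$log.$prev$ext" "$log.$i$ext"
            fi
        done
        i=$prev
    done

    # Copy-and-truncate: syslogd keeps its open descriptor on LOG and
    # continues writing without a SIGHUP.
    cp "$log" "$log.0" && : > "$log"

    # gzip writes LOG.0.gz before unlinking LOG.0, so it needs free space.
    # Requiring at least the uncompressed size is a conservative bound;
    # if the disk is full, leave LOG.0 uncompressed instead of erroring out.
    need_kb=$(( (size + 1023) / 1024 ))
    if [ "$(fs_free_kb "$log")" -ge "$need_kb" ] && command -v gzip >/dev/null 2>&1; then
        gzip -f "$log.0"
    fi
    return 0
}

# Usage (hourly from cron, mirroring the default schedule):
#   rotate_if_needed /var/log/messages 100 7
```

Run hourly, this only helps if an hour's worth of messages fits in the headroom left on /var; with a 256M partition and a message storm, it still loses the race, which is why the thread's point is about the log volume, not the rotation interval. The free-space branch is the difference between "the rotated file stayed uncompressed" and a cron job that fails noisily every hour.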