Date:      16 Oct 2003 04:56:51 -0400
From:      Mailing Lists Catcher <freebsd@kibserv.org>
To:        Barry Hawkins <barryhawkins@mac.com>
Cc:        FreeBSD Questions <questions@freebsd.org>
Subject:   Re: /tmp suddenly full - possible DOS hack?
Message-ID:  <1066294611.9807.39.camel@butters>
In-Reply-To: <7AA36E92-FDF2-11D7-A861-000A95A0485E@mac.com>
References:  <7AA36E92-FDF2-11D7-A861-000A95A0485E@mac.com>

It looks like your messages.0 didn't properly compress when newsyslog
rolled the file.  Probably due to the fact that your /tmp isn't big
enough to bzip a 196MB file.  In any case your /var is now full which
will make anything that uses /var for storage not happy...my dhcp server
suffered this problem once.

As for the dos attack I would say it is likely but reading the
messages.0 file will be the way to tell.  Something obviously wrote way
too many messages to the log file and newsyslog didn't roll it fast
enough...you should find out what most of the messages contain.  Then
delete that monster logfile to get your system /var under control.

It was because of problems like this that I now install all my systems
with a single / mount.  I am not certain why multiple mounts are the
default on FBSD, but from what little I have read on this subject it
seems to have something to do with reliability of older drives (of FS)
and the protection of the kernel from corruption.

Jason

On Mon, 2003-10-13 at 22:59, Barry Hawkins wrote:
> List,
> 	I have a single FreeBSD server (5.1) that I run at home behind a 
> firewall with ports open for ssh, dns, and http.  I began having 
> trouble with my DNS not responding, then noticed that ssh was not 
> responding either.  Upon logging in at the server, I noticed error 
> messages about my /tmp filesystem being full.  Issuing df revealed the 
> following:
> 
> Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
> /dev/ad0s1a    253678   72770  160614    31%    /
> devfs               1       1       0   100%    /dev
> /dev/ad0s1e    253678     542  232842     0%    /tmp
> /dev/ad0s1f   8209710 3440818 4112116    46%    /usr
> /dev/ad0s1d    253678  253106  -19722   108%    /var
> 
> 	Upon further investigation, I noticed a series of grossly bloated 
> messages logs:
> 
> -rw-r--r--   1 root  wheel        43001 Oct 13 22:37 messages
> -rw-r--r--   1 root  wheel    196001815 Oct 13 17:00 messages.0
> -rw-r--r--   1 root  wheel        87398 Oct 13 16:00 messages.1.bz2
> -rw-r--r--   1 root  wheel        87096 Oct 13 15:00 messages.2.bz2
> -rw-r--r--   1 root  wheel       109446 Oct 13 14:00 messages.3.bz2
> -rw-r--r--   1 root  wheel       184596 Oct 13 13:00 messages.4.bz2
> -rw-r--r--   1 root  wheel        36822 Oct 13 12:00 messages.5.bz2
> 
> 	This is the first BSD box that I have had that allows DNS queries, and 
> this is the first time I have experienced something like this.  Is it 
> some sort of DOS attack?  I am sure there are a hundred variables that 
> I am unaware of, but if some of the list sages could be so kind as to 
> prod me in the right direction(s) I would be most appreciative.
> 
> Thanks,
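One way to do the check Jason suggests (find out what most of the lines in a runaway messages.0 contain before deleting it), written as an added example rather than anything posted in this thread. It assumes the usual syslog line layout `Mon DD HH:MM:SS host prog[pid]: message`, strips the per-line variable parts (timestamp, host, PID, IP addresses, port numbers) so that otherwise identical messages collapse into one template, and counts the templates. The log lines it runs on are constructed for the demonstration; point it at the real file instead.

```shell
#!/bin/sh
# Added example, not from the thread: summarize what is flooding a
# syslog-style file by collapsing lines into message templates and counting them.

# Write a constructed sample log: one message repeated 50 times plus two
# ordinary lines, so the "flood" stands out the way a real one would.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 50 ]; do
        printf 'Oct 13 16:%02d:01 butters named[312]: client 192.0.2.10#53 query denied\n' \
            "$((i % 60))" >> "$out"
        i=$((i + 1))
    done
    printf 'Oct 13 16:05:00 butters sshd[777]: Accepted publickey for barry from 192.0.2.20\n' >> "$out"
    printf 'Oct 13 16:06:00 butters dhcpd[900]: DHCPACK on 192.0.2.30 to 00:00:5e:00:53:01\n' >> "$out"
}

# Print the N most frequent message templates, most frequent first.
# Assumed line layout: "Mon DD HH:MM:SS host prog[pid]: message".
top_templates() {
    file="$1"; n="${2:-5}"
    # awk drops the first four whitespace-separated fields (timestamp and host),
    # which also copes with the double space syslog uses for single-digit days;
    # sed then blanks out PIDs, IPv4 addresses and #port suffixes.
    awk '{ for (i = 1; i <= 4; i++) $i = ""; sub(/^ +/, ""); print }' "$file" \
      | sed -E 's/\[[0-9]+\]/[PID]/; s/[0-9]+(\.[0-9]+){3}/IP/g; s/#[0-9]+/#PORT/g' \
      | sort | uniq -c | sort -rn | head -n "$n"
}

# The single most common template, without its count: the first thing to read
# when a log has exploded.
top_template() {
    top_templates "$1" 1 | sed -E 's/^ *[0-9]+ //'
}

# How many lines that top template accounts for.
top_count() {
    top_templates "$1" 1 | awk '{ print $1 }'
}

# Usage on a real system (for a bz2 that failed to compress, run on the raw file):
#   top_templates /var/log/messages.0 10
```

Running `top_templates` against the constructed sample prints the `named ... query denied` template with a count of 50 at the top, followed by the two one-off lines. On a real box the top entry tells you which daemon to look at, and the `sort | uniq -c` pipeline only needs scratch space in the directory `sort` uses for temporaries, so set `TMPDIR` to a filesystem with room if /tmp or /var is the one that is full.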


