From owner-freebsd-security  Tue Jun 15 11: 7:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1])
	by hub.freebsd.org (Postfix) with ESMTP id 1BCDC15601
	for ; Tue, 15 Jun 1999 11:07:51 -0700 (PDT)
	(envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost)
	by rapidnet.com (8.9.3/8.9.3) with ESMTP id MAA38973;
	Tue, 15 Jun 1999 12:07:32 -0600 (MDT)
Date: Tue, 15 Jun 1999 12:07:32 -0600 (MDT)
From: Nick Rogness
To: Warner Losh
Cc: LutzRab@omc.net, security@FreeBSD.ORG
Subject: Re: New Attack via sendmail?
In-Reply-To: <199906150630.AAA90548@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Jun 1999, Warner Losh wrote:

> In message <199906141930.VAA14403@office.omc.net> "Lutz Rabing" writes:
> : I've seen some pretty strange lines in syslog of one of our webservers.
> :
> : The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> : swap space before, in fact it's not using swap space at all under normal
> : conditions.
>
> Have you used gdb to get a traceback sendmail.core?  Have you
> considered building sendmail from sources and installing that binary
> if you have the stripped binary installed?
>
> I've not heard of attack like this recently.
>
> Also, I'd take a look at cucipop.  It may be the case that it, or
> something else, is eating all the memory, causing problems for
> sendmail, et al.  'ps auxww' should help next time this happens.

	Or even 'top' shows a bit more detail than ps -auxww does.
	But either one should help ya see what is going on.  Problem
	is you have to be on the server when this happens.

>
> Warner
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

*******************************************************************
Nick Rogness                      "Never settle with words what
System Administrator               can be accomplished with a
RapidNet, INC                      flame-thrower"
nick@rapidnet.com
*******************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
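
The limitation raised above is that someone has to be logged in at the moment memory runs out. The following is an added example, not part of the original thread: a periodic snapshot of the largest processes from `ps auxww`, so there is a record to read afterwards. The log path, interval, `--watch` switch and sample process table are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: record the biggest memory consumers at intervals so the
# evidence survives even if nobody is logged in when swap is exhausted.

# rank_by_rss N: read `ps auxww` output on stdin and print the N rows with
# the largest resident set size (RSS, column 6, in KB). The header row and
# any row without a numeric RSS are dropped.
rank_by_rss() {
    awk 'NR > 1 && $6 ~ /^[0-9]+$/ { print }' | sort -k6,6nr | head -n "${1:-5}"
}

# snapshot LOGFILE N: append a timestamp and the top N rows to LOGFILE.
snapshot() {
    {
        date '+%Y-%m-%d %H:%M:%S'
        ps auxww | rank_by_rss "$2"
        echo
    } >> "$1"
}

# Constructed sample of `ps auxww` output (all values invented) used to
# show what rank_by_rss returns without needing a live system.
SAMPLE='USER   PID %CPU %MEM   VSZ   RSS TT STAT STARTED    TIME COMMAND
root     1  0.0  0.1   496   288 ?? Is   10:01AM 0:00.05 /sbin/init --
root   142  0.0  0.9  1320   912 ?? Ss   10:01AM 0:02.11 sendmail: accepting connections (sendmail)
pop   3811 12.4 61.3 98112 60344 ?? R    11:52AM 1:14.80 cucipop -Y
www    977  0.3  4.2  6120  4100 ?? S    10:02AM 0:09.33 httpd'

# Run as "memwatch.sh --watch" to log continuously. LOG and INTERVAL are
# assumed defaults; pick a log location on a filesystem with free space.
if [ "${1:-}" = "--watch" ]; then
    while :; do
        snapshot "${LOG:-/var/log/memwatch.log}" 10
        sleep "${INTERVAL:-60}"
    done
fi
```

When sendmail next logs an out-of-swap error, compare its syslog timestamp with the nearest snapshot to see which process was holding the memory.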