From owner-freebsd-stable@FreeBSD.ORG Tue May 22 15:53:58 2007 Return-Path: X-Original-To: freebsd-stable@freebsd.org Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4D09F16A41F for ; Tue, 22 May 2007 15:53:58 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id 0FAC113C447 for ; Tue, 22 May 2007 15:53:58 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7dbb.q.ppp-pool.de [89.53.125.187]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 670FF12883F for ; Tue, 22 May 2007 17:53:51 +0200 (CEST) Received: from epeios.sz.vwsoft.com (epeios.sz.vwsoft.com [192.168.16.5]) by mail.vtec.ipme.de (Postfix) with ESMTP id CED703FA06; Tue, 22 May 2007 17:53:22 +0200 (CEST) Message-ID: <465311F2.9030607@vwsoft.com> Date: Tue, 22 May 2007 17:53:22 +0200 From: Volker User-Agent: Thunderbird 2.0.0.0 (X11/20070521) MIME-Version: 1.0 To: Ivan Voras References: <4652ECE2.7060400@vwsoft.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: freebsd-stable@freebsd.org Subject: Re: ghosthunting: machine freeze 6.2R X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 May 2007 15:53:58 -0000 On 05/22/07 17:18, Ivan Voras wrote: > Volker wrote: > >> My first thought is a hardware problem but why does it occur that less >> and only in the morning? My next thought is a DoS attack >> (CVE-2007-0244?) but can that lead into a machine freeze? > > When in the morning? If it's around 3-4 am, that's when the (often > hardware intensive) default cron jobs kick in. No, it's not cron (perdiodic daily/security) related. It appears sometime between 7 and 11 am (CEST). That would be too easy. Probably it's too early to see similarities as it's just on two days in a row. Tomorrow I'll have a hub at that location and can watch traffic using a 2nd bsd machine. Let's see, if that leads to any strange traffic.