Date: 16 Mar 2002 12:24:26 -0600
From: Rob Hughes <rob@robhughes.com>
To: freebsd-questions@freebsd.org
Cc: Ralph Dratman <ralph@maxsoft.com>
Subject: Re: Worrisome log messages about sshd and httpd
Message-ID: <1016303066.1860.33.camel@kahuna-ws.robhughes.com>
In-Reply-To: <v04210109b8b9158a6b60@[192.168.1.27]>
References: <v04210109b8b9158a6b60@[192.168.1.27]>
Standard practice (most places) in the case of a suspected system compromise is to wipe the system and do a clean install, or to do a restore from a known and trusted backup (you do back up at least your configs, I hope?). Anything funny in the output of ps -ax or netstat -an? Any users been mysteriously added? Any binaries that have been mysteriously transformed to perl or shell scripts? Anything weird in /tmp? Any big gaps in /var/log/messages or /var/log/security? Any config files changed or added?

However, it's also very possible that the problem is just that the root slice is full. I've had processes start dumping on me any time a slice they want to write to gets full. It's hard to say without knowing the exact layout of your slices. You might also want to manually run the periodic jobs as they'll tell you a lot about what's been going on with the system, if you want to still trust them.

You don't mention the patch level of the suspect processes, but there are a few exploits for ssh and apache that old, if you've never patched or upgraded.

If it was me, I'd take the system off the network, make a binary copy of the drives, back up needed config files, and wipe it (for forensics and in case it's decided to pursue prosecution should that turn up anything). But I make a living being paranoid, among other things.

Whether you decide to rebuild it or not, you might strongly consider running snort on that system. Very nice IDS and very flexible.

On Sat, 2002-03-16 at 09:39, Ralph Dratman wrote:
> Any and all,
>
> My system (4.2-RELEASE) normally runs very well and is extremely stable.
>
> Yesterday the following appeared in my security email:
>
> =====================
> www.dratman.com kernel log messages:
> > 0xc2adac88
> > pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
> > pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
> > pid 16216 (sshd), uid 0: exited on signal 11 (core dumped)
> >... (more of the same)
> > pid 16229 (sshd), uid 0: exited on signal 11 (core dumped)
> > pid 16230 (sshd), uid 0: exited on signal 11 (core dumped)
> > pid 16237 (sshd), uid 0: exited on signal 11 (core dumped)
> > pid 16891 (locate.code), uid 65534 on /: file system full
> =====================
>
> and dmesg gave me more nice material, again repeated many times:
>
> =====================
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 5827 (ftpd)
> vnode_pager: *** WARNING *** stale FS getpages
> No strategy for buffer at 0xc2adac88
> : 0xc7b89ec0: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 6, pid 5827, mode 180, flags 0
> : 0xc7b89ec0: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 6, pid 5827, mode 180, flags 0
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 5827 (ftpd)
> vnode_pager: *** WARNING *** stale FS getpages
> No strategy for buffer at 0xc2adac88
> : 0xc7bf6080: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 5, pid 5827, mode 180, flags 0
> : 0xc7bf6080: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 5, pid 5827, mode 180, flags 0
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 5827 (ftpd)
> pid 94028 (httpd), uid 65534: exited on signal 11
> pid 94003 (httpd), uid 65534: exited on signal 11
> pid 93975 (httpd), uid 65534: exited on signal 11
> pid 93974 (httpd), uid 65534: exited on signal 11
> pid 93973 (httpd), uid 65534: exited on signal 11
> pid 54584 (httpd), uid 0: exited on signal 11 (core dumped)
> pid 181 (httpd), uid 0: exited on signal 10 (core dumped)
> pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16216 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16236 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16237 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16891 (locate.code), uid 65534 on /: file system full
> =====================
>
> Am I seeing some kind of buffer-overflow attack? Can anyone suggest
> what might be happening here?
>
> The system is still alive as of this morning and otherwise seems to
> be functioning normally.
>
> Thanks in advance for any thoughts or insights.
>
> Regards,
>
> Ralph Dratman
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
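A few triage helpers for the checks the reply suggests (full slice, bursts of "exited on signal" crashes, gaps in /var/log/messages, binaries that have turned into scripts). This is an added example, not code from the thread or from FreeBSD; the sample log lines are constructed, and the gap threshold and directories passed in are assumptions.

```sh
# Added triage helpers (example code, not from the thread). Paths,
# thresholds and the sample log lines below are assumptions.

# Percentage in use of the filesystem holding $1 (the "file system full" case).
fs_use_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Tally "pid N (name), uid U: exited on signal S" lines in $1 per program and
# signal, so a burst of sshd/httpd crashes stands out. Output: "name sig count".
crash_counts() {
    awk '/exited on signal/ {
            match($0, /\([^)]*\)/);     name = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /signal [0-9]+/); sig  = substr($0, RSTART + 7, RLENGTH - 7)
            n[name " " sig]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Report gaps longer than $2 seconds between consecutive syslog-format lines in
# $1 ("Mon DD HH:MM:SS ..."); a long silence can mean a log was truncated.
log_gaps() {
    awk -v thr="$2" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = i }
        { split($3, t, ":")
          now = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
          if (NR > 1 && now - prev > thr)
              printf "gap of %d s before line %d: %s\n", now - prev, NR, $0
          prev = now }' "$1"
}

# List files under the given directories that start with "#!" (a binary that
# has been replaced by a shell or perl script).
script_binaries() {
    find "$@" -type f 2>/dev/null | while read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample resembling /var/log/messages (not from the real system).
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 16 09:00:00 www kernel: pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 16 09:00:01 www kernel: pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 16 15:30:00 www kernel: pid 181 (httpd), uid 0: exited on signal 10 (core dumped)
Mar 16 15:30:01 www kernel: pid 94028 (httpd), uid 65534: exited on signal 11
Mar 16 15:30:02 www kernel: pid 16891 (locate.code), uid 65534 on /: file system full
EOF
}
```

Run the functions against a real /var/log/messages and /bin, /usr/bin, /usr/sbin once the sample output looks right; a clean result from script_binaries is not proof of integrity, only the absence of the crudest replacement.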