From: Miguel Mendez
Organization: Energy HQ
To: "William J. Borskey", freebsd-security@freebsd.org
Subject: Re: weird server activity
Date: Sat, 26 Jan 2002 18:32:00 +0100
Message-Id: <20020126173226.EF0013FC07@energyhq.homeip.net>

On Saturday 26 January 2002 18:13, William J. Borskey wrote:

Hi there,

> sounding paths, but it wasn't code red or anything like code red:

No, it's not Code Red, it's Nimda IIRC. I used to get it on my server all the
time until I got tired of it and banned 213/8 with ipfw. Unless you are getting
lots of requests and have a high number in MaxSpareServers, I don't see how this
alone could have caused the machine to be unable to spawn more processes. If
possible run some network monitoring software like e.g. snort and watch for DoS
attempts, but I would discard the worm being the cause.

Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
EnergyHQ :: http://energyhq.homeip.net
FreeBSD - The power to serve!