From owner-freebsd-security Mon Jun 14 12:52:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from office.omc.net (office.omc.net [195.185.142.22])
        by hub.freebsd.org (Postfix) with ESMTP id 8D7C414C38
        for ; Mon, 14 Jun 1999 12:52:34 -0700 (PDT)
        (envelope-from LutzRab@omc.net)
Received: from lutz (lutz.omc.net [195.185.142.3])
        by office.omc.net (8.9.3/8.9.3) with SMTP id VAA14960;
        Mon, 14 Jun 1999 21:52:22 +0200 (CEST)
Message-Id: <199906141952.VAA14960@office.omc.net>
From: "Lutz Rabing"
Organization: OMCnet IS GmbH
To: Nick Rogness
Date: Mon, 14 Jun 1999 21:52:21 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: New Attack via sendmail?
Reply-To: LutzRab@omc.net
Cc: security@FreeBSD.ORG
References: <199906141930.VAA14403@office.omc.net>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.11)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >
> > I've seen some pretty strange lines in syslog of one of our webservers.
> >
> > The box is running 2.2.8 with sendmail 8.9.3 and has never been out of
> > swap space before, in fact it's not using swap space at all under normal
> > conditions.
> >
> What do your other logs say? (/var/log/maillog)
>
> What about your access_log from apache, were you getting
> hit hard on the web side? The reason I ask is I see a perl
> exit in the log below.

There is nothing in "maillog" at that time and also nothing unusual
in the apache log (just around 10 hits per second for a PIII-450
should be Ok)

Thanks,
Lutz

>
> >
> > Lutz Rabing
> > -OMCnet-
> >
> > ------------------------------------------------------------------------
> > Jun 14 14:11:48 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: /etc/spwd.db
> > Jun 14 14:11:48 meg Jun 14 14:11:48sendmail[: OAA14935
> > Jun 14 14:12:00 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:12:00 meg /kernel: pid 14964 (perl5.00404), uid 0: exited on signal 11
> > Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
> > Jun 14 14:12:01 meg /kernel: pid 14963 (sh), uid 0: exited on signal 11
> > Jun 14 14:12:01 meg Jun 14 14:12:01sendmail[: /etc/spwd.db
> > Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: /etc/spwd.db
> > Jun 14 14:12:05 meg Jun 14 14:12:05sendmail[: NOQUEUE
> > Jun 14 14:12:07 meg Jun 14 14:12:07sendmail[: NOQUEUE
> > Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: out of memory
> > Jun 14 14:12:10 meg Jun 14 14:12:10cucipop[: lost
> > Jun 14 14:12:11 meg Jun 14 14:12:11sendmail[: NOQUEUE
> > Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: /etc/spwd.db
> > Jun 14 14:12:12 meg Jun 14 14:12:12sendmail[: NOQUEUE
> > Jun 14 14:12:14 meg Jun 14 14:12:14sendmail[: NOQUEUE
> > Jun 14 14:12:17 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:12:19 meg last message repeated 2 times
> > Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: /etc/spwd.db
> > Jun 14 14:12:19 meg Jun 14 14:12:19sendmail[: NOQUEUE
> > Jun 14 14:12:19 meg last message repeated 8 times
> > Jun 14 14:12:20 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:12:23 meg /kernel: pid 14974 (mail.local), uid 0: exited on signal 11
> > Jun 14 14:12:23 meg sendmail[14973]: OAA14972: SYSERR(UID0): mailer local died with signal 13
> > Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: out of memory
> > Jun 14 14:12:26 meg Jun 14 14:12:26cucipop[: lost
> > Jun 14 14:12:35 meg Jun 14 14:12:35sendmail[: NOQUEUE
> > Jun 14 14:12:45 meg Jun 14 14:12:45sendmail[: NOQUEUE
> > Jun 14 14:12:58 meg /kernel: swap_pager: out of swap space
> > Jun 14 14:13:00 meg /kernel: pid 16699 (sh), uid 0: exited on signal 11
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> >
> *******************************************************************
> Nick Rogness                 "Never settle with words what
> System Administrator          can be accomplished with a
> RapidNet, INC                 flame-thrower"
> nick@rapidnet.com
> *******************************************************************
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

Best regards,

Lutz Rabing
-OMCnet-

--
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message