Date: Sun, 4 Mar 2001 04:51:53 -0800 (PST)
From: "Michael A. Dickerson" <mikey@singingtree.com>
To: freebsd-security@freebsd.org
Subject: "Input/output error" on a variety of devices
Message-ID: <Pine.BSF.4.21.0103040400280.55542-100000@redlance.singingtree.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello -security, something peculiar happened to a machine I'm responsible for today. The information in the "daily run output" and "security check output" email is all I have to go on:

> Subject: myhost security check output
>
> checking setuid files and devices:
> find: /dev/rda0: Input/output error
> find: /dev/da0: Input/output error
> find: /dev/rda0s1: Input/output error
> find: /dev/rda0s1c: Input/output error
> find: /dev/da0s1: Input/output error
> find: /dev/rda0s1a: Input/output error
> find: /dev/da0s1a: Input/output error
> find: /dev/bpf0: Input/output error
> find: /dev/card0: Input/output error
> find: /dev/card1: Input/output error
> find: /dev/card2: Input/output error
> find: /dev/card3: Input/output error
> find: /dev/kbd0: Input/output error
> find: /dev/kmem: Input/output error
> find: /dev/mem: Input/output error
> find: /dev/tty: Input/output error
> find: /dev/ugen0: Input/output error
> find: /dev/uhid0: Input/output error
> find: /dev/ulpt0: Input/output error
>
> checking for uids of 0:
> tee: /dev/stderr: Input/output error
>
> checking for passwordless accounts:
> tee: /dev/stderr: Input/output error
>
> sentry.cduniverse.com login failures:
> tee: /dev/stderr: Input/output error
>
> sentry.cduniverse.com refused connections:
> tee: /dev/stderr: Input/output error

Clearly the 'find' didn't break on all devices, but if there's a pattern in the ones that failed, it eludes me. I suppose find was just trying to stat the nodes to get their permissions(?). At this point I was suspecting a full disk might be upsetting the kernel, since this machine logs for others (and a DoS attack would not be terribly surprising in this environment).
However, the daily script thinks the disks are OK:

> Subject: myhost daily run output
>
> Removing stale files from /var/preserve:
>
> Cleaning out old system announcements:
>
> Removing stale files from /var/rwho:
>
> Backup passwd and group files:
>
> Verifying group file syntax:
>
> Backing up mail aliases:
>
> Disk status:
> Filesystem   1K-blocks    Used    Avail Capacity  Mounted on
> /dev/da0s1a      49583   33204    12413     73%    /
> /dev/da0s1f    7956270  713531  6606238     10%    /usr
> /dev/da0s1e      99183    7607    83642      8%    /var
> procfs               4       4        0    100%    /proc
>
> Last dump(s) done (Dump '>' file systems):
>
> UUCP status:
>
> Network interface status:
> netstat: kvm not available
> ifnet: symbol not defined
>
> Local system status:
>  1:59AM  up 10 days, 19:03, 0 users, load averages: 0.07, 0.02, 0.00

... and the rest (mailq and some local scripts) is normal.

It seems the 'kvm not available' is not surprising if /dev/mem is broken somehow, and I'm guessing that ifnet's complaint was just spurious and caused by the first.

With ssh failing to connect, there's not much more information I can get from this machine. It still responds to pings, but I've learned that the most brain-damaged of kernels can still usually manage that:

elsewhere# ssh -l mikey xx.yy.zz.ww
Connection closed by xx.yy.zz.ww
elsewhere# nmap -sS xx.yy.zz.ww

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (xx.yy.zz.ww):
(The 1522 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds
elsewhere#

Anyway, my question is this: Has anybody ever seen anything resembling this behavior? Specifically, does it seem likely that this host was rooted? I'm thinking not, but I ask because this machine lives in a hostile environment and I have to be suspicious of anything weird that happens on that network.
In fact, this was the hopefully "secure" machine which exists only to monitor and log for others (which may have been recently rooted through bind; we're still investigating). It seems that even if it was compromised, the attacker has probably locked himself out as well as me. Hopefully it was a hardware failure or pilot error and I'll be off to -stable. Looks like I'll be adding another log host for the log host...

Thanks very much,
M. Dickerson
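A small triage helper for periodic(8) output like the one quoted in the post, added here as an example and not code from the original message or from FreeBSD's own scripts: it parses the `find:`/`tee:` failure lines (the sample below is constructed from the post's list), groups the failing nodes by driver so any pattern stands out, and re-stats the nodes to record which errno each returns now. All function names are my own, and `driver_family` is an assumed heuristic for 4.x-era device naming.

```python
import errno
import os
import re
from collections import defaultdict
# Constructed sample modelled on the periodic(8) lines quoted in the post.
SAMPLE_OUTPUT = """\
checking setuid files and devices:
find: /dev/rda0: Input/output error
find: /dev/da0s1a: Input/output error
find: /dev/bpf0: Input/output error
checking for uids of 0:
tee: /dev/stderr: Input/output error
"""
# The "tool: /dev/node: error text" shape that find(1) and tee(1) emit.
LINE_RE = re.compile(r"^(?P<tool>find|tee): (?P<path>/dev/\S+): (?P<err>.+)$")

def parse_failures(text):
    """Return {(tool, path): error text} for every failing /dev line."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[(m["tool"], m["path"])] = m["err"]
    return found

def driver_family(path):
    """Assumed heuristic for 4.x names: /dev/rda0s1c -> 'da', /dev/bpf0 -> 'bpf'."""
    name = os.path.basename(path)
    if re.match(r"r[a-z]+\d", name):  # r<disk><unit> is the raw alias of a block device
        name = name[1:]
    m = re.match(r"[a-z]+", name)
    return m.group(0) if m else name

def group_by_family(failures):
    """Cluster failing nodes by driver so a pattern (disks only? everything?) stands out."""
    groups = defaultdict(set)
    for _tool, path in failures:
        groups[driver_family(path)].add(path)
    return {fam: sorted(paths) for fam, paths in groups.items()}

def recheck(paths, stat_fn=os.lstat):
    """Stat each node now: 'ok' or the errno name; stat_fn is injectable for testing."""
    result = {}
    for p in paths:
        try:
            stat_fn(p)
            result[p] = "ok"
        except OSError as e:
            result[p] = errno.errorcode.get(e.errno, str(e.errno))
    return result
```

Feed it the saved security-check mail and the list of paths it extracted; a cluster that is only disk slices points at storage, while failures across unrelated drivers point at the kernel or its devfs state rather than one device.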