From owner-freebsd-questions Sat Mar 16 10:24:19 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from ns2.robhughes.com (12-237-138-77.client.attbi.com [12.237.138.77]) by hub.freebsd.org (Postfix) with SMTP id DC6E437B400 for ; Sat, 16 Mar 2002 10:24:09 -0800 (PST)
Received: (qmail 9984 invoked from network); 18 Mar 2002 18:47:51 -0000
Received: from hexch01.robhughes.com (192.168.1.3) by ns2.robhughes.com with SMTP; 18 Mar 2002 18:47:51 -0000
Received: from kahuna-ws.robhughes.com ([192.168.1.13]) by HEXCH01.robhughes.com with Microsoft SMTPSVC(5.0.2195.2966); Sat, 16 Mar 2002 12:23:08 -0600
Subject: Re: Worrisome log messages about sshd and httpd
From: Rob Hughes
To: freebsd-questions@freebsd.org
Cc: Ralph Dratman
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.2.99 Preview Release
Date: 16 Mar 2002 12:24:26 -0600
Message-Id: <1016303066.1860.33.camel@kahuna-ws.robhughes.com>
Mime-Version: 1.0
X-OriginalArrivalTime: 16 Mar 2002 18:23:08.0339 (UTC) FILETIME=[9F490830:01C1CD17]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Standard practice (most places) in the case of a suspected system compromise is to wipe the system and do a clean install, or to do a restore from a known and trusted backup (you do back up at least your configs, I hope?).

Anything funny in the output of ps -ax or netstat -an? Any users been mysteriously added? Any binaries that have been mysteriously transformed to perl or shell scripts? Anything weird in /tmp? Any big gaps in /var/log/messages or /var/log/security? Any config files changed or added?

However, it's also very possible that the problem is just that the root slice is full. I've had processes start dumping on me anytime a slice they want to write to gets full. It's hard to say without knowing the exact layout of your slices. You might also want to manually run the periodic jobs as they'll tell you a lot about what's been going on with the system, if you want to still trust them.

You don't mention the patch level of the suspect processes, but there are a few exploits for ssh and apache that old, if you've never patched or upgraded.

If it was me, I'd take the system off the network, make a binary copy of the drives, back up needed config files, and wipe it (for forensics and in case it's decided to pursue prosecution should that turn up anything). But I make a living being paranoid, among other things.

Whether you decide to rebuild it or not, you might strongly consider running snort on that system. Very nice IDS and very flexible.

On Sat, 2002-03-16 at 09:39, Ralph Dratman wrote:
> Any and all,
>
> My system (4.2-RELEASE) normally runs very well and is extremely stable.
>
> Yesterday the following appeared in my security email:
>
> =====================
> www.dratman.com kernel log messages:
>
> 0xc2adac88
> pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16216 (sshd), uid 0: exited on signal 11 (core dumped)
> ... (more of the same)
> pid 16229 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16230 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16237 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16891 (locate.code), uid 65534 on /: file system full
> =====================
>
> and dmesg gave me more nice material, again repeated many times:
>
> =====================
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 5827 (ftpd)
> vnode_pager: *** WARNING *** stale FS getpages
> No strategy for buffer at 0xc2adac88
> : 0xc7b89ec0: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 6, pid 5827, mode 180, flags 0
> : 0xc7b89ec0: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 6, pid 5827, mode 180, flags 0
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 5827 (ftpd)
> vnode_pager: *** WARNING *** stale FS getpages
> No strategy for buffer at 0xc2adac88
> : 0xc7bf6080: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 5, pid 5827, mode 180, flags 0
> : 0xc7bf6080: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
> tag VT_PROCFS, type 5, pid 5827, mode 180, flags 0
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 5827 (ftpd)
> pid 94028 (httpd), uid 65534: exited on signal 11
> pid 94003 (httpd), uid 65534: exited on signal 11
> pid 93975 (httpd), uid 65534: exited on signal 11
> pid 93974 (httpd), uid 65534: exited on signal 11
> pid 93973 (httpd), uid 65534: exited on signal 11
> pid 54584 (httpd), uid 0: exited on signal 11 (core dumped)
> pid 181 (httpd), uid 0: exited on signal 10 (core dumped)
> pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16216 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16236 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16237 (sshd), uid 0: exited on signal 11 (core dumped)
> pid 16891 (locate.code), uid 65534 on /: file system full
> =====================
>
> Am I seeing some kind of buffer-overflow attack? Can anyone suggest
> what might be happening here?
>
> The system is still alive as of this morning and otherwise seems to
> be functioning normally.
>
> Thanks in advance for any thoughts or insights.
>
> Regards,
>
> Ralph Dratman
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
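The reply above lists the checks to run (ps, netstat, binaries that turned into scripts, a full root slice) and Ralph's quoted kernel messages are the raw material. The script below is an added triage example written for this thread; it is not code from either poster or from FreeBSD. It assumes the message formats shown in the quote, a POSIX sh with awk and df -P, and the function names and sample lines are constructed for illustration. It summarises which daemons died on which signal as which uid, counts root processes that dumped core, lists filesystems the kernel reported full and checks their current usage, and flags executables in a directory that begin with "#!" so they can be compared against a clean install.

```shell
#!/bin/sh
# Added triage helper for the thread above; not code from either poster.
# It parses the kind of kernel messages Ralph quoted and runs two of the host
# checks Rob lists. Function names, the built-in sample log and the
# directory/mount arguments are assumptions for illustration.

# summarize_signals LOGFILE
# Groups lines like "pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)"
# and prints one "process uid signal count" line per combination.
summarize_signals() {
    awk '
        /exited on signal/ {
            proc = $3; gsub(/[(),]/, "", proc)   # "(sshd)," -> "sshd"
            uid  = $5; sub(/:$/, "", uid)        # "0:"     -> "0"
            sig  = $9                            # signal number
            n[proc " " uid " " sig]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# root_core_dumps LOGFILE
# Counts crashes of uid 0 processes that left a core file; sshd and the
# httpd parent run as root, so these are the lines to look at first.
root_core_dumps() {
    grep -c 'uid 0: exited on signal.*(core dumped)' "$1" || true
}

# full_filesystems LOGFILE
# Lists mount points the kernel reported as full, e.g. "/" from
# "pid 16891 (locate.code), uid 65534 on /: file system full".
full_filesystems() {
    awk '/file system full/ { fs = $7; sub(/:$/, "", fs); print fs }' "$1" | sort -u
}

# fs_usage_percent MOUNTPOINT
# Current capacity of a mounted filesystem as an integer percentage (df -P).
fs_usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# list_script_binaries DIR
# Prints executables in DIR whose first two bytes are "#!", i.e. shell or
# perl scripts. Compare the output with a known-good install of the same
# release: FreeBSD ships some legitimate scripts in /usr/bin.
list_script_binaries() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh triage.sh [/var/log/messages] [/bin /usr/sbin ...]
# With no arguments it runs on a constructed sample taken from the quoted lines.
if [ $# -ge 1 ]; then
    log=$1; shift
else
    log=$(mktemp)
    cat > "$log" <<'EOF'
pid 16214 (sshd), uid 0: exited on signal 11 (core dumped)
pid 16215 (sshd), uid 0: exited on signal 11 (core dumped)
pid 94028 (httpd), uid 65534: exited on signal 11
pid 181 (httpd), uid 0: exited on signal 10 (core dumped)
pid 16891 (locate.code), uid 65534 on /: file system full
EOF
fi
echo "== signal exits (process uid signal count) =="
summarize_signals "$log"
echo "== root processes that dumped core: $(root_core_dumps "$log") =="
for fs in $(full_filesystems "$log"); do
    echo "== $fs was reported full; it is now at $(fs_usage_percent "$fs")% =="
done
for d in "$@"; do
    echo "== scripts among executables in $d =="
    list_script_binaries "$d"
done
```

The output does not decide between the two explanations in the thread on its own: a full root slice and an exploitation attempt both show up as root daemons dying on signal 11. What it gives you is the ordering for the next step, namely whether the crashes continue once space is freed, and which directories to diff against a clean install before the disk is imaged and wiped as the reply suggests.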