Date: 16 Oct 2003 04:56:51 -0400 From: Mailing Lists Catcher <freebsd@kibserv.org> To: Barry Hawkins <barryhawkins@mac.com> Cc: FreeBSD Questions <questions@freebsd.org> Subject: Re: /tmp suddenly full - possible DOS hack? Message-ID: <1066294611.9807.39.camel@butters> In-Reply-To: <7AA36E92-FDF2-11D7-A861-000A95A0485E@mac.com> References: <7AA36E92-FDF2-11D7-A861-000A95A0485E@mac.com>
It looks like your messages.0 didn't properly compress when newsyslog rolled the file. Probably due to the fact that your /tmp isn't big enough to bzip a 196MB file. In any case your /var is now full, which will make anything that uses /var for storage not happy...my dhcp server suffered this problem once.

As for the DoS attack, I would say it is likely, but reading the messages.0 file will be the way to tell. Something obviously wrote way too many messages to the log file and newsyslog didn't roll it fast enough...you should find out what most of the messages contain. Then delete that monster logfile to get your system /var under control.

It was because of problems like this that I now install all my systems with a single / mount. I am not certain why multiple mounts are the default on FBSD, but from what little I have read on this subject it seems to have something to do with the reliability of older drives (or FS) and the protection of the kernel from corruption.

Jason

On Mon, 2003-10-13 at 22:59, Barry Hawkins wrote:
> List,
> I have a single FreeBSD server (5.1) that I run at home behind a
> firewall with ports open for ssh, dns, and http. I began having
> trouble with my DNS not responding, then noticed that ssh was not
> responding either. Upon logging in at the server, I noticed error
> messages about my /tmp filesystem being full. Issuing df revealed the
> following:
>
> Filesystem   1K-blocks    Used   Avail Capacity  Mounted on
> /dev/ad0s1a     253678   72770  160614    31%    /
> devfs                1       1       0   100%    /dev
> /dev/ad0s1e     253678     542  232842     0%    /tmp
> /dev/ad0s1f    8209710 3440818 4112116    46%    /usr
> /dev/ad0s1d     253678  253106  -19722   108%    /var
>
> Upon further investigation, I noticed a series of grossly bloated
> messages logs:
>
> -rw-r--r--  1 root  wheel      43001 Oct 13 22:37 messages
> -rw-r--r--  1 root  wheel  196001815 Oct 13 17:00 messages.0
> -rw-r--r--  1 root  wheel      87398 Oct 13 16:00 messages.1.bz2
> -rw-r--r--  1 root  wheel      87096 Oct 13 15:00 messages.2.bz2
> -rw-r--r--  1 root  wheel     109446 Oct 13 14:00 messages.3.bz2
> -rw-r--r--  1 root  wheel     184596 Oct 13 13:00 messages.4.bz2
> -rw-r--r--  1 root  wheel      36822 Oct 13 12:00 messages.5.bz2
>
> This is the first BSD box that I have had that allows DNS queries, and
> this is the first time I have experienced something like this. Is it
> some sort of DOS attack? I am sure there are a hundred variables that
> I am unaware of, but if some of the list sages could be so kind as to
> prod me in the right direction(s) I would be most appreciative.
>
> Thanks,
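Jason's advice is to find out what most of the 196 MB of messages.0 actually contains before deleting it. The script below is an added example, not code from either poster: it collapses each syslog line to a template (timestamp, hostname, PIDs and numbers stripped) and counts the templates, so a single flooding source stands out. The hostname "butters", the client addresses and the log lines are constructed sample data; on a real box the same functions are pointed at /var/log/messages.0.

```shell
#!/bin/sh
# Added example: rank the templates in a syslog-format file by frequency.

# Constructed sample in the style of /var/log/messages (not real data).
SAMPLE_LOG="${TMPDIR:-/tmp}/messages.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Oct 13 16:00:01 butters named[312]: client 192.0.2.10#3456: query (cache) 'example.com/A' denied
Oct 13 16:00:01 butters named[312]: client 192.0.2.11#3457: query (cache) 'example.com/A' denied
Oct 13 16:00:02 butters sshd[998]: Accepted publickey for barry from 198.51.100.7 port 51000 ssh2
Oct 13 16:00:02 butters named[312]: client 192.0.2.12#3458: query (cache) 'example.com/A' denied
Oct 13 16:00:03 butters kernel: ad0: WARNING - READ_DMA UDMA ICRC error
Oct 13 16:00:03 butters named[312]: client 192.0.2.10#3459: query (cache) 'example.com/A' denied
EOF

# Reduce one syslog line to its template: drop "Mon DD HH:MM:SS host",
# blank the [pid], and replace every digit run with N so that client
# addresses, ports and counters all collapse onto the same line.
normalize_syslog() {
    awk '{
        $1 = ""; $2 = ""; $3 = ""; $4 = "";   # timestamp (3 fields) + hostname
        sub(/^ +/, "");
        gsub(/\[[0-9]+\]/, "[]");             # process id
        gsub(/[0-9]+/, "N");                  # addresses, ports, counters
        print
    }'
}

# Print the N most frequent templates with their counts (default 5).
top_messages() {   # usage: top_messages FILE [N]
    normalize_syslog < "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# The single most frequent template, without its count.
top_message() {    # usage: top_message FILE
    top_messages "$1" 1 | sed 's/^ *[0-9]* //'
}

# How many lines the top template accounts for; compare against
# `wc -l` of the file to see whether one source wrote most of the log.
top_message_count() {   # usage: top_message_count FILE
    top_messages "$1" 1 | awk '{ print $1 }'
}

top_messages "$SAMPLE_LOG" 3
```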