
RE: [cobalt-users] [RaQ3] SSH Not Responding - Postmortem



Did you make a traceroute on some of the IPs trying
to access computer_warning.gif?
You need to find out in which cases computer_warning.gif
would appear for a user.
Peter 

> Howdy list, for the benefit of anyone who didn't read any of 
> my earlier posts, I have a RaQ3, well cared for with all 
> patches, minimal ports and custom software running, that went 
> down early on the morning of July 4th. 
> While the server was down I found that it was pingable 
> however with practically all services failing (httpd, ahttpd, 
> ssh).  It was rebooted several times and now I'm able to once 
> again gain shell access.
> 
> The server seems as stable as it's ever been and I've begun 
> earnestly digging through the logs looking for info.  I've 
> found some interesting entries in /var/log/messages and the 
> admserv and httpd access and error log files.  Searching 
> through the archives I've found some similar postings from 
> people who were likely having the same problem as us.  In 
> most of those cases the truly enlightened gurus on this list 
> seemed to think crack attempts or DOS attacks were the cause.
> 
> I just thought I'd show you all some of my log entries and 
> get your expert opinions.
> 
> -- from the messages log --
> 
> Jul  3 21:59:52 www kernel: VM: do_try_to_free_pages failed for syslogd...
> Jul  3 21:59:53 www kernel: VM: do_try_to_free_pages failed for poprelayd...
> Jul  3 21:59:53 www kernel: VM: do_try_to_free_pages failed for interchange...
> Jul  3 21:59:55 www kernel: VM: do_try_to_free_pages failed for httpd...
> 
> (I'm not sure if these are related to yesterday's issue, 
> however they are weird and I haven't seen em before.  
> Archives suggest a virtual mem problem...)
> 
> Jul  4 04:12:19 www kernel: Unable to load interpreter /lib/ld-linux.so.2
> 
> (Yeh, there's a ton of these in there, memory again I know, 
> but why..?)
> 
> -- from the adm_access log --
> (This is where it gets interesting, is this an obvious attack 
> on the cobalt gui?  Maybe just someone who was trying to get 
> in from various computers?)
> 
> 80.8.112.51 - - [04/Jul/2002:04:12:27 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 213.17.37.15 - - [04/Jul/2002:04:43:40 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 194.65.5.231 - - [04/Jul/2002:07:36:02 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 193.216.245.84 - - [04/Jul/2002:07:37:56 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 80.9.180.115 - - [04/Jul/2002:07:39:30 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 80.203.23.120 - - [04/Jul/2002:07:42:08 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 129.96.138.71 - - [04/Jul/2002:07:50:31 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 195.194.138.161 - - [04/Jul/2002:07:51:28 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 212.195.20.252 - - [04/Jul/2002:07:53:57 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.0" 200 1119
> 68.128.195.22 - - [04/Jul/2002:07:54:43 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 193.217.241.109 - - [04/Jul/2002:08:09:27 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 213.139.162.197 - - [04/Jul/2002:08:16:05 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 213.139.162.197 - - [04/Jul/2002:08:16:31 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 213.84.26.175 - - [04/Jul/2002:08:21:54 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 132.180.77.189 - - [04/Jul/2002:08:25:39 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 151.37.82.251 - - [04/Jul/2002:08:29:03 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 194.210.4.136 - - [04/Jul/2002:08:31:28 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 66.161.192.157 - - [04/Jul/2002:08:34:58 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 194.122.118.7 - - [04/Jul/2002:08:35:30 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 147.162.157.132 - - [04/Jul/2002:08:44:53 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 195.93.49.171 - - [04/Jul/2002:08:46:33 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 194.158.127.36 - - [04/Jul/2002:08:55:38 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.0" 200 1119
> 213.172.193.30 - - [04/Jul/2002:08:59:24 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 216.209.121.163 - - [04/Jul/2002:09:05:38 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 172.157.54.205 - - [04/Jul/2002:09:10:10 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 217.128.114.130 - - [04/Jul/2002:09:10:26 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 80.60.91.45 - - [04/Jul/2002:09:24:04 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 62.45.106.224 - - [04/Jul/2002:09:37:39 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 4.47.217.6 - - [04/Jul/2002:09:39:19 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 192.167.218.113 - - [04/Jul/2002:10:31:25 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119
> 
> 
> -- from the adm_error log --
> 
> [Thu Jul  4 07:55:03 2002] [error] System: Cannot allocate memory (errno: 12)
> [Thu Jul  4 07:55:03 2002] [error] OpenSSL: error:07064021:memory buffer routines:BUF_MEM_grow:Malloc failure
> [Thu Jul  4 07:55:03 2002] [error] mod_ssl: SSL handshake interrupted by system (System error follows)
> 
> (Ton of these, only during the hours all the other oddities 
> started showing up.  Of course, I imagine a bunch of em are 
> us trying to access the admin.)
> 
> -- from httpd error log --
> 
> Ouch!  malloc failed in malloc_block()
> 
> (Too many of these to count...  I guess I don't really need 
> it spelled out for me, this was an attack of some sort wasn't it?)
> 
> If I find more info I'll pass it along, I appreciate your 
> thoughts and comments...
> 
> thanks,
> Brad
> 
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to: 
> http://list.cobalt.com/mailman/listinfo/cobalt-users
> 
>
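The question raised in this thread, whether the burst of computer_warning.gif hits is the cause of the outage or just a symptom of the admin server already failing, is the kind of thing that is easier to settle with timestamps than by eyeballing the log. The script below is an added example, not code from the thread or from Cobalt: it parses Apache common-log-format lines like the quoted adm_access entries, summarises the hits for one path (request count, distinct client IPs, busiest IP, hits per hour), pulls the kernel memory-exhaustion messages out of a syslog extract, and counts how many hits to that path fall within a window around each memory error. The sample log lines, the RFC 5737 addresses in them, the year 2002 and the -0400 zone applied to the syslog lines (which carry neither) are all constructed assumptions modelled on the thread's quoted output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common log format, the layout of the quoted adm_access lines.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
CLF_TS = "%d/%b/%Y:%H:%M:%S %z"

# Kernel / admin-server messages that point at memory exhaustion, not at the network.
MEM_ERR_RE = re.compile(r"do_try_to_free_pages failed|Unable to load interpreter|Cannot allocate memory")
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

GIF = "/.cobalt/images/computer_warning.gif"
# Assumption: syslog lines are in the same zone as the access log (-0400 in the thread).
LOCAL_TZ = timezone(timedelta(hours=-4))

# Constructed sample data (RFC 5737 test addresses), modelled on the thread's quoted logs.
SAMPLE_ACCESS = "\n".join([
    '192.0.2.10 - - [04/Jul/2002:04:12:27 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119',
    '198.51.100.7 - - [04/Jul/2002:04:43:40 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119',
    '203.0.113.5 - - [04/Jul/2002:07:36:02 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119',
    '203.0.113.5 - - [04/Jul/2002:07:36:30 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.1" 200 1119',
    '192.0.2.44 - - [04/Jul/2002:08:16:05 -0400] "GET /.cobalt/images/computer_warning.gif HTTP/1.0" 200 1119',
    '192.0.2.44 - - [04/Jul/2002:08:16:31 -0400] "GET /.cobalt/ HTTP/1.1" 200 5120',
    'garbage line that does not parse',
])
SAMPLE_MESSAGES = "\n".join([
    "Jul  3 21:59:52 www kernel: VM: do_try_to_free_pages failed for syslogd...",
    "Jul  4 04:12:19 www kernel: Unable to load interpreter /lib/ld-linux.so.2",
    "Jul  4 07:55:03 www kernel: Unable to load interpreter /lib/ld-linux.so.2",
])


def parse_clf(line):
    """Return a dict for one common-log-format line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], CLF_TS)   # timezone-aware
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def memory_error_times(messages_text, year, tz):
    """Timestamps of memory-exhaustion messages. syslog lines carry no year or
    zone, so the caller supplies both."""
    times = []
    for line in messages_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not MEM_ERR_RE.search(line):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        times.append(ts.replace(year=year, tzinfo=tz))
    return times


def summarize_path(access_text, path):
    """Request count, distinct clients, busiest client and per-hour counts for one path.
    Many distinct IPs with one or two hits each looks like ordinary users seeing an
    error page; one IP with hundreds of hits looks like a flood."""
    hits = [r for r in map(parse_clf, access_text.splitlines()) if r and r["path"] == path]
    per_ip = Counter(r["ip"] for r in hits)
    per_hour = Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in hits)
    return {
        "requests": len(hits),
        "distinct_ips": len(per_ip),
        "busiest_ip": per_ip.most_common(1)[0] if per_ip else None,
        "per_hour": dict(per_hour),
        "first": min((r["ts"] for r in hits), default=None),
        "last": max((r["ts"] for r in hits), default=None),
    }


def requests_around(access_text, path, moment, minutes):
    """Count hits for `path` within +/- `minutes` of `moment`; hits that only ever
    follow the memory errors are a symptom, hits that precede them are a lead."""
    window = timedelta(minutes=minutes)
    return sum(
        1 for r in map(parse_clf, access_text.splitlines())
        if r and r["path"] == path and abs(r["ts"] - moment) <= window
    )


if __name__ == "__main__":
    print(summarize_path(SAMPLE_ACCESS, GIF))
    for t in memory_error_times(SAMPLE_MESSAGES, 2002, LOCAL_TZ):
        print(t.isoformat(), "gif hits within 10 min:", requests_around(SAMPLE_ACCESS, GIF, t, 10))
```

Run it against the real adm_access and /var/log/messages files by replacing the sample strings with the file contents; the first thing to look at is whether the earliest hit for the gif comes before or after the first kernel memory message, and whether any single IP accounts for more than a handful of requests.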