Re: [cobalt-users] Address already in use (logfile messages ?)

["Fragga" <fragga@xxxxxxxxxxxx>]

hi herby,

check your /etc/inetd.conf file as this message is coming from the inet
daemon.
Check to see there are no duplications. What raq is this ? Have u updated
anything recently ( patches, new apps, etc) which could have bought this one
?

this is trying to start more services on top of the ones its already running
as the ports are already used. Could it be another copy of inetd.conf ? or
something
going down in the /etc/rc.d directory ? possibly cron aswell trying to start
something ?

I dont think its a crack,  appears to be more of a misconfiguration
somewhere.

Its just puzzling whats suddenly bought it on.

just some ideas to look into.

fragga


----- Original Message -----
From: "Herby K" <mad1.z@xxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, October 08, 2002 5:18 AM
Subject: Re: [cobalt-users] Address already in use (logfile messages ?)


> no such files
> no such processes
>
> chkrootkit also didnt show anything infekted the whole time
>
> rgds,
> Herby
>
> ----- Original Message -----
> From: "Robin Edgar - Tripany" <red@xxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Tuesday, October 08, 2002 12:38 PM
> Subject: [cobalt-users] Address already in use (logfile messages ?)
>
>
> > Look for the following files:
> > /tmp/core/*
> > /etc/cron.d/core
> > /.sushi
> > file://tmp/.tmp/*
> >
> > And the following processes:
> >
> > httpd    10125     1  0 Aug29 ?        00:00:00 [sh]
> > httpd    10658 10125  0 Aug29 ?        00:00:00 [backwget]
> > httpd    10983 10125  0 Aug29 ?        00:01:24 sh raq4lrex.sh
> >
> > If you can find any of the above you have been hacked, and your startup
> > scripts have been buggered. You can restore functionality by killing the
> > above processes and starting the new ones, but beware: as soon as you
> > reboot, you will not come up! You will have to go single user mode and
> > reinstall the entire damn thing, followed by replacing your backups and
> > running through all the upgrades by hand
> >
> > Good luck
> > Robin Edgar
> > Tripany
> > ------------------------------
> > From: "Herby K" <mad1.z@xxxxxxx>
> > To: <cobalt-users@xxxxxxxxxxxxxxx>
> > Date: Tue, 8 Oct 2002 09:10:15 +0200
> > Subject: [cobalt-users] Address already in use (logfile messages ?)
> > Reply-To: cobalt-users@xxxxxxxxxxxxxxx
> >
> > Hi there,
> >
> > as I have installed logcheck and get these reports by mail, I didnt
check
> > logfiles manually that often - but today morning, what is this crap all
in
> > my messages logfile? Is this due to a patch? My complete logfile is full
> of
> > these messages, hour by hour minute by minute.
> >
> > Oct  8 08:46:52 cr02 inetd[28654]: imap/tcp: bind: Address already in
use
> > Oct  8 08:46:52 cr02 inetd[28654]: pop-3/tcp: bind: Address already in
use
> > Oct  8 08:46:52 cr02 inetd[28654]: ftp/tcp: bind: Address already in use
> > Oct  8 08:49:36 cr02 inetd[28110]: imap/tcp: bind: Address already in
use
> > Oct  8 08:49:36 cr02 inetd[28110]: pop-3/tcp: bind: Address already in
use
> > Oct  8 08:49:36 cr02 inetd[28110]: ftp/tcp: bind: Address already in use
> > Oct  8 08:56:52 cr02 inetd[28654]: imap/tcp: bind: Address already in
use
> > Oct  8 08:56:52 cr02 inetd[28654]: pop-3/tcp: bind: Address already in
use
> > Oct  8 08:56:52 cr02 inetd[28654]: ftp/tcp: bind: Address already in use
> > Oct  8 08:59:36 cr02 inetd[28110]: imap/tcp: bind: Address already in
use
> > Oct  8 08:59:36 cr02 inetd[28110]: pop-3/tcp: bind: Address already in
use
> > Oct  8 08:59:36 cr02 inetd[28110]: ftp/tcp: bind: Address already in use
> >
> > Any advice ?
> >
> > rgds,
> > Herby
> >
> >
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>