
Scary syslog entries, random breakage



  (apologies for the long rambling letter.. I partly just want to complain
   to someone.  Yes, I sometimes jump to conclusions and panic with less
   reason than I would have in a perfect world)

  So I compiled aptitude and libgmp3 on the Hurd, and took a look at rep (it
looks like it has an undeclared build-dependency on libtool; at any rate,
until I installed libtool the build process died complaining about
inter-library dependencies in .la files).

  Unfortunately, the system bought the farm while I was compiling rep for the
nth time.  So I booted into Linux, let fsck run, checked my mail, and
restarted the Hurd.  The first thing I noticed was that it failed to boot;
it looked almost as though it was trying to fsck and failing.  The next thing
I noticed was that after I booted all the way, I was unable to use the
network (I got various messages, ranging from "something wicked happened" (apt)
to "translator died" (ping, I believe)).  This seemed a little odd, since the
networking was working when I shut the system down, so I looked in the
syslog for clues about why pfinet was unhappy, and..

Mar  9 19:47:57 torrent in.ftpd[3255]: connect from 62.155.182.148 with IP options (ignored): 01 00 00 00 34 14 02 01 70 82 04 08 01 00 00 00 00 00 00 00 1c 09 02 00 33 0c 18 06 cb 69 01 00 88 14 02 01 c8 07 02 00 37 84 04 08 11 84 04 08 4814 02 01 fa b8 02 01 44 19 02 01 24 79 02 01 28 0c 02 00 8c 14 02 01 f3 dd 00 0 1c 09 02 00 07 00 00 00 00 00 00 00 00 00 00 00 94 14 02 01 c4 19 02 01 65 c5 02 01 1e dd 00 00 c0 18 02 01 c0 14 02 01 60 1c 02 01 60 1c 02 01 07 00 00 00 01 00 00 00 04 9b 04 08 09 00 00 00 37 84 04 08 24 79 02 01 fc 1b 02 01 80 df 00 00 c0 18 02 01 a4 10 02 01 e0 b1 02 01 c8 07
Mar  9 19:47:57 torrent in.ftpd[3255]: connect from 62.155.182.148
Mar  9 19:47:57 torrent ftpd[3255]: fcntl F_SETOWN: Operation not supported

  I'm not an expert in security, but that looks like someone was trying to
do something bad.

  The address in question is some random overseas dialup.  I don't know
what ftpd was even doing on my system; no package providing it was installed.
My best theory is that dpkg had some sort of trouble (I kind of remember that,
at least) and forgot that whatever package it came from was installed.
  I also don't think that whoever it was actually managed to break in, but
I've yanked the signed binaries I had uploaded to Incoming for now.

  Assuming my security is still intact (which is actually likely, how many
script kiddies are going to be targeting Hurd systems?), I'm not sure how
to fix the situation--it looks like either bad fs corruption (which is
avoiding fsck) or, more likely, some sort of problem with libraries.  Maybe
I can diagnose it tomorrow, if I get some time.. :(  (pfinet seems to be
dying with a bus-error when I run it manually, which I think may be related
to all this)

  The upshot of this is that I'm probably going to wipe and totally reinstall
my Hurd system.  This will delay the upload of libgmp3, aptitude, and the
other stuff I was going to build :( Someone else may want to
build these; libgmp3 and aptitude, at least, build straightforwardly and
without fuss.

  Of course, all of this may be hysteria due to exhaustion; I intend to get
a lot of sleep tonight and decide what to do about this tomorrow morning.

  Daniel

-- 
/-------------------- Daniel Burrows <dburrows@brown.edu> --------------------\
|                      Put no trust in cryptic comments.                      |
\------------- Got APT? -- Debian GNU/Linux http://www.debian.org ------------/
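As an added example (not part of Daniel's message), a small Python triage helper for tcp_wrappers-style "connect from ... with IP options (ignored)" lines like the one quoted above: it decodes the option bytes per RFC 791 and flags a dump that is longer than the 40 option bytes an IP header can actually carry, a malformed option length, an unknown option type, or runs of little-endian 0x0804xxxx words (i386 user-space code addresses rather than option fields). The log lines and option bytes below are constructed samples, not the bytes from the post.

```python
import re

# Constructed sample lines in the tcp_wrappers format quoted in the post (not the post's own bytes).
SAMPLE_LOG = [
    "Mar  9 19:47:57 torrent in.ftpd[3255]: connect from 192.0.2.10 with IP options (ignored): "
    "07 0b 04 00 00 00 00 00 00 00 00 00",                       # valid Record Route + padding
    "Mar  9 19:47:57 torrent in.ftpd[3256]: connect from 192.0.2.11 with IP options (ignored): "
    "01 00 00 00 " + "aa bb 04 08 " * 10,                         # 44 bytes that are not options
]

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.]+)\[(?P<pid>\d+)\]: "
                    r"connect from (?P<src>\d+(?:\.\d+){3}) with IP options \(ignored\): (?P<hex>[0-9a-fA-F ]+)$")
MAX_OPTIONS = 40  # RFC 791: IHL is at most 15 words, so at most 60 - 20 = 40 option bytes
KNOWN = {0: "EOL", 1: "NOP", 7: "RR", 68: "TS", 130: "SEC", 131: "LSRR", 137: "SSRR"}

def decode_ip_options(data):
    """Walk an RFC 791 option list; each (type, name, length, ok) entry records whether it parsed cleanly."""
    out, i = [], 0
    while i < len(data):
        t = data[i]
        if t in (0, 1):                      # EOL ends the list, NOP is a one-byte filler
            out.append((t, KNOWN[t], 1, True))
            i = len(data) if t == 0 else i + 1
            continue
        ln = data[i + 1] if i + 1 < len(data) else 0
        ok = ln >= 2 and i + ln <= len(data) and t in KNOWN
        out.append((t, KNOWN.get(t, "UNKNOWN"), ln, ok))
        if not ok:                           # bad length or type: nothing after it can be trusted
            break
        i += ln
    return out

def triage(line):
    """Parse one syslog line; returns None if it is not an IP-options warning."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = bytes.fromhex(m["hex"].strip())
    opts = decode_ip_options(raw)
    # Count 4-byte words whose upper half is 0x0804 (little-endian i386 text-segment addresses).
    addr_like = sum(1 for k in range(0, len(raw) - 3, 4) if raw[k + 2:k + 4] == b"\x04\x08")
    suspicious = len(raw) > MAX_OPTIONS or addr_like > 0 or not all(o[3] for o in opts)
    return {"src": m["src"], "prog": m["prog"], "nbytes": len(raw),
            "options": opts, "addr_like": addr_like, "suspicious": suspicious}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line))
```

A dump that exceeds 40 bytes cannot be a genuine options field at all, so on a host whose socket layer is misbehaving (as pfinet was here) the length check alone separates "the kernel returned garbage" from "a peer sent odd options".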
