possible attack?
Logcheck has just reported 29 lines like these:
Mar 21 07:54:51 www syslog-ng[137]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Mar 21 07:54:51 www syslog-ng[137]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
and netstat -a shows a lot of connections:
unix 1 [ ] STREAM CONNECTED 1123334 /dev/log
unix 1 [ ] STREAM CONNECTED 1116966 /dev/log
unix 1 [ ] STREAM CONNECTED 1116962 /dev/log
unix 1 [ ] STREAM CONNECTED 1116959
unix 1 [ ] STREAM CONNECTED 1116958
unix 1 [ ] STREAM CONNECTED 1116955
... and 20 to 40 or so more like that then:
unix 1 [ ] STREAM CONNECTED 1116901 /dev/log
unix 0 [ ] STREAM 924323
unix 1 [ ] STREAM CONNECTED 235 /dev/log
My sense is that someone is attacking the system possibly
accidentally and it's about people trying to establish syslog-ng
connections to my (solitary) box ... but I have to recognise that I'm
out of my depth here. Man syslog-ng didn't throw much light on
things for me.
Anyone any advice?
TIA,
Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@psyctc.org
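
Added example, not part of the original post: AF_UNIX sockets such as /dev/log can only be reached by processes on the same host, so a first triage step is to count the connected stream sockets per path in the netstat output and compare that with the limit in the syslog-ng error. The sample lines are taken from the post above (log line unwrapped); the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: lines as quoted in the post above (log line unwrapped).
LOG_LINES = [
    "Mar 21 07:54:51 www syslog-ng[137]: Error accepting AF_UNIX connection, opened connections: 100, max: 100",
] * 2
NETSTAT_LINES = [
    "unix 1 [ ] STREAM CONNECTED 1123334 /dev/log",
    "unix 1 [ ] STREAM CONNECTED 1116966 /dev/log",
    "unix 1 [ ] STREAM CONNECTED 1116959",
    "unix 0 [ ] STREAM 924323",
    "unix 1 [ ] STREAM CONNECTED 235 /dev/log",
]

LIMIT_RE = re.compile(
    r"syslog-ng\[(?P<pid>\d+)\]: Error accepting AF_UNIX connection, "
    r"opened connections: (?P<opened>\d+), max: (?P<max>\d+)"
)
# netstat columns: Proto RefCnt Flags Type [State] I-Node [Path]
UNIX_RE = re.compile(
    r"^unix\s+(?P<ref>\d+)\s+\[(?P<flags>[^\]]*)\]\s+(?P<type>[A-Z]+)\s+"
    r"(?:(?P<state>[A-Z]+)\s+)?(?P<inode>\d+)(?:\s+(?P<path>\S+))?\s*$"
)

def limit_events(lines):
    """Return (pid, opened, max) for each 'Error accepting AF_UNIX' line."""
    return [(int(m["pid"]), int(m["opened"]), int(m["max"]))
            for m in map(LIMIT_RE.search, lines) if m]

def unix_sockets(lines):
    """Parse 'netstat -a' unix-domain rows into dicts; skip other rows."""
    return [m.groupdict() for m in map(UNIX_RE.match, lines) if m]

def summarize(log_lines, netstat_lines):
    """Count connected stream sockets per bound path and report limit hits."""
    socks = unix_sockets(netstat_lines)
    by_path = Counter(s["path"] or "(no path)" for s in socks
                      if s["type"] == "STREAM" and s["state"] == "CONNECTED")
    events = limit_events(log_lines)
    return {
        "limit_hits": len(events),
        "max_connections": max((e[2] for e in events), default=None),
        "connected_by_path": dict(by_path),
    }

if __name__ == "__main__":
    print(summarize(LOG_LINES, NETSTAT_LINES))
```

On a live host, `lsof -U` or `ss -xp` lists the PIDs that own each unix socket, which shows which local process is holding the /dev/log connections.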