possible attack?

To: debian-isp@lists.debian.org
Subject: possible attack?
From: "Chris Evans" <chris1@psyctc.org>
Date: Thu, 21 Mar 2002 08:51:49 -0000
Message-id: <[🔎] 3C999F25.31553.2D34DAB@localhost>

Logcheck has just reported 29 lines like these:
Mar 21 07:54:51 www syslog-ng[137]: Error accepting AF_UNIX 
connection, opened connections: 100, max: 100
Mar 21 07:54:51 www syslog-ng[137]: Error accepting AF_UNIX 
connection, opened connections: 100, max: 100

and netstat -a shows a lot of connections:

unix  1      [ ]         STREAM     CONNECTED     1123334 /dev/log
unix  1      [ ]         STREAM     CONNECTED     1116966 /dev/log
unix  1      [ ]         STREAM     CONNECTED     1116962 /dev/log
unix  1      [ ]         STREAM     CONNECTED     1116959
unix  1      [ ]         STREAM     CONNECTED     1116958
unix  1      [ ]         STREAM     CONNECTED     1116955
... and 20 to 40 or so more like that then:

unix  1      [ ]         STREAM     CONNECTED     1116901 /dev/log
unix  0      [ ]         STREAM                   924323
unix  1      [ ]         STREAM     CONNECTED     235    /dev/log

My sense is that someone is attacking the system possibly 
accidentally and it's about people trying to establish syslog-ng 
connections to my (solitary) box ... but I have to recognise that I'm 
out of my depth here.  Man syslog-ng didn't throw much light on 
things for me.

Anyone any advice?

TIA,

Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
   and Therapeutic Communities; practice, research, 
   teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@psyctc.org

Reply to:

Follow-Ups:
- Re: possible attack?
  - From: Joerg Wendland <wendland@scan-plus.de>

Prev by Date: RE: ADSL and debian3.0
Next by Date: "Theft" of data and providing the impossible
Previous by thread: Re: Software Raid on root/boot, Woody
Next by thread: Re: possible attack?
Index(es):
- Date
- Thread