
Re: Attack?



On Wed, Jun 11, 2003 at 10:27:52AM +0800, Rolf Schatzmann wrote:
> One of my debian servers (stable) has been locking up over the last
> few         prior to this it has been rock solid for over a year. I
> had suspected that there might be a hardware failure somewhere
> however the last error in Syslog before it locks up is shown
> below, is this a buffer overrun exploit or something?
> Jun 11 01:24:35 mail rpc.statd[269]: gethostbyname error for

That is a *very* old buffer overflow.  It affected Redhat 6.2 or
something.  Potato was originally vulnerable to it, but was patched.
Woody was never vulnerable.

> Jun 11 02:42:25 mail kernel: 62.81.124.205 sent an invalid ICMP error to a
> broadcast.

It's possible that this is a side-effect of something nasty that's going
on.  Certainly 62.81.124.205 is doing something it shouldn't be doing,
but that should not cause your machine to lock up.

Consider using a tool like tcpdump or snort to help you look for
malicious traffic.  I would, however, favor the idea that there's
probably something else causing your machine to crash.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
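
As an added example (not part of the original message or thread), a small Python triage of the two syslog message types quoted above: it flags rpc.statd entries whose argument is not a syntactically valid hostname and counts invalid-ICMP reports per source address. The sample lines, the rpc.statd arguments in them, and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog layout quoted in the thread.
# The rpc.statd arguments are made up (the quoted line is truncated).
SAMPLE_LOG = """\
Jun 11 01:24:35 mail rpc.statd[269]: gethostbyname error for AAAA%%%%[constructed-garbage]
Jun 11 01:30:02 mail rpc.statd[269]: gethostbyname error for oldclient.example.org
Jun 11 02:42:25 mail kernel: 62.81.124.205 sent an invalid ICMP error to a broadcast.
Jun 11 02:42:31 mail kernel: 62.81.124.205 sent an invalid ICMP error to a broadcast.
Jun 11 02:50:00 mail kernel: 192.0.2.7 sent an invalid ICMP error to a broadcast.
"""

STATD = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for(.*)$")
ICMP = re.compile(
    r"kernel: (\d{1,3}(?:\.\d{1,3}){3}) sent an invalid ICMP error to a broadcast"
)
# Syntactic hostname check: dot-separated labels of letters, digits and
# hyphens, 1-63 characters each, at most 253 characters in total.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*$")


def triage(log_text):
    """Return (suspicious rpc.statd lines, Counter of ICMP source IPs)."""
    suspicious = []
    icmp_sources = Counter()
    for line in log_text.splitlines():
        m = STATD.search(line)
        if m:
            # An empty or non-hostname argument is worth a manual look;
            # an ordinary failed lookup of a real name is not flagged.
            if not HOSTNAME.match(m.group(1).strip()):
                suspicious.append(line)
            continue
        m = ICMP.search(line)
        if m:
            icmp_sources[m.group(1)] += 1
    return suspicious, icmp_sources


if __name__ == "__main__":
    flagged, sources = triage(SAMPLE_LOG)
    for line in flagged:
        print("non-hostname rpc.statd argument:", line)
    for ip, count in sources.most_common():
        print(f"{ip}: {count} invalid ICMP error report(s)")
```

Addresses that recur in the ICMP count are natural candidates for a targeted tcpdump or snort capture, as suggested in the reply.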
