On Thu, Dec 11, 2003 at 04:55:06PM +0100, qba (qba@gepard.f-net.pl) wrote:
> Hello.
>
> My woody - with 2.4.22 crashed today.
>
> When I came to see it, the keyboard was blinking with diodes.
> What I had on the monitor was kdb debugging sth. that Oops'ed.
> Unfortunately, due to lack of time (I had to reboot it immediately) and
> lack of knowledge, I didn't analyse what it was debugging.
>
> It seems that there is nothing interesting in the logs except
>
> syslog
> -------------
> Dec 11 12:21:39 gepard tpop3d[3242]: listeners_post_select: client [6]80.51.233.34/gepard: connected
> Dec 11 12:21:40 gepard tpop3d[3242]: authcontext_new_user_pass: began session for `pawlowicz@f-net.pl' with mysql; uid 8, gid 8
> Dec 11 12:21:40 gepard tpop3d[3242]: fork_child: [6]pawlowicz@f-net.pl(80.51.233.34): successfully authenticated with mysql
> Dec 11 12:21:40 gepard tpop3d[3242]: fork_child: new child is PID 15962
> Dec 11 12:21:40 gepard tpop3d[15962]: maildir_new: scanned maildir /var/mail/virt2/f-net.pl/pawlowicz/Maildir/ (0 messages) in 0.000s
> Dec 11 12:21:41 gepard tpop3d[15962]: connections_post_select: client [6]pawlowicz@f-net.pl(80.51.233.34): disconnected; 53/144 bytes read/written
> Dec 11 12:21:41 gepard tpop3d[15962]: authcontext_delete: finished session for `pawlowicz@f-net.pl' with mysql
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Dec 11 12:53:46 gepard syslogd 1.4.1#10: restart (remote reception).
> Dec 11 12:53:46 gepard kernel: klogd 1.4.1#10, log source = /proc/kmsg started.
> Dec 11 12:53:46 gepard kernel: Cannot find map file.
> Dec 11 12:53:46 gepard kernel: Loaded 14 symbols from 2 modules.
> Dec 11 12:53:46 gepard kernel: Linux version 2.4.22-ow1 (root@gepard) (gcc version 2.95.4 20011002 (Debian prerelease)) #4 śro gru 10 17:08:10 CET 2003
> Dec 11 12:53:46 gepard kernel: BIOS-provided physical RAM map:
> Dec 11 12:53:46 gepard kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
>
> #######################################
>
> daemonlog
> -------------------
> Dec 11 12:15:22 gepard dhcpd: DHCPACK on 192.168.40.116 to 00:30:4f:29:b1:55 via eth2
> Dec 11 12:15:52 gepard sslwrap[15665]: connect from 192.168.60.103
> Dec 11 12:16:29 gepard oidentd[15693]: Connection from irc.Prison.NET (208.178.231.190):41438
> Dec 11 12:16:46 gepard oidentd[15708]: Connection from irc.Prison.NET (208.178.231.190):40585
> Dec 11 12:16:59 gepard oidentd[15693]: Timeout for request. Closing connection.
> Dec 11 12:17:16 gepard oidentd[15708]: Timeout for request. Closing connection.
> Dec 11 12:20:54 gepard sslwrap[15924]: connect from 192.168.60.103
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@Dec 11 11:53:47 gepard named[413]: starting BIND 9.2.1 -u nobody -t /var/lib/named
> Dec 11 11:53:47 gepard named[413]: using 1 CPU
> Dec 11 11:53:47 gepard named[417]: loading configuration from '/etc/bind/named.conf'
> Dec 11 11:53:47 gepard named[417]: no IPv6 interfaces found
> Dec 11 11:53:47 gepard named[417]: listening on IPv4 interface lo, 127.0.0.1#53
> Dec 11 11:53:47 gepard named[417]: listening on IPv4 interface eth0, 212.244.107.162#53
> Dec 11 11:53:48 gepard named[417]: listening on IPv4 interface eth1, 212.244.107.163#53
>
> su-2.05a# sysctl -a | grep kdb
> kernel/kdb = 1
>
> qba@gepard:~$ uname -a
> Linux gepard 2.4.22-ow1 #4 śro gru 10 17:08:10 CET 2003 i686 unknown
>
> patches -> imq, htb, xfs, esfq, owl.
>
> cpu pIV, 1GB ram, disks wdc80GB
> 4 nic eepro100
> the machine is running
> tpop3d + mysql, exim4.20 + mysql, squirrelmail, proftpd + mysql
> lstat, ipfm, squid, dhcp, apache, apache-ssl, sshd,
> portsentry, named, courier + sql.
>
>
> What does the quite big number of '@' mean? A successful try of string overflow
> or buffer overflow that resulted in the crash?
>
> The problem is that I don't know what actually Oopsed. There is nothing
> about it in the logs.
>
> Thank you for all suggestions and help.

Well, you're running a brk() vulnerable kernel (2.4.22).

You want a backported patched 2.4.18-12, or 2.4.23, to get around the
userspace kernel buffer overflow.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
    What Part of "Gestalt" don't you understand?
    The black hat community is drooling over the possibility of a secure
    execution environment that would allow applications to run in a secure
    area which cannot be attached to via debuggers.
- Jason Spence, on Palladium aka NGCSB aka "Trusted Computing"
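Added example, not part of the thread and not written by either poster: a small Python triage script for the situation quoted above, which locates runs of NUL bytes in a syslog file and pairs each run with the last entry before it and the first entry after it, so the crash window can be placed on a timeline. The sample log is constructed to mirror the quoted syslog fragment; the names `find_nul_gaps`, `NulGap` and `SAMPLE_LOG` are my own.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample (not the poster's file): two entries, a NUL-filled region
# of the kind quoted in the thread, then the first entry written after reboot.
SAMPLE_LOG = (
    b"Dec 11 12:21:40 gepard tpop3d[3242]: fork_child: new child is PID 15962\n"
    b"Dec 11 12:21:41 gepard tpop3d[15962]: authcontext_delete: finished session\n"
    + b"\x00" * 300 +
    b"Dec 11 12:53:46 gepard syslogd 1.4.1#10: restart (remote reception).\n"
    b"Dec 11 12:53:46 gepard kernel: klogd 1.4.1#10, log source = /proc/kmsg started.\n"
)

SYSLOG_TS = re.compile(rb"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")

class NulGap(NamedTuple):
    offset: int             # byte offset of the first NUL
    length: int             # number of NUL bytes in the run
    before: bytes           # last complete entry before the gap
    after: bytes            # first entry after it (often glued to the NULs)
    seconds: Optional[int]  # wall-clock distance between the two, if both parse

def _stamp(line: bytes) -> Optional[datetime]:
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    # syslog stamps carry no year; strptime's default year is fine for a delta
    return datetime.strptime(m.group(1).decode(), "%b %d %H:%M:%S")

def find_nul_gaps(data: bytes, min_run: int = 16) -> List[NulGap]:
    """Locate runs of at least min_run NUL bytes and bracket each with its
    neighbouring entries. Zero-filled stretches like this typically mean the
    filesystem committed the size extension but the data never reached disk
    before the crash; alone they are not evidence of an overflow, but the
    surrounding entries fix the crash window for the timeline."""
    gaps = []
    for m in re.finditer(rb"\x00{%d,}" % min_run, data):
        head = data[:m.start()].rstrip(b"\n").rsplit(b"\n", 1)[-1]
        tail = data[m.end():].split(b"\n", 1)[0]
        t0, t1 = _stamp(head), _stamp(tail)
        delta = int((t1 - t0).total_seconds()) if t0 and t1 else None
        gaps.append(NulGap(m.start(), len(m.group()), head, tail, delta))
    return gaps

if __name__ == "__main__":
    for g in find_nul_gaps(SAMPLE_LOG):
        print(f"{g.length} NULs at {g.offset}: last {g.before.decode()!r}, "
              f"next {g.after.decode()!r}, gap {g.seconds}s")
```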