Linux Users' Group of Davis (LUGOD)
Page last updated:
2001 Dec 30 17:00

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Router acting funny
  • Subject: Re: [vox-tech] Router acting funny
  • From: Bill Broadley <bill@MAPSmath.ucdavis.edu>
  • Date: Tue, 02 Jan 2001 18:54:55 -0800
  • References: Pine.GSO.4.21.0101021819460.20993-100000@logan.ucdavis.edu

Looks like logrotate has freaked out, might want to make sure
you're running a recent version, I've seen some bugs mentioned/patched.

Top would be more useful than ps as far as what's keeping the
machine busy now.

Looks like logrotate is freaked, 10+ hours of cpu time is WAY too much.

BTW if your machine is really hacked you can't trust ps, syslog, login,
ls, top, etc.

I'd kill logrotate to start, check its logs, check for a new version, check
your config file etc.


On Tue, Jan 02, 2001 at 06:36:27PM -0800, Mark Kim wrote:
> Happy new year, everyone.  I just got back to Davis and noticed the
> harddrive running continuously on the router.  It's so busy I can
> barely log in.
> 
> Checking the log, I see:
> 
> Jan  2 18:03:08 sorrento : Security warning : eth0 is in promiscuous mode.
> Jan  2 18:03:09 sorrento :     A sniffer is probably running on your system.
> Jan  2 18:03:12 sorrento : Security warning : eth1 is in promiscuous mode.
> Jan  2 18:03:14 sorrento :     A sniffer is probably running on your system.
> 
> I did run nmap last quarter on the system so maybe that's what caused it.
> I also see (notice the time interval):
> 
> ...
> Jan  1 07:13:05 sorrento syslogd 1.3-3: restart.
> Jan  1 07:17:08 sorrento syslogd 1.3-3: restart.
> Jan  1 07:21:04 sorrento syslogd 1.3-3: restart.
> Jan  1 07:26:54 sorrento syslogd 1.3-3: restart.
> Jan  1 07:31:52 sorrento syslogd 1.3-3: restart.
> Jan  1 07:36:36 sorrento syslogd 1.3-3: restart.
> Jan  1 07:40:44 sorrento syslogd 1.3-3: restart.
> Jan  1 07:43:59 sorrento syslogd 1.3-3: restart.
> ...
> 
> (The same happens on December 31st and 24th).  Also portsentry
> attempted to block out the following servers (which it couldn't because of
> the way I set up my tcp wrapper):
> 
> ALL: 63.197.184.28
> ALL: 211.39.97.178
> ALL: 211.44.132.16
> ALL: 216.250.78.210
> ALL: 61.139.83.154
> ALL: 211.47.221.2
> ALL: 211.44.188.66
> 
> Here's my `ps aefxwww` output (trimmed to 80 columns):
> 
>   PID TTY      STAT   TIME COMMAND
>     1 ?        S      0:10 init [3] HOME=/ TERM=linux BOOT_IMAGE=linux-fb
>     2 ?        SW     0:54 [kflushd]
>     3 ?        SW     0:29 [kupdate]
>     4 ?        SW     0:00 [kpiod]
>     5 ?        SW    60:53 [kswapd]
>     6 ?        SW<    0:00 [mdrecoveryd]
>   336 ?        S     21:28 syslogd -m 0 PWD=/ HOSTNAME=sorrento.localnet.enet CO
>   357 ?        S      0:10 crond PWD=/ HOSTNAME=sorrento.localnet.enet CONSOLE=/
>  4479 ?        SW     0:00  \_ [crond]
>  4481 ?        SW     0:00  |   \_ [run-parts]
>  4499 ?        SW     0:00  |   |   \_ [logrotate]
>  4500 ?        D    733:51  |   |       \_ /usr/sbin/logrotate /etc/logrotate.co
>  4501 ?        SW     0:00  |   \_ [sendmail]
> 22404 ?        SW     0:00  \_ [crond]
> 22407 ?        SW     0:00  |   \_ [security.sh]
> 22424 ?        DN    21:55  |       \_ /usr/bin/msec_find / /home /usr/local PWD
> 22447 ?        SW     0:00  \_ [crond]
> 22449 ?        SW     0:00  |   \_ [run-parts]
> 22467 ?        SW     0:00  |   |   \_ [logrotate]
> 22468 ?        D     92:44  |   |       \_ /usr/sbin/logrotate /etc/logrotate.co
> 22469 ?        SW     0:00  |   \_ [sendmail]
>  9610 ?        SW     0:00  \_ [crond]
>  9613 ?        SW     0:00  |   \_ [security.sh]
>  9630 ?        DN    21:48  |       \_ /usr/bin/msec_find / /home /usr/local PWD
>  9652 ?        S      0:00  \_ CROND PWD=/ HOSTNAME=sorrento.localnet.enet CONSO
>  9654 ?        S      0:00  |   \_ bash /usr/bin/run-parts /etc/cron.daily PWD=/
> 31797 ?        S      0:00  |   |   \_ sh /etc/cron.daily/slocate.cron PWD=/ HOS
> 31798 ?        R      2:37  |   |       \_ /usr/bin/slocate -u -f NFS,SMBFS,NCPF
>  9674 ?        SW     0:00  |   \_ [sendmail]
> 24294 ?        SW     0:00  \_ [crond]
> 24296 ?        SW     0:00      \_ [run-parts]
> 24314 ?        SW     0:00      |   \_ [logrotate]
> 24315 ?        D     31:19      |       \_ /usr/sbin/logrotate /etc/logrotate.co
> 24316 ?        SW     0:00      \_ [sendmail]
>   383 ?        SW     0:00 [lpd]
>   440 ?        SW     0:02 [gpm]
>   454 ?        S      0:09 xfs -port -1 -daemon PWD=/ HOSTNAME=sorrento.localnet
>   502 ?        S      0:03 /usr/local/sbin/sshd PWD=/ HOSTNAME=sorrento.localnet
> 31381 ?        S      0:12  \_ /usr/local/sbin/sshd PWD=/ HOSTNAME=sorrento.loca
> 31824 pts/0    S      0:00      \_ -bash HOME=/home/vin USER=vin LOGNAME=vin PAT
> 31851 pts/0    S      0:00          \_ su PWD=/home/vin XAUTHORITY=/home/vin/.Xa
> 31852 pts/0    S      0:00              \_ bash PWD=/home/vin XAUTHORITY=/home/v
> 32003 pts/0    R      0:00                  \_ ps aefxwww PWD=/var/log XAUTHORIT
>   652 ?        S      0:16 /usr/local/pkg/psionic/portsentry/portsentry -atcp PW
>   655 ?        S      0:00 /usr/local/pkg/psionic/portsentry/portsentry -audp PW
>   657 tty1     S     44:13 perl -w /usr/local/sbin/voicebox tty1 HOME=/ TERM=lin
>   660 tty4     SW     0:00 [mingetty]
>  4163 ?        SW     0:00 [inetd]
> 30771 ?        S      0:00 /sbin/vgetty ttyS0 HOME=/ TERM=linux BOOT_IMAGE=linux
> 31392 tty2     S      0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linu
> 31823 tty3     S      0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linu
> 
> Can anyone see what's going on?  Thanks!
> 
> ---
> Mark K. Kim
> http://www.cbreak.org/mark/
> PGP key available upon request.
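The checks a responder would script before choosing between "logrotate loop" and "compromised host", run over the log and ps lines quoted in the thread. This is an added example, not code from either poster or from LUGOD. The sample inputs are copied from Mark's message (reduced to the rows and columns needed, still cut at 80 columns as in the post, so the truncated `/etc/logrotate.co` path is left as it appears there); the year 2001 is assumed because syslog timestamps carry none, and the thresholds (90 CPU minutes, 600 seconds between restarts) are assumptions, not values from the thread.

```python
"""Triage the symptoms in the thread: promiscuous interfaces, a syslogd
restart storm, runaway and piled-up cron jobs. Added example; all inputs
are copied from the quoted post and all thresholds are assumptions."""
import os
import re
from collections import Counter
from datetime import datetime

# Syslog lines copied from Mark's message (syslog format has no year).
SYSLOG_SAMPLE = """\
Jan  1 07:13:05 sorrento syslogd 1.3-3: restart.
Jan  1 07:17:08 sorrento syslogd 1.3-3: restart.
Jan  1 07:21:04 sorrento syslogd 1.3-3: restart.
Jan  1 07:26:54 sorrento syslogd 1.3-3: restart.
Jan  1 07:31:52 sorrento syslogd 1.3-3: restart.
Jan  1 07:36:36 sorrento syslogd 1.3-3: restart.
Jan  1 07:40:44 sorrento syslogd 1.3-3: restart.
Jan  1 07:43:59 sorrento syslogd 1.3-3: restart.
Jan  2 18:03:08 sorrento : Security warning : eth0 is in promiscuous mode.
Jan  2 18:03:09 sorrento :     A sniffer is probably running on your system.
Jan  2 18:03:12 sorrento : Security warning : eth1 is in promiscuous mode.
Jan  2 18:03:14 sorrento :     A sniffer is probably running on your system.
"""

# Selected rows of the `ps aefxwww` output above, cut at 80 columns as posted
# (paths truncated in the post are left truncated here).
PS_SAMPLE = r"""
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:10 init [3] HOME=/ TERM=linux BOOT_IMAGE=linux-fb
    5 ?        SW    60:53 [kswapd]
  336 ?        S     21:28 syslogd -m 0 PWD=/ HOSTNAME=sorrento.localnet.enet CO
  357 ?        S      0:10 crond PWD=/ HOSTNAME=sorrento.localnet.enet CONSOLE=/
 4479 ?        SW     0:00  \_ [crond]
 4481 ?        SW     0:00  |   \_ [run-parts]
 4499 ?        SW     0:00  |   |   \_ [logrotate]
 4500 ?        D    733:51  |   |       \_ /usr/sbin/logrotate /etc/logrotate.co
22424 ?        DN    21:55  |       \_ /usr/bin/msec_find / /home /usr/local PWD
22468 ?        D     92:44  |   |       \_ /usr/sbin/logrotate /etc/logrotate.co
 9630 ?        DN    21:48  |       \_ /usr/bin/msec_find / /home /usr/local PWD
31798 ?        R      2:37  |   |       \_ /usr/bin/slocate -u -f NFS,SMBFS,NCPF
24315 ?        D     31:19      |       \_ /usr/sbin/logrotate /etc/logrotate.co
  657 tty1     S     44:13 perl -w /usr/local/sbin/voicebox tty1 HOME=/ TERM=lin
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
PROMISC_RE = re.compile(r"Security warning : (\S+) is in promiscuous mode")
PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+((?:\d+:)?\d+:\d\d)\s+(.*)$")


def parse_syslog(text, year=2001):
    """Return [(timestamp, host, message)] for each syslog line; year is assumed."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def promiscuous_interfaces(events):
    """Interfaces the kernel reported as promiscuous (sniffer, or a leftover nmap/tcpdump)."""
    found = set()
    for _, _, msg in events:
        m = PROMISC_RE.search(msg)
        if m:
            found.add(m.group(1))
    return sorted(found)


def restart_intervals(events, daemon="syslogd"):
    """Seconds between consecutive '<daemon> ...: restart.' entries, in log order."""
    times = [ts for ts, _, msg in events
             if msg.startswith(daemon) and msg.rstrip().endswith("restart.")]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def is_restart_storm(intervals, max_gap_seconds=600, min_restarts=3):
    """True when the daemon is restarted repeatedly minutes apart.

    logrotate normally HUPs syslogd once a day from its postrotate script; a
    run of restarts minutes apart means something is rotating in a loop, or
    something is bouncing the logger to cover its tracks."""
    return bool(intervals) and len(intervals) + 1 >= min_restarts \
        and max(intervals) <= max_gap_seconds


def parse_ps(text):
    """Parse `ps aefxwww`-style rows (PID TTY STAT TIME COMMAND) into dicts."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue  # header or blank line
        pid, tty, stat, cputime, rest = m.groups()
        parts = [int(p) for p in cputime.split(":")]  # MM:SS or HH:MM:SS
        minutes = (parts[0] * 60 + parts[1]) if len(parts) == 3 else parts[0]
        minutes += parts[-1] / 60
        cmdline = re.sub(r"^[\s|\\_]+", "", rest)  # drop the `ps f` tree drawing
        first = cmdline.split()[0] if cmdline.split() else ""
        procs.append({"pid": int(pid), "tty": tty, "stat": stat,
                      "cpu_minutes": minutes, "cmdline": cmdline,
                      "exe": os.path.basename(first.strip("[]")),
                      "swapped_out": first.startswith("[")})
    return procs


def runaway_processes(procs, min_cpu_minutes=90):
    """PIDs with more accumulated CPU than the (assumed) threshold, biggest first."""
    hot = [p for p in procs if p["cpu_minutes"] >= min_cpu_minutes]
    return [p["pid"] for p in sorted(hot, key=lambda p: -p["cpu_minutes"])]


def overlapping_jobs(procs):
    """Executables with more than one live instance: daily cron runs piling up."""
    counts = Counter(p["exe"] for p in procs if not p["swapped_out"])
    return {exe: n for exe, n in counts.items() if n > 1}


def stuck_in_disk_wait(procs):
    """PIDs in uninterruptible sleep (STAT 'D'): a kill will not take until the I/O returns."""
    return [p["pid"] for p in procs if p["stat"].startswith("D")]


def triage(syslog_text=SYSLOG_SAMPLE, ps_text=PS_SAMPLE):
    """Run every check and return one summary dict."""
    events, procs = parse_syslog(syslog_text), parse_ps(ps_text)
    intervals = restart_intervals(events)
    return {"promiscuous": promiscuous_interfaces(events),
            "syslogd_restart_intervals": intervals,
            "restart_storm": is_restart_storm(intervals),
            "runaway_pids": runaway_processes(procs),
            "overlapping_jobs": overlapping_jobs(procs),
            "disk_wait_pids": stuck_in_disk_wait(procs)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two caveats go with this. First, the ps rows show every logrotate in state D (uninterruptible sleep), so the "kill logrotate" advice will only take effect once the blocked I/O returns; checking which file it is stuck on (via lsof or /proc/PID/fd) is the next step. Second, as the reply notes, on a genuinely compromised box ps and syslog themselves may have been replaced, so this kind of parsing is only as trustworthy as the binaries that produced the input; compare the PIDs ps reports against a raw listing of /proc, or boot clean media, before believing a negative result.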

