Hi!

I left my system on overnight to download a huge package. This morning something strange happened and ended in a reboot. Has this been an attack? No suspicious root logins detected (all from me) ...

Greetings
Uli

/var/log/messages

Nov 4 07:18:46 panama isdnlog: Nov 04 07:18:46 tei 71 calling +49 xxxxxx, Berlin with +49 xxxxx, Nürnberg 423.CI 25.380 DM (after 7:02:00)
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@Nov 4 07:35:50 panama syslogd 1.3-3: restart.
Nov 4 07:35:53 panama named[490]: starting. named 8.2.3-T5B Sat Jul 29 13:24:30 GMT 2000 ^Iroot@Egal:/usr/src/packages/BUILD/bind8-8.2.3/bin/named
Nov 4 07:35:53 panama named[490]: hint zone "" (IN) loaded (serial 0)
Nov 4 07:35:53 panama named[490]: master zone "localhost" (IN) loaded (serial 42)

/var/log/firewall

Nov 4 05:34:18 panama kernel: Packet log: input DENY ippp0 PROTO=6 4.61.240.9:3564 213.61.198.161:25 L=48 S=0x00 I=38526 F=0x4000 T=110 SYN (#27)
Nov 4 05:34:21 panama kernel: Packet log: input DENY ippp0 PROTO=6 4.61.240.9:3564 213.61.198.161:25 L=48 S=0x00 I=38598 F=0x4000 T=110 SYN (#27)
Nov 4 07:35:53 panama kernel: klogd 1.3-3, log source = /proc/kmsg started.
Nov 4 07:35:53 panama kernel: Inspecting /boot/System.map-2.2.16
Nov 4 07:35:53 panama kernel: Loaded 9060 symbols from /boot/System.map-2.2.16.
Nov 4 07:35:53 panama kernel: Symbols match kernel version 2.2.16.
Nov 4 07:35:53 panama kernel: Loaded 111 symbols from 17 modules.
Nov 4 07:35:53 panama kernel: CSLIP: code copyright 1989 Regents of the University of California
My Linux box reboots once a week, but this seems to be a DSL problem. My ISP disconnects me from the Internet every 24h; the 7th kick is the death kick. Maybe you have the same.

Regards

----- Original Message -----
From: "ulschn@home" <ulschn@gmx.net>
To: <suse-security@suse.com>
Sent: Sunday, November 04, 2001 4:12 PM
Subject: [suse-security] been attacked ?

Hi!

I left my system on overnight to download a huge package. This morning something strange happened and ended in a reboot. Has this been an attack? No suspicious root logins detected (all from me) ...

Greetings
Uli

/var/log/messages

Nov 4 07:18:46 panama isdnlog: Nov 04 07:18:46 tei 71 calling +49 xxxxxx, Berlin with +49 xxxxx, Nürnberg 423.CI 25.380 DM (after 7:02:00)
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@Nov 4 07:35:50 panama syslogd 1.3-3: restart.
Nov 4 07:35:53 panama named[490]: starting. named 8.2.3-T5B Sat Jul 29 13:24:30 GMT 2000 ^Iroot@Egal:/usr/src/packages/BUILD/bind8-8.2.3/bin/named
Nov 4 07:35:53 panama named[490]: hint zone "" (IN) loaded (serial 0)
Nov 4 07:35:53 panama named[490]: master zone "localhost" (IN) loaded (serial 42)

/var/log/firewall

Nov 4 05:34:18 panama kernel: Packet log: input DENY ippp0 PROTO=6 4.61.240.9:3564 213.61.198.161:25 L=48 S=0x00 I=38526 F=0x4000 T=110 SYN (#27)
Nov 4 05:34:21 panama kernel: Packet log: input DENY ippp0 PROTO=6 4.61.240.9:3564 213.61.198.161:25 L=48 S=0x00 I=38598 F=0x4000 T=110 SYN (#27)
Nov 4 07:35:53 panama kernel: klogd 1.3-3, log source = /proc/kmsg started.
Nov 4 07:35:53 panama kernel: Inspecting /boot/System.map-2.2.16
Nov 4 07:35:53 panama kernel: Loaded 9060 symbols from /boot/System.map-2.2.16.
Nov 4 07:35:53 panama kernel: Symbols match kernel version 2.2.16.
Nov 4 07:35:53 panama kernel: Loaded 111 symbols from 17 modules.
Nov 4 07:35:53 panama kernel: CSLIP: code copyright 1989 Regents of the University of California
Hi Uli,
> I left my system on overnight to download a huge package. This morning something strange happened and ended in a reboot. Has this been an attack? No suspicious root logins detected (all from me) ...

There's not enough evidence to indicate an attack.

> /var/log/messages
> Nov 4 07:18:46 panama isdnlog: Nov 04 07:18:46 tei 71 calling +49 xxxxxx, Berlin with +49 xxxxx, Nürnberg 423.CI 25.380 DM (after 7:02:00)

This is your last successful log entry.

Many of these deleted....

> @^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@

Check with a binary editor or "od -x" but this looks like null bytes displayed as ctrl-@

> Nov 4 07:35:50 panama syslogd 1.3-3: restart.

And that's the restart. I wouldn't trust the timestamps unless you are sure your hardware clock is kept in sync with the OS. 07:18 is the time known by the OS before the crash. 07:35 is the OS time after it has been reset by the hardware clock.

What you appear to have here is: a known time the computer was operating; a hole in the log maybe caused by the block being in the process of being written at the time of the crash; a known time it was working again.

You now need to check the other logs for entries between the two and look for debris on the file system with timestamps in that range. From these you may be able to piece together events leading to the crash.

I doubt this is really a security issue but you do need to find the cause & fix it.

Good luck.

John
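John's triage steps (confirm the NUL-byte hole, bound it with the last entry before and the first entry after, then pull entries from other logs inside that window) as an added example that is not part of the original thread. The function names and the sample log bytes are constructed for illustration, and the year 2001 is taken from the thread's date because syslog stamps carry none.

```python
import re
from datetime import datetime

# Constructed sample shaped like the thread's /var/log/messages: a NUL-filled
# hole between the last entry before the crash and the syslogd restart.
SAMPLE_MESSAGES = (
    b"Nov  4 07:18:46 panama isdnlog: last entry before the crash\n"
    + b"\x00" * 156
    + b"Nov  4 07:35:50 panama syslogd 1.3-3: restart.\n"
)
# Constructed second log to correlate against the hole.
SAMPLE_FIREWALL = (
    b"Nov  4 05:34:18 panama kernel: Packet log: input DENY ippp0\n"
    b"Nov  4 07:20:02 panama kernel: constructed entry inside the window\n"
    b"Nov  4 07:35:53 panama kernel: klogd 1.3-3 started.\n"
)
# Classic syslog stamp; tolerates "Nov  4", "Nov 4" and "Nov 04".
STAMP = re.compile(rb"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d")

def parse_stamp(raw, year=2001):
    # Syslog stamps carry no year, so the caller supplies it (assumption).
    return datetime.strptime(f"{year} {raw.decode()}", "%Y %b %d %H:%M:%S")

def find_log_holes(data, min_run=16, year=2001):
    """Return (offset, nul_count, last_before, first_after) for each NUL run."""
    holes = []
    for m in re.finditer(rb"\x00{%d,}" % min_run, data):
        before = STAMP.findall(data, 0, m.start())
        after = STAMP.search(data, m.end())
        holes.append((m.start(), m.end() - m.start(),
                      parse_stamp(before[-1], year) if before else None,
                      parse_stamp(after.group(), year) if after else None))
    return holes

def entries_in_window(data, start, end, year=2001):
    """Lines from another log whose stamp falls inside [start, end]."""
    hits = []
    for line in data.replace(b"\x00", b"").splitlines():
        m = STAMP.match(line)
        if m and start <= parse_stamp(m.group(), year) <= end:
            hits.append(line.decode(errors="replace"))
    return hits

if __name__ == "__main__":
    for off, count, before, after in find_log_holes(SAMPLE_MESSAGES):
        print(f"{count} NUL bytes at offset {off}: {before} -> {after}")
        # 'after' is set from the hardware clock at boot, so treat the upper
        # bound as approximate unless that clock is known to be in sync.
        if before and after:
            print(entries_in_window(SAMPLE_FIREWALL, before, after))
```
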
participants (3): dood, John Trickey, ulschn@home