Re: [suse-security] Reasons for a system to freeze?
Sven Michels wrote:
alter ego wrote:
My Linux box (SuSE 7.1, X, harden_suse) did strange things this morning and I wonder if there are some likely explanations or if this could be an attack:
- while opening a large mail (about 245 K) with the Netscape Mail Client, Netscape stopped responding to user input (window was not repainted as well)
- I tried switching to an open X-Term, but was not able to move the focus to that window
- Switched to another console, logged in and tried killing the netscape process -> console ceased accepting input
- Logged in remotely via ssh, which at first worked, but behaved weirdly (keystrokes were not displayed until the next key pressed)
- then ssh ceased accepting input as well
- switched the box off (Painful) and rebooted and everything worked
- checked the log files (also firewall logs - I am behind a corporate FW), but could not find anything
While this might not be a security related problem I'd appreciate any hints/tips/advice from the experts here.
Did you test to open the mail again after the reboot? Maybe it's some mad code in it? Netscape also has many memleaks .. maybe you've just read the mail on the wrong day for netscape [;)] I would check the mail for some mad code. Did you see the load of the machine?
I have had this happen several (at least 30-40 times over the past 3 weeks) times. It happens with either Netscape (reading mail or viewing a page) or RealPlayer. Nothing ever gets written to the log (or on console 10) to help point out the problem and when I read the e-mail after a rather painful reboot or return to the web page, no problem whatsoever. This rebooting thing was the main reason I stopped using Windows in 1994. I am very interested in solving this problem, but I have no idea where to begin to look. My guess is that this is security related as there is undoubtedly a memory leak somewhere, and where there is a memory leak, there is an exploit waiting to happen.

Any help would be greatly appreciated!!!!!!

Dave H

System:
- Intel PIII 733 MHz (SMP, but only one processor installed)
- multiple PCI buses (2)
- matrox G400 dual head
- SuSE 7.1 with harden_suse
- reiser_fs on /, ext2 on /boot
- netscape6 and realplayer8
- also cannot do a ps after netscape or realplayer hang

PS Sorry Sven for sending this straight to you. I had intended to send this to the list. Not enough coffee yet this morning ;^)

--
David A. Henderson, M.Sc.
G. Cunningham Fellow
Interdepartmental Genetics Program
Department of Dairy Science
2010 Litton Reaves Hall
Virginia Polytechnic Institute and State University
Blacksburg, VA 24061 USA
Phone: (540)231-4773 Fax: (540)231-5014
mailto://DHenders@VT.Edu
http://www.dasc.vt.edu/henderson/dhenderson.html
Guys, your problem descriptions lack a simple detail: The kernel version.
Thanks,
Roman.

--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security, Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
Roman Drahtmueller wrote:
Guys, your problem descriptions lack a simple detail: The kernel version.
2.4.0-64GB-SMP

I cannot use the 2.2.18 kernel since I have multiple PCI buses. I have tried using the 2.4.3 kernel from the SuSE source, but I have not had the time to fix the other issues (usbmgr, audio, etc...). Thanks and sorry!!

Dave H

--
David A. Henderson, M.Sc.
G. Cunningham Fellow
Interdepartmental Genetics Program
Department of Dairy Science
2010 Litton Reaves Hall
Virginia Polytechnic Institute and State University
Blacksburg, VA 24061 USA
Phone: (540)231-4773 Fax: (540)231-5014
mailto://DHenders@VT.Edu
http://www.dasc.vt.edu/henderson/dhenderson.html
If anybody gets mails multiple times, please send all copies to draht@suse.de, including _all_ header lines that you have.

Please try to compile ftp.suse.com/pub/people/mantel/next/linux-2.4.3.SuSE-7.tgz . This is the most recent kernel in our row, and it runs quite stable so far.

As far as this kernel issue is concerned, I'm afraid to say that it's not a security issue any more, except for the bugs in 2.2.18- and the packetfilter bug in 2.4.2.
Roman.

--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security, Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
While we're on the subject: I noticed a 2.2.19 kernel in there as well. I assume that one includes all the SuSE patches? Can we use it or are there still some issues with it (since it's not in the update section yet)?

Stefan
Use that one, yes. There's also the patch provided with it (the one we apply against vanilla), lying in the same directory.
Roman.

--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security, Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
David Henderson wrote:
[Problem]

maybe some ulimits or something like that are set to hard?

PS Sorry Sven for sending this straight to you. I had intended to send this to the list. Not enough coffee yet this morning ;^)

No prob ;) today we're all tired ;) maybe the listadmin should set a default reply-to to the mailinglist? I've the same problem sometimes ;)
--
With kind regards / best regards,
Sven Michels
Network Operating Center / Infrastructure
intraDAT AG
Wilhelm Leuschner Strasse 7 u. 9-11
60329 Frankfurt / Germany
Tel: +49 69 256 29 - 0
Fax: +49 69 256 29 - 256
http://www.intradat.com
participants (4)
- David Henderson
- Roman Drahtmueller
- Stefan Suurmeijer
- Sven Michels