Hi all,

I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:

Dec 28 09:21:10 server -- MARK --
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
[many many more of this]
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 28 14:34:46 server syslogd 1.3-3: restart.

This server is connected to the internet via ADSL and sits behind a ZyXEL Prestige 310 where port 22 is NATed to the server. This is for remote administration - everything else on the ZyXEL is closed to the outside world.

Looks to me like a buffer overflow with following crash, but then there is this time gap between the long line of ^@'s and the server restart 09:21 - 14:34 which worries me. I have not reached anyone there so I'll have to wait until next week to find out whether they maybe did a hard-boot or something.

last shows:

reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48)
reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26)

Checking the system with chkrootkit gave me only one weird line:

Checking `wted'... 1 deletion(s) between Fri Dec 28 11:56:50 2001 and Fri Dec 28 11:56:50 2001

Anyway, I wondered if anyone has seen something similar yet and if I have to worry.

Thanks in advance for your input.

Erwin

Hi,

> Dec 28 09:21:10 server -- MARK --
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> [many many more of this]
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> Dec 28 14:34:46 server syslogd 1.3-3: restart.

Snip

> reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48)
> reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26)

Snip

> Anyway, I wondered if anyone has seen something similar yet and if I have to worry.

The ^@ (ASCII 00)'s are not unusual in a system crash; however, there are questions to be asked. Start with "what happened to the reboot at 11:56? Why no syslog entry?". Also look for physical causes. Power failure/glitch. Any other equipment affected?

HTH
John

John Trickey wrote:
> Hi,
>
> > Dec 28 09:21:10 server -- MARK --
> > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> > [many many more of this]
> > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@
> > Dec 28 14:34:46 server syslogd 1.3-3: restart.
>
> Snip
>
> > reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48)
> > reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26)
>
> Snip
>
> > Anyway, I wondered if anyone has seen something similar yet and if I have to worry.
>
> The ^@ (ASCII 00)'s are not unusual in a system crash; however, there are questions to be asked. Start with "what happened to the reboot at 11:56? Why no syslog entry?". Also look for physical causes. Power failure/glitch. Any other equipment affected?
>
> HTH
> John

Problem is that this place is closed and I cannot contact anyone right now. At the moment I tend to think it was a 'normal' system crash i.e. someone hitting the reset button (probably trying to turn on the machine when it was actually running - yes my users do that...). All further investigation so far has not yielded any more suspicious results so I will contact the people on Jan 2nd. Thanks everyone for your input! Erwin
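
A triage check for the pattern discussed in this exchange, as an added example that is not part of the original posts: the Python below finds NUL-byte runs in a syslog file, reports the log entries on either side, and lists boots recorded by `last` that fall inside the gap without a syslog entry. The sample log and boot times are constructed from the excerpt quoted above; the function names, the `year` argument and the two-minute slack are assumptions.

```python
import re
from datetime import datetime, timedelta

TS = re.compile(rb"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ", re.M)

def _stamp(raw, year):
    # Classic syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {raw.decode('ascii')}", "%Y %b %d %H:%M:%S")

def find_nul_gaps(data, year, min_run=16):
    """One record per run of >= min_run NUL bytes, with the entries around it."""
    findings = []
    for run in re.finditer(rb"\x00{%d,}" % min_run, data):
        before = TS.findall(data[:run.start()])
        after = TS.search(data[run.end():])
        t0 = _stamp(before[-1], year) if before else None
        t1 = _stamp(after.group(1), year) if after else None
        if t0 and t1 and t1 < t0:            # log crossed New Year
            t1 = t1.replace(year=year + 1)
        findings.append({
            "offset": run.start(),
            "nul_bytes": run.end() - run.start(),
            "last_entry_before": t0,
            "first_entry_after": t1,
            "gap": (t1 - t0) if t0 and t1 else None,
        })
    return findings

def unlogged_boots(finding, boot_times, slack=timedelta(minutes=2)):
    """Boots from `last` that fall inside the gap and left no syslog entry.
    `last` has minute resolution, so a boot within `slack` of the first
    entry after the gap is treated as the one that produced that entry."""
    t0, t1 = finding["last_entry_before"], finding["first_entry_after"]
    if not (t0 and t1):
        return []
    return [b for b in boot_times if t0 < b < t1 - slack]

# Constructed sample: same shape as the excerpt in the thread, NUL run shortened.
SAMPLE = (b"Dec 28 09:01:10 server -- MARK --\n"
          b"Dec 28 09:21:10 server -- MARK --\n" + b"\x00" * 4096 +
          b"Dec 28 14:34:46 server syslogd 1.3-3: restart.\n")
BOOTS = [datetime(2001, 12, 28, 11, 56), datetime(2001, 12, 28, 14, 34)]  # from `last`

if __name__ == "__main__":
    for f in find_nul_gaps(SAMPLE, 2001):
        print(f["nul_bytes"], "NUL bytes at offset", f["offset"], "gap", f["gap"])
        print("boots with no syslog entry:", unlogged_boots(f, BOOTS))
```

On a real host, read the file in binary mode (`open("/var/log/messages", "rb").read()`) so the NUL bytes survive, and build the boot list from the `last` output.
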
On Sunday, 30 December 2001 11:38, Erwin Zierler - stubainet.at wrote:
> Hi all,
>
> I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
>
> Dec 28 09:21:10 server -- MARK -- ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
>
> Anyway, I wondered if anyone has seen something similar yet and if I have to worry.

I've seen the very same symptoms after system crashes in different log files. The filesystem is reiserfs. I don't know if this has something to do with it. Sometimes there have been kde config files affected the same way, which afterwards crashed KDE when trying to read them. For me it's pretty sure that this is no hack.

Joachim
-- 
Joachim Weller
Philips Medizinsysteme Boeblingen GmbH    Mail: joachim_weller@hsgmed.com
Cardiac and Monitoring Systems (CMS)      Phone: {+49|0}-7031-463-1891
New Product Engineering                   Fax: {+49|0}-7031-463-2112
Hewlett-Packard Str. 2, D 71034 Boeblingen -GERMANY-

--- Joachim Weller <joachim_weller@hsgmed.com> wrote:
> On Sunday, 30 December 2001 11:38, Erwin Zierler - stubainet.at wrote:
> > Hi all,
> >
> > I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
> >
> > Dec 28 09:21:10 server -- MARK --
> > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
> >
> > Anyway, I wondered if anyone has seen something similar yet and if I have to worry.
>
> I've seen the very same symptoms after system crashes in different log files. The filesystem is reiserfs. I don't know if this has something to do with it. Sometimes there have been kde config files affected the same way, which afterwards crashed KDE when trying to read them. For me it's pretty sure that this is no hack.

Even worse - it sometimes affects binary files! And then afterwards when you try to execute it, you get "binary format error" or "not ELF-header found" :( Some people told me it's reiserfs, and some others - that it's kernel 2.4.x... Does anyone have an idea what can be done against this?

Eduard

Hi Eduard,

I've had similar experiences with reiserfs and ever since I've used ext3, which has never caused any troubles to me. Take a look at it, I'm very satisfied with it.

Best regards,
Ralf Ronneburger

Eduard Avetisyan wrote:
> --- Joachim Weller <joachim_weller@hsgmed.com> wrote:
> > On Sunday, 30 December 2001 11:38, Erwin Zierler - stubainet.at wrote:
> > > Hi all,
> > >
> > > I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
> > >
> > > Dec 28 09:21:10 server -- MARK --
> > > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
> > >
> > > Anyway, I wondered if anyone has seen something similar yet and if I have to worry.
> >
> > I've seen the very same symptoms after system crashes in different log files. The filesystem is reiserfs. I don't know if this has something to do with it. Sometimes there have been kde config files affected the same way, which afterwards crashed KDE when trying to read them. For me it's pretty sure that this is no hack.
>
> Even worse - it sometimes affects binary files! And then afterwards when you try to execute it, you get "binary format error" or "not ELF-header found" :( Some people told me it's reiserfs, and some others - that it's kernel 2.4.x... Does anyone have an idea what can be done against this?
>
> Eduard

On 07.01.02 15:59:54, Eduard Avetisyan <dich_ed@yahoo.com> wrote:
> --- Joachim Weller <joachim_weller@hsgmed.com> wrote:
> > On Sunday, 30 December 2001 11:38, Erwin Zierler - stubainet.at wrote:
> > > Hi all,
> > >
> > > I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
> > >
> > > Dec 28 09:21:10 server -- MARK --
> > > ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
> > >
> > > Anyway, I wondered if anyone has seen something similar yet and if I have to worry.
> >
> > I've seen the very same symptoms after system crashes in different log files. The filesystem is reiserfs. I don't know if this has something to do with it. Sometimes there have been kde config files affected the same way, which afterwards crashed KDE when trying to read them. For me it's pretty sure that this is no hack.
>
> Even worse - it sometimes affects binary files! And then afterwards when you try to execute it, you get "binary format error" or "not ELF-header found" :( Some people told me it's reiserfs, and some others - that it's kernel 2.4.x... Does anyone have an idea what can be done against this?
>
> Eduard

I have SuSE 7.3 PRO and reiserfs too. The problems appeared two weeks ago, but the router runs about 2 months ......!

greez,
jim

I have the same problem on 7.1 (2.4.0) on a mail server with raid 5 on 4 SCSI disks. It happened with e-mails, messages and logs. Having this with the e-mails has been a pain because the users couldn't download the mail from the server. At the beginning I thought it was the raid (which isn't true because I have the same configuration on other machines, at least I think so). My friend and I have configured other 2 machines in the same way with SuSE 7.1 kernel 2.4.0, still the same problem. Recently we have installed the 7.3 and it seems that the problem has disappeared. On the 7.2 I haven't encountered the problem yet. All machines have the filesystem reiserfs. I really don't know about other distributions, but I really think it is a kernel problem.

On 7 Jan 2002 at 14:18, Joachim Weller wrote:
> On Sunday, 30 December 2001 11:38, Erwin Zierler - stubainet.at wrote:
> > Hi all,
> >
> > I have recently found the following lines in /var/log/messages on one of my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
> >
> > Dec 28 09:21:10 server -- MARK -- ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^
> >
> > Anyway, I wondered if anyone has seen something similar yet and if I have to worry.
>
> I've seen the very same symptoms after system crashes in different log files. The filesystem is reiserfs. I don't know if this has something to do with it. Sometimes there have been kde config files affected the same way, which afterwards crashed KDE when trying to read them. For me it's pretty sure that this is no hack.
>
> Joachim
> -- 
> Joachim Weller
> Philips Medizinsysteme Boeblingen GmbH    Mail: joachim_weller@hsgmed.com
> Cardiac and Monitoring Systems (CMS)      Phone: {+49|0}-7031-463-1891
> New Product Engineering                   Fax: {+49|0}-7031-463-2112
> Hewlett-Packard Str. 2, D 71034 Boeblingen -GERMANY-

On Monday, 7 January 2002 16:45, Marian wrote:
> I have the same problem on 7.1 (2.4.0) on a mail server with raid 5 on 4 SCSI disks. It happened with e-mails, messages and logs. [...] My friend and I have configured other 2 machines in the same way with SuSE 7.1 kernel 2.4.0, still the same problem. Recently we have installed the 7.3 and it seems that the problem has disappeared. On the 7.2 I haven't encountered the problem yet.

My machine(s) indeed run SuSE-7.2, but with standard self compiled Kernel (now 2.4.16) on a Dual Pentium-Pro SMP machine. The problem was the same with older Versions of SuSE and older SMP Kernels (2.4), all with reiser filesystems. It mainly occurs when I was forced to "Hard-" power off due to system hangs by cutting off Power. I suspect BIOS/PCI/APIC Interrupt-share Problems for the hangs on my old Mainboard hp Vectra XU6/200. During boot I always get:

--------------------------------------------------
<4>ENABLING IO-APIC IRQs
<3>BIOS bug, IO-APIC#0 ID is 16 in the MPC table!...
<3>... fixing up to 0. (tell your hw vendor)
<3>BIOS bug, IO-APIC#0 ID 0 is already used!...
<3>... fixing up to 2. (tell your hw vendor)
<6>...changing IO-APIC physical APIC ID to 2 ... ok.
---------------------------------------------------

Luckily this happens pretty seldom, once in a couple of months.

Joachim
-- 
Joachim Weller
Philips Medizinsysteme Boeblingen GmbH    Mail: joachim_weller@hsgmed.com
Cardiac and Monitoring Systems (CMS)      Phone: {+49|0}-7031-463-1891
New Product Engineering                   Fax: {+49|0}-7031-463-2112
Hewlett-Packard Str. 2, D 71034 Boeblingen -GERMANY-

On Tuesday 08 January 2002 06:38 am, Joachim Weller wrote:
> It mainly occurs when I was forced to "Hard-" power off due to system hangs by cutting off Power. I suspect BIOS/PCI/APIC Interrupt-share Problems for the hangs on my old Mainboard hp Vectra XU6/200. During boot I always get:

When it hangs.... You too? I REALLY like Dualies for linux, but of all the boxes I've put up with reiserfs, it's only the dual processor boxes that hang. It's not just Suse either, I used to have this one on Turbolinux and moved to Suse cuz I thought Turbo was hanging too much. My single processor boxes never hang. Never!! And some of them are reiserfs too. (Various Distros). I get a lot of apic errors, and can't find anything on the web as to what to do about them. I only get them on the dual Celery boxes, not on the dual PII boxes.

-- 
_________________________________
John Andersen / Juneau Alaska

* John Andersen (jsa@pen.homeip.net) [020108 19:45]:
> I get a lot of apic errors, and can't find anything on the web as to what to do about them. I only get them on the dual Celery boxes, not on the dual PII boxes.

You can always boot with the 'disableapic' option but I'm not sure if something bad will happen on an smp machine. 7.3 has apic enabled by default and it's caused a few problems. But let's get back on topic now...

-- 
-ckm

SuSE personal firewall is for "personal computer" setups, that is, computers that are not (always) connected to the same LAN. Chrony is to set the time on computers that are only part-time connected to the net. If the computer were connected to the net all the time you would simply use ntp. It seems like the 2 sets intersect.

Question: How does a chrony user create a UDP=123 hole for chrony so that it can receive the time?

Thank You.

-- 
Paul Elliott                       1(512)837-1096
pelliott@io.com                    PMB 181, 11900 Metric Blvd Suite J
http://www.io.com/~pelliott/pme/   Austin TX 78758-3117

participants (10)
- aliu
- Christopher Mahmood
- Eduard Avetisyan
- Erwin Zierler - stubainet.at
- Joachim Weller
- John Andersen
- John Trickey
- Marian
- Paul Elliott
- Ralf Ronneburger