From scandog at maceeliason.com Tue Jun 13 17:30:28 2006
From: scandog at maceeliason.com (scandog)
Date: Tue, 13 Jun 2006 10:30:28 -0700
Subject: [tinysofa-discuss] Perl 99% cpu
Message-ID: <448EF634.5030905@maceeliason.com>

Hi,

I have been getting quite a few hits lately on one of my websites. It is a Mambo website. I noticed on Sat that accessing the server was down to a crawl. I finally had to shut it off and restart it. Today I noticed similar problems but not as bad. I ssh'd into it and ran top and found that perl was using 99.9% of the CPU cycles. I don't think I have anything that uses perl that I am aware of. I killed the process and things are working fine.

How can I tell if I am being hacked?

I am running tinysofa 2 enterprise. I have tried to do an apt-get update but it goes through and then says I need to run it again. I installed and ran chkrootkit and it says that is fine.

Thanks for any help.

From joseparrella at cantv.net Tue Jun 13 17:20:12 2006
From: joseparrella at cantv.net (Jose Parrella)
Date: Tue, 13 Jun 2006 13:20:12 -0400
Subject: [tinysofa-discuss] Perl 99% cpu
In-Reply-To: <448EF634.5030905@maceeliason.com>
References: <448EF634.5030905@maceeliason.com>
Message-ID: <20060613132012.365780c2@localhost.localdomain>

On Tue, 13 Jun 2006 10:30:28 -0700 scandog wrote:

> How can I tell if I am being hacked?

What is running on port 80 TCP? Is something connecting to port 6667 TCP from your machine? Use ps aux, netstat -vatun, lsof and fuser to get information about this.

Instead of chkrootkit, I would rather use rkhunter, but I don't know if it's available through apt-get in TinySofa. Download the sources and proceed accordingly. Most likely there will be other OS applications you can use to check if the running binaries' MD5 checksums match the ones in the local database (if they are not corrupted).

You can also check the common utilities like ls, cp, mv with file (file `which ls`), which will report broken binaries if you have been root-kitted.
These are just some very basic indicators. Please expect more replies on this topic.

Jose

From 992571 at gmx.de Thu Jun 15 11:17:12 2006
From: 992571 at gmx.de (Benni Graf)
Date: Thu, 15 Jun 2006 13:17:12 +0200
Subject: [tinysofa-discuss] Lot of logfiles in var/log worries me
Message-ID: <449141B8.5070109@gmx.de>

Hi there!

I just recognized that in my /var/log dir there are more than 20,000 files called log.*, where * is an IP address (nearly 20,000 times) or a more or less random string, from some names ('billgates', i.e. ;-) ) to totally random strings like '2j9x3qod2bm8ghd'... Nearly half of these files are empty (0b), the other half are some bytes big (less than 1k). And some files are even bigger (up to 50kb) - but only about 150 or so. Some of these big ones have names of hosts in their names (i.e. log.jonny or log.belinda, where jonny and belinda are hosts in my network). Some others are named like daemons (found exactly two: log.smbd and log.nmbd). Of these bigger files, there also seems to be some kind of log rotation, as there are also files called log.jonny.old and so on...

I don't really worry about these bigger files, although I don't know where they come from. But I'm really curious about all these little files, as I don't want them to turn my var/log dir into a trash dir...

The content of those small files always follows a specific scheme:

[2005/11/27 18:04:34, 1] libsmb/clispnego.c:parse_negTokenTarg(251)
  Failed to parse negTokenTarg at offset 21

It appears that they are log messages of the smbd, so I switched the logging of samba off, although most of the files were created in 2005... ;-).

But anyway, where do these files come from? And how can I delete them now?

For example rm log.84.* doesn't work (/bin/rm: Argument list too long)

I also tried 'ls | grep log.84 > rm', which should delete every file 'step by step', but it didn't work.

Any ideas?

Greetings,
Benni Graf.
From morten at nilsen.com Thu Jun 15 11:29:43 2006
From: morten at nilsen.com (Morten Nilsen)
Date: Thu, 15 Jun 2006 13:29:43 +0200
Subject: [tinysofa-discuss] Lot of logfiles in var/log worries me
In-Reply-To: <449141B8.5070109@gmx.de>
References: <449141B8.5070109@gmx.de>
Message-ID: <449144A7.5000308@nilsen.com>

Benni Graf wrote:
> But anyway, where do these files come from? And how can I delete them now?

samba

> For example rm log.84.* doesn't work (/bin/rm: Argument list too long)
> I also tried 'ls | grep log.84 > rm', which should delete every file
> 'step by step', but it didn't work.

find .. | xargs rm

-- 
Morten
:wq

From andrew at neep.com.au Thu Jun 15 14:42:51 2006
From: andrew at neep.com.au (Andrew Shugg)
Date: Thu, 15 Jun 2006 22:42:51 +0800
Subject: [tinysofa-discuss] Lot of logfiles in var/log worries me
In-Reply-To: <449141B8.5070109@gmx.de>
References: <449141B8.5070109@gmx.de>
Message-ID: <20060615144250.GB2162@neep.com.au>

Hi Benni,

> I just recognized that in my /var/log dir there are more than 20,000
> files called log.*, where * is an IP address (nearly 20,000 times) or
> a more or less random string, from some names ('billgates', i.e. ;-) )
> to totally random strings like '2j9x3qod2bm8ghd'...

As Morten already said: samba. The 'culprit' is this line in samba's config file (/etc/samba/smb.conf):

log file = /var/log/%m.log

Every time Samba receives a connection from another host it creates a new log file for it - %m expands to the machine name, so a bare IP address if a lookup fails, otherwise the hostname of the machine.

If you 'mkdir /var/log/samba' and change the above line to

log file = /var/log/samba/%m.log

you will at least stop getting crud in /var/log.

> It appears that they are log messages of the smbd, so I switched the
> logging of samba off, although most of the files were created in
> 2005... ;-).

You should be more concerned about where all the connections are coming from. Is this server facing the public Internet?
If so you should modify Samba to only respond to requests coming from your internal network, and/or firewall off all unnecessary ports on your public interface address.

> But anyway, where do these files come from? And how can I delete them now?
> For example rm log.84.* doesn't work (/bin/rm: Argument list too long)
> I also tried 'ls | grep log.84 > rm', which should delete every file
> 'step by step', but it didn't work.

Morten's suggestion is dangerous if taken literally. Try:

mkdir /var/log/samba && mv /var/log/log.[ns]mbd /var/log/samba/
find /var/log/ -maxdepth 1 -type f -name 'log.*' -exec rm {} ';'

Andrew S.

-- 
Andrew Shugg http://www.neep.com.au/

"Just remember, Mr Fawlty, there's always someone worse off than yourself."
"Is there? Well I'd like to meet him. I could do with a good laugh."
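Andrew's cleanup and config change, written out as an added example script (not posted in the thread). It runs against a constructed scratch directory rather than the real /var/log, and assumes a find(1) that supports -maxdepth (GNU or BSD) and an smb.conf line exactly as Andrew quoted it.

```shell
#!/bin/sh
# Added example, not from the thread. It scripts Andrew's procedure:
# the two daemon logs go to /var/log/samba, the per-client log.* files
# are removed, and smb.conf's "log file" is pointed at the subdirectory.
# Assumes find(1) with -maxdepth (GNU or BSD) and a config line reading
# "log file = /var/log/%m.log" (leading whitespace allowed).

# Constructed sample: a scratch directory shaped like Benni's /var/log.
make_sample_logdir() {
    sample=$(mktemp -d)
    for n in smbd nmbd jonny belinda 84.12.3.4 192.168.0.7 2j9x3qod2bm8ghd; do
        echo "[2005/11/27 18:04:34, 1] constructed sample line" > "$sample/log.$n"
    done
    : > "$sample/log.jonny.old"                # rotated copy, still log.*
    echo "unrelated" > "$sample/messages"     # not log.*, must survive
    mkdir "$sample/keep"
    : > "$sample/keep/log.in-subdir"          # below -maxdepth 1, must survive
    printf '[global]\n   log file = /var/log/%%m.log\n' > "$sample/smb.conf"
    echo "$sample"
}

# Steps 1 and 2: move the daemon logs aside, then delete every remaining
# regular file named log.* directly inside $1. find -exec runs rm once per
# file, so it never hits "Argument list too long" the way a glob does, and
# -maxdepth 1 -type f stops it descending into subdirectories.
cleanup_samba_logs() {
    logdir=$1
    mkdir -p "$logdir/samba"
    for daemon in smbd nmbd; do
        if [ -f "$logdir/log.$daemon" ]; then
            mv "$logdir/log.$daemon" "$logdir/samba/"
        fi
    done
    find "$logdir" -maxdepth 1 -type f -name 'log.*' -exec rm {} ';'
}

# Step 3: rewrite the "log file" line and print how many lines now point
# at the samba subdirectory (1 on success, 0 if the line was absent).
move_log_path() {
    conf=$1
    sed 's#^\([[:space:]]*log file[[:space:]]*=[[:space:]]*\)/var/log/%m\.log$#\1/var/log/samba/%m.log#' \
        "$conf" > "$conf.new" && mv "$conf.new" "$conf"
    grep -c '^[[:space:]]*log file[[:space:]]*=[[:space:]]*/var/log/samba/%m\.log$' "$conf" || true
}

# Demo on the scratch directory only; never point this at the real /var/log.
demo_dir=$(make_sample_logdir)
cleanup_samba_logs "$demo_dir" && move_log_path "$demo_dir/smb.conf"
ls "$demo_dir" "$demo_dir/samba" && rm -rf "$demo_dir"
```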