[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-security] urgent question

Subject: RE: [cobalt-security] urgent question
From: "Peter Baldwin" <peterj@xxxxxxxxxxxxxx>
Date: Tue, 18 Sep 2001 21:19:34 -0400
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

> usage. I ran "top" and there it was 4-5 httpd ps (/usr/sbin/httpd -f
> /etc/httpd/conf/httpd.confthat) where using all cpu, and some of them had
> been running for 3-4h.

Sounds like something went loopy - this could be a bad CGI script or a
database problem.  If you are developing Tomcat/JSP, this can occur on a
regular basis.

> Looking around in files and folders i found in /var/log/httpd/ a
> LARGE error
> file:
>
> -rw-r--r--   1 root     root     2147 483 647 Sep 18 21:06 error  (almost
> 2000 mb?)

Woah!  Not even that new worm could create such a large file so quickly.  Is
it being rotated?  Do a "tail -n 500 error" to see the last 500 lines.  Do a
"head error" to see when the file was created (RaQs don't have the handy
"stat" command).  Is it being log-rotated properly?  Is someone trying some
kind of denial of service attack?  You are going to see a *lot* hit attempts
from the new worm in this file, but again... I don't think it's the primary
cause.

Pete.
__________________________________________________
Vito - Cobalt Server Appliance Monitor and Manager
http://vito.pointclark.net

References:
- [cobalt-security] urgent question
  - From: Kai r. s., euroweb as

Prev by Date: [cobalt-security] Attempted inside job. A report.
Next by Date: Re: [cobalt-security] OpenSSH on Raq2 help
Previous by thread: [cobalt-security] urgent question
Next by thread: Re: [cobalt-security] urgent question

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index