centos 5.1 odd kernel segfaults

Discussion in 'Server Operation' started by craig baker, Jul 7, 2008.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I've noticed my log contains lines like these - any bright ideas as to what
    might be happening, or how to diagnose it?
    The following block, btw, is ALL the lines from messages - I'm not editing anything out in the time span noted.
    Thanks - cdb.

    ------------------------------------------
    Jul 6 15:50:43 ns5 kernel: s[21236]: segfault at 0000000000177001 rip 0000000008061da8 rsp 00000000ffa88550 error 4
    Jul 6 19:00:26 ns5 kernel: s[22842]: segfault at 0000000074736146 rip 0000000074736146 rsp 00000000ffef429c error 14
    Jul 6 19:21:27 ns5 kernel: s[23000]: segfault at 0000000000000001 rip 0000000008067505 rsp 00000000ff9d3d7c error 4
    Jul 6 20:10:36 ns5 kernel: s[23418]: segfault at 0000000008007500 rip 0000000008007500 rsp 00000000ffe431ec error 14
    Jul 6 21:33:26 ns5 kernel: s[24076]: segfault at 0000000000000001 rip 0000000008067505 rsp 00000000ffdf699c error 4
    Jul 6 21:42:29 ns5 kernel: s[24147]: segfault at 0000000008007500 rip 0000000008007500 rsp 00000000ffb04eac error 14
    Jul 7 03:50:43 ns5 kernel: s[26734]: segfault at 0000000000177001 rip 0000000008061da8 rsp 00000000ff857320 error 4
    Jul 7 05:09:39 ns5 kernel: s[27883]: segfault at 00000000083e6f72 rip 0000000008061da8 rsp 00000000fff121e0 error 4
    Jul 7 07:00:27 ns5 kernel: s[28649]: segfault at 0000000074736146 rip 0000000074736146 rsp 00000000ffe319dc error 14
    Jul 7 07:21:28 ns5 kernel: s[28794]: segfault at 00000000082056c1 rip 0000000008061da8 rsp 00000000fff139e0 error 4
    Jul 7 08:10:37 ns5 kernel: s[29160]: segfault at 0000000008007500 rip 0000000008007500 rsp 00000000ff9bfd6c error 14
    Jul 7 09:33:28 ns5 kernel: s[29771]: segfault at 0000000000000001 rip 0000000008067505 rsp 00000000ffe0b9bc error 4
    --------------------------

    also, there are obvious attempts to hack into my server:
    Jun 17 11:29:09 ns5 proftpd[4693]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
    Jun 17 11:29:16 ns5 proftpd[4699]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - FTP session opened.
    Jun 17 11:29:16 ns5 proftpd[4699]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
    Jun 17 11:29:22 ns5 proftpd[4700]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - FTP session opened.
    Jun 17 11:29:23 ns5 proftpd[4700]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
    Jun 17 11:29:29 ns5 proftpd[4701]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - FTP session opened.
    Jun 17 11:29:29 ns5 proftpd[4701]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'

    Jun 20 21:19:29 ns5 proftpd[2249]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
    Jun 20 21:19:30 ns5 proftpd[2250]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
    Jun 20 21:19:31 ns5 proftpd[2250]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
    Jun 20 21:19:33 ns5 proftpd[2251]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
    Jun 20 21:19:33 ns5 proftpd[2251]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
    Jun 20 21:19:35 ns5 proftpd[2252]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
    Jun 20 21:19:36 ns5 proftpd[2252]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
    Jun 20 21:19:37 ns5 proftpd[2253]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.

    Any easy way to consign these folks to the Hell of the Burning Hackers?
    And maybe take load off the system?
    I assume I could have the router block the specific IPs, but those could be faked, I'm sure.

    thanks again.
    cdb.
     
    Last edited: Jul 7, 2008
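    A first diagnostic pass over the kernel lines quoted above, as an added example written for this thread (it is not code from the poster or from CentOS). It parses the `segfault at ... rip ... rsp ... error ...` format, decodes the x86 page-fault error-code bits, and flags the two patterns that stand out in this log: faults where the faulting address equals `rip` (the CPU tried to fetch an instruction from a bad address, typically a corrupted return address or function pointer) and addresses that decode as printable ASCII (here 0x74736146 is the bytes "Fast" little-endian, a classic sign of string data overwriting a pointer). The decoding assumes, as that kernel's x86-64 fault handler did, that the `error` value is printed in hexadecimal, so `error 14` is 0x14 (user-mode instruction fetch from a non-present page) and `error 4` is 0x04 (user-mode read of a non-present page). The sample lines are copied from the post; the thresholds and wording of the notes are my own.

```python
import re
from collections import Counter

# Sample input: the twelve kernel lines quoted in the post above
# (CentOS 5.1, x86-64 kernel, a process named "s").
SAMPLE_LINES = """\
Jul 6 15:50:43 ns5 kernel: s[21236]: segfault at 0000000000177001 rip 0000000008061da8 rsp 00000000ffa88550 error 4
Jul 6 19:00:26 ns5 kernel: s[22842]: segfault at 0000000074736146 rip 0000000074736146 rsp 00000000ffef429c error 14
Jul 6 19:21:27 ns5 kernel: s[23000]: segfault at 0000000000000001 rip 0000000008067505 rsp 00000000ff9d3d7c error 4
Jul 6 20:10:36 ns5 kernel: s[23418]: segfault at 0000000008007500 rip 0000000008007500 rsp 00000000ffe431ec error 14
Jul 6 21:33:26 ns5 kernel: s[24076]: segfault at 0000000000000001 rip 0000000008067505 rsp 00000000ffdf699c error 4
Jul 6 21:42:29 ns5 kernel: s[24147]: segfault at 0000000008007500 rip 0000000008007500 rsp 00000000ffb04eac error 14
Jul 7 03:50:43 ns5 kernel: s[26734]: segfault at 0000000000177001 rip 0000000008061da8 rsp 00000000ff857320 error 4
Jul 7 05:09:39 ns5 kernel: s[27883]: segfault at 00000000083e6f72 rip 0000000008061da8 rsp 00000000fff121e0 error 4
Jul 7 07:00:27 ns5 kernel: s[28649]: segfault at 0000000074736146 rip 0000000074736146 rsp 00000000ffe319dc error 14
Jul 7 07:21:28 ns5 kernel: s[28794]: segfault at 00000000082056c1 rip 0000000008061da8 rsp 00000000fff139e0 error 4
Jul 7 08:10:37 ns5 kernel: s[29160]: segfault at 0000000008007500 rip 0000000008007500 rsp 00000000ff9bfd6c error 14
Jul 7 09:33:28 ns5 kernel: s[29771]: segfault at 0000000000000001 rip 0000000008067505 rsp 00000000ffe0b9bc error 4
"""

SEGFAULT_RE = re.compile(
    r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"rip (?P<rip>[0-9a-f]+) rsp (?P<rsp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# x86 #PF error-code bits (Intel SDM vol. 3, page-fault exception error code).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def decode_error(err):
    """Turn a #PF error code into a list of human-readable flags."""
    flags = ["protection-violation" if err & PF_PROT else "not-present",
             "write" if err & PF_WRITE else "read",
             "user-mode" if err & PF_USER else "kernel-mode"]
    if err & PF_RSVD:
        flags.append("reserved-bit")
    if err & PF_INSTR:
        flags.append("instruction-fetch")
    return flags


def looks_like_ascii(addr, width=4):
    """True if the low `width` bytes of addr are all printable ASCII: a strong
    hint that string data overwrote a pointer or return address."""
    return all(0x20 <= b < 0x7F for b in addr.to_bytes(8, "little")[:width])


def analyse(line):
    """Parse one segfault line; return a dict of fields, flags and notes, or None."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, rip, rsp = (int(m.group(k), 16) for k in ("addr", "rip", "rsp"))
    err = int(m.group("err"), 16)  # assumption: the kernel printed this with %lx
    notes = []
    if addr == rip:
        notes.append("fault on the instruction fetch itself: jump/return to a bad address")
    if looks_like_ascii(addr):
        notes.append("address decodes as ASCII %r" % addr.to_bytes(4, "little").decode())
    if addr < 0x1000:
        notes.append("near-NULL dereference")
    if rip < 2 ** 32 and rsp < 2 ** 32:
        notes.append("addresses fit in 32 bits: probably an i386 binary on the x86-64 kernel")
    return {"comm": m.group("comm"), "pid": int(m.group("pid")), "addr": addr,
            "rip": rip, "rsp": rsp, "error": err, "flags": decode_error(err), "notes": notes}


def crash_sites(lines):
    """Count how often each (process, rip, error) combination recurs, so a handful
    of repeating crash sites stands out from random noise."""
    sites = Counter()
    for line in lines:
        r = analyse(line)
        if r:
            sites[(r["comm"], r["rip"], r["error"])] += 1
    return sites


if __name__ == "__main__":
    for line in SAMPLE_LINES.splitlines():
        r = analyse(line)
        print("%s[%d] addr=%#x rip=%#x %s" % (r["comm"], r["pid"], r["addr"], r["rip"],
                                             ", ".join(r["flags"])))
        for n in r["notes"]:
            print("    " + n)
    print("\nrecurring crash sites:")
    for (comm, rip, err), n in crash_sites(SAMPLE_LINES.splitlines()).most_common():
        print("  %s rip=%#x error=%#x  x%d" % (comm, rip, err, n))
```

    Run against the post's lines it reduces the twelve entries to four recurring crash sites in one binary, two of them instruction fetches from addresses that are not code (one of which is the string "Fast"). That is the profile of the same memory-corruption bug being hit over and over, not of random hardware trouble, and the next step is to find out what `/proc/<pid>/exe` points at for that "s" process and to capture a core file (`ulimit -c unlimited`) so the crashing code can be looked at in a debugger.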
  2. falko

    falko Super Moderator ISPConfig Developer

    You can stop the brute-force attacks with fail2ban.
     
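    What fail2ban does with the proftpd lines in the first post, reduced to its core, as an added example written for this thread (it is not fail2ban's code and not from either poster): match the failed-login message, attribute it to the source address in the log line, keep a sliding window of failures per address, and emit a ban once `maxretry` failures fall inside `findtime` seconds. Assumptions: the syslog timestamps get the thread's year (2008) because syslog omits it; only the "no such user" message from the post is matched, whereas fail2ban's own proftpd filter covers more login-failure variants; the `maxretry`/`findtime` values are illustrative; and the iptables rules are returned as strings for inspection, never executed. The sample log is built from the lines quoted in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input built from the proftpd lines quoted in the post above.
SAMPLE_LOG = """\
Jun 17 11:29:09 ns5 proftpd[4693]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
Jun 17 11:29:16 ns5 proftpd[4699]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - FTP session opened.
Jun 17 11:29:16 ns5 proftpd[4699]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
Jun 17 11:29:22 ns5 proftpd[4700]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - FTP session opened.
Jun 17 11:29:23 ns5 proftpd[4700]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
Jun 17 11:29:29 ns5 proftpd[4701]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - FTP session opened.
Jun 17 11:29:29 ns5 proftpd[4701]: ns5.cdbsystems.com (fwgw.osaka.seikyou.ne.jp[61.202.156.253]) - no such user 'Administrator'
Jun 20 21:19:29 ns5 proftpd[2249]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
Jun 20 21:19:30 ns5 proftpd[2250]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
Jun 20 21:19:31 ns5 proftpd[2250]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
Jun 20 21:19:33 ns5 proftpd[2251]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
Jun 20 21:19:33 ns5 proftpd[2251]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
Jun 20 21:19:35 ns5 proftpd[2252]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
Jun 20 21:19:36 ns5 proftpd[2252]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - no such user 'ellie'
Jun 20 21:19:37 ns5 proftpd[2253]: ns5.cdbsystems.com (202.63.115.229[202.63.115.229]) - FTP session opened.
"""

# A failed proftpd login, with the client address taken from the "host[ip]" part.
# Only the "no such user" message seen in the post is matched here.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\([^\[]*\[(?P<ip>[^\]]+)\]\) - no such user '[^']*'"
)


def parse_ts(ts, year):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2008 here)."""
    return datetime.strptime("%d %s" % (year, " ".join(ts.split())), "%Y %b %d %H:%M:%S")


def detect_bans(lines, maxretry=3, findtime=600, year=2008):
    """Return {ip: time_of_ban} for every address that reached maxretry failed
    logins inside a findtime-second window (the fail2ban rule, in miniature)."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"), year)
        if ip in banned:
            continue              # already decided; a real ban would drop its packets
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def ban_commands(banned, port=21):
    """Render the bans as iptables rules (strings only; nothing is executed)."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port)
            for ip in sorted(banned)]


if __name__ == "__main__":
    bans = detect_bans(SAMPLE_LOG.splitlines())
    for ip, when in sorted(bans.items()):
        print("ban %-16s after failures up to %s" % (ip, when))
    print("\n".join(ban_commands(bans)))
```

    On the post's lines both sources cross the threshold on their third failed login within seconds, which is exactly when fail2ban would insert the DROP rule and stop the remaining attempts from costing the server anything. On the worry that the addresses could be faked: these attempts are FTP logins over an established TCP connection, so the client had to complete the handshake from the address in the log; blocking it hurts only that source. The real cost of a filter like this is self-inflicted lockout, so whitelist your own management addresses (fail2ban's `ignoreip`) before enabling it.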
