Re: leaky kernel ? ;)

[secure () SECUREAUSTIN COM (H D Moore)]

Heh, thats actually kind of cool.  Anyways, could it be possible that
your net traffic is being diverted to the syslog/udp port?  Maybe
someone is spraying your syslog port for kicks?  Is syslogd running with
remote reception?  Any strange kernel modules?

mIV wrote:
> OK, there's RH 6.1 on 2.2.13. Let's take a look at /var/log/messages:
>
> Dec  2 13:28:48 pentium kernel: age....
> Dec  2 13:28:55 pentium kernel: 65 lated me
> Dec  2 13:28:58 pentium kernel:  6C original
> Dec  2 13:28:58 pentium kernel: ine as
> Dec  2 13:29:07 pentium kernel: age....
> Dec  2 13:29:14 pentium kernel: ge....-
> Dec 11 14:21:46 pentium kernel:  20 ...This
> Dec 11 14:22:49 pentium kernel:  3em te=B
> Dec 11 14:22:53 pentium kernel: 4B , ze ACK
>
> and so on ... Do you know where are these strings from ? I'll tell ya.
> It's all from my mail fetched by fetchmail (via PPP). OK, these were
> strings but we have also sth like this:
>
> Dec 13 22:24:38 pentium kernel: 40 21 4C BB F4 6F 5F DD @!L..o_.
> Dec 13 22:24:39 pentium kernel: C4 41 74 3F BD 54 47 B9 .At?.TG.
>
> These in turn look like some kind of binary dump. Apparently not only mail
> fragments land in my logs. It seems that entire net traffic is affected.
> There's no need for sniffer in this case ;)
>
> That's not good when some net packets are dumped to system logs, is it ?
> Is it a bug ? If so, is it known to kernel developers ?
>
> greetz,
> ______________________________________________________
>                               mIV
>                     email:marcel () linux com pl, m () sh pl
> "When freedom is outlawed, only outlaws will be free."
> ------------------------------------------------------