> Looks like you might have been hacked. I'd also look for other strange
> stuff, ie check your logs for strange things and strange omissions, look
> for recently changed files that you dont know anything about, look for
> anything unusual in ps, netstat, lsof.
>
> If you really want to be safe,
Excerpts from linuxchix: 14-Nov-99 Re: [techtalk] bind problem.. by
Nicole [EMAIL PROTECTED]
> i believe i will nix or move the /tmp/ns and /tmp/cron files... i have
> no idea what they are supposed to do, but i do not trust them
Looks like you might have been hacked. I'd also look for other st
> hmm... no EADDRINUSE or 98 in the whole file
> this is what happens (well an example, the ESPIPE eror is constant):
> 15242 _llseek(0x5, 0, 0, 0xb76c, 0x1) = -1 ESPIPE (Illegal seek)
> 15242 read(5, "bind: Address already in use\n", 4096) = 29
Are you sure you did the -f on strace? Becaus
Jeff Dike wrote:
>
> > Is there something I am missing here? Here's what I have:
> > crond.pid (according to /var/run/crond.pid) is 328
>
> I was trying to be fancy with the "-e trace=network" bit. It looks like the
> interesting system calls aren't captured by "trace=network".
>
> Try this: s
> Is there something I am missing here? Here's what I have:
> crond.pid (according to /var/run/crond.pid) is 328
I was trying to be fancy with the "-e trace=network" bit. It looks like the
interesting system calls aren't captured by "trace=network".
Try this: strace -p -f -o strace.out
Let t
Laurel Fan wrote:
> Tried strings-ing it? anything interesting there?
here's some strings /tmp/ns stuff
beginning:
24.113.101.63
63.192.202.250
socket
bind
recvfrom
%s %s %s
aIf3YWfOhw.V.
PONG
*HELLO*
./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$
UFC-crypt, patchlevel 1e, @
Groovy. :o)
Jeff Dike wrote:
>
> > I had it dump it's stats, memstats, and database, but I can't seem to
> > decipher WHAT address "is already in use".
>
> I get a chance to plug one of my favorite utilities...strace :-).
>
> run strace -p -f -e trace=network
>
> and look for something retur
Excerpts from linuxchix: 14-Nov-99 [techtalk] bind problem...a.. by
Nicole [EMAIL PROTECTED]
> I don't know what bind's problem is, but here's what I have on it:
>
> Every one minute, cron runs a job in /tmp (/tmp/ns, the cron listing for
> this job is also in /tmp). Every one minute after cron
> I had it dump it's stats, memstats, and database, but I can't seem to
> decipher WHAT address "is already in use".
I get a chance to plug one of my favorite utilities...strace :-).
run strace -p -f -e trace=network
and look for something returning EADDRINUSE or 98. Then look at the
argume
