This is a discussion on Newbie: Slack or Cable ModeM? within the Slackware Linux Support forums, part of the Unix Operating Systems category.
SuperDeamon wrote:

I have been using Slack 9.0 for several months and I am loving it. A problem seems to have developed. For the past couple of weeks, after having the PC on for 2 or 3 days, sometimes everything slows down to a crawl. I have 384 MB RAM and usually about 200 MB is cached. Swap is rarely used. Top does not show any processes stealing CPU cycles. Funny thing is also that the cable modem gets out of whack too and no transmission is made. Only the top 2 LEDs would be lit and I would have to reset the modem and restart.

I checked /var/log/messages and surprisingly it was empty, weird.

Is it that no transmission in the cable modem slows down everything in Slack? Or Slack causing the slowdown and modem problems? Which is more likely? I am suspecting the modem to cause this.

What should I check? Why nothing in /var/log/messages? How should I go about finding out what's going on? It is very embarrassing for this to happen while chatting online and people realizing that I have a problem with my supposed Solid Hard Rock Industrial strength Slack Box. Should I call my ISP? Earthlink through Time Warner?

Thanks for any hints. This group has been good to me before.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SuperDeamon <INVALID@INVALID.com> is thought to have typed the following text on 2003-09-24:

> I have been using Slack 9.0 for several months and I am loving it.
>
> A problem seems to have developed. For the past couple of weeks, after having the PC on
> for 2 or 3 days, sometimes everything slows down to a crawl. I have 384 MB
> RAM and usually about 200 MB is cached. Swap is rarely used. Top does not
> show any processes stealing CPU cycles. Funny thing is also that the cable modem
> gets out of whack too and no transmission is made. Only the top 2 LEDs would
> be lit and I would have to reset the modem and restart.
>
> I checked /var/log/messages and surprisingly it was empty, weird.

That's definitely weird, didn't it even contain an entry like:

Sep 21 04:40:02 Lappie syslogd 1.4.1: restart.

If that's not in there, someone (or some program) has emptied that log. Are you running a firewall? Have you disabled all unused services? If you can't think of a program that did that (certainly not a program included with Slack), your system has probably been cracked.

> Is it that no transmission in the cable modem slows down everything in Slack? Or
> Slack causing the slowdown and modem problems? Which is more likely? I am
> suspecting the modem to cause this.

I'm suspecting a human. I doubt your modem could slow anything not network-related down.

> What should I check? Why nothing in /var/log/messages? How should I go about
> finding out what's going on? It is very embarrassing for this to happen while
> chatting online and people realizing that I have a problem with my supposed
> Solid Hard Rock Industrial strength Slack Box. Should I call my ISP?
> Earthlink through Time Warner?
>
> Thanks for any hints. This group has been good to me before.

First try to figure out what has happened; we've had threads about PCs being cracked before. Google for them. You might start by downloading chkrootkit.

If you indeed have been cracked I'd suggest you back up your data (only documents! not programs), reinstall, tighten your system security (firewall, disabling of unused services and whatever else you can think of), and only then reconnect it to the network.

- --
Bartosz Oudekerk
Play Rogue, visit exotic locations, meet strange creatures and kill them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/cear256ZyNYAOpkRAogJAJsGWxjT8+UmGA2ZhyY84GHOQpViUg CghPa8
sQhA+enRegzv2vHPxra3W78=
=N3e5
-----END PGP SIGNATURE-----
Bartosz Oudekerk wrote:

> tighten your system security.
> firewall, disabling of unused services and whatever else you can think
> of, and only then reconnect it to the network.

Thanks.

Yes, I am running a firewall (i.e. Firestarter). I regularly check with the ShieldsUP security web page. There, from 1055 or so ports, only ports 67 and 68 (bootstrap protocol server/client ports) show up as closed. The rest of the ports show as stealth and seem silent. I thought I was fine, maybe not.

I think I did not install any ftp, sendmail, etc. software/services (that I did not think I would need) at install time. However I see NFS being loaded at boot time. How could I disable that? I do not seem to need it.

I'll check chkrootkit to check why /var/log/messages is empty meanwhile.

It would be too much work to back up and reinstall. I am trying to avoid that if I can, because then I would have to recompile/reinstall my nonstandard library files and programs, the kernel, NVIDIA drivers, etc.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SuperDeamon <INVALID@INVALID.com> is thought to have typed the following text on 2003-09-24:

> Bartosz Oudekerk wrote:
>
>> tighten your system security.
>> firewall, disabling of unused services and whatever else you can think
>> of, and only then reconnect it to the network.
>
> Thanks.
>
> Yes, I am running a firewall (i.e. Firestarter). I regularly check with the
> ShieldsUP security web page. There, from 1055 or so ports, only ports 67
> and 68 (bootstrap protocol server/client ports) show up as closed. The rest
> of the ports show as stealth and seem silent. I thought I was fine, maybe
> not.

Strange. I don't know Firestarter; I used to use <URL:http://scan.sygatetech.com> to check my firewall before I had nmap and nessus at work. Run all their tests in the order they're listed if you want to be sure.

> I think I did not install any ftp, sendmail, etc. software/services (that I
> did not think I would need) at install time. However I see NFS being loaded
> at boot time. How could I disable that? I do not seem to need it.

You should also disable the stuff in /etc/inetd.conf; it won't hurt to do so, even if you don't even have that particular service installed.

> I'll check chkrootkit to check why /var/log/messages is empty meanwhile.

It'll check for trojans; it won't tell you why /var/log/messages is empty. Be warned that it gives at least one false positive with Slackware 9.0; search groups.google for that one. If a logfile is empty, it usually means somebody emptied it. The only reason I could think of to empty a logfile would be to erase tracks (i.e. a cracker), although I'd only erase the relevant lines, but if he was in a hurry....

> It would be too much work to back up and reinstall. I am trying to avoid that
> if I can, because then I would have to recompile/reinstall my nonstandard
> library files and programs, the kernel, NVIDIA drivers, etc.

If you've really been cracked, that is the best approach to make sure there aren't any trojans left behind; it's your choice. The NVIDIA drivers aren't that hard (at least not with the old system, don't know about the new one). You could back up your .config also; that should make the kernel compile easy. Just put the .config in the new source, run 'make oldconfig' and you're ready to compile.

- --
Bartosz Oudekerk
Play Rogue, visit exotic locations, meet strange creatures and kill them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/cf9U256ZyNYAOpkRAkf6AJ9qDDx2DSFVu8Sv4CXvlrH5oz2uKQ CfeCbu
riYwrAbvhkHmls9ZFJxTvlk=
=Gve5
-----END PGP SIGNATURE-----
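The two pieces of advice in this exchange (turn off NFS at boot, comment out what is in /etc/inetd.conf) can be done and verified mechanically. The script below is an added example and not code from the thread or from Slackware itself. It relies on two facts about Slackware 9.0: rc.M runs only the rc.* scripts under /etc/rc.d that carry the executable bit, and every uncommented line of /etc/inetd.conf is a service inetd listens for. All paths are passed in as arguments and the sample tree (including the package file name, made up in the Slackware naming style) is constructed inside the script, so nothing here touches the real /etc.

```shell
#!/bin/sh
# Added example, not from the thread: audit and disable boot-time services on a
# Slackware-style system. Paths are arguments; the sample tree is constructed.

# Print the rc.* scripts under RCDIR that will run at boot (executable bit set).
enabled_rc_services() {
    for f in "$1"/rc.*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            basename "$f"
        fi
    done
}

# Disable a boot script the Slackware way: clear the executable bit. Nothing
# is deleted, so "chmod +x" reverses it.  Usage: disable_rc_service RCDIR rc.nfsd
disable_rc_service() {
    chmod -x "$1/$2"
}

# Print the service names (first field of each active line) in an inetd.conf.
inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# Write a copy of inetd.conf to OUT with every active line commented out
# except the services named in KEEP (space-separated). The original is left
# untouched for comparison; swap it in and HUP inetd once you are satisfied.
# Usage: disable_inetd_except /etc/inetd.conf /tmp/inetd.conf.new "auth"
disable_inetd_except() {
    conf=$1; out=$2; keep=$3
    awk -v keep=" $keep " '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        index(keep, " " $1 " ") > 0 { print; next }
        { print "#" $0 }
    ' "$conf" > "$out"
}

# Slackware records one file per installed package under /var/log/packages,
# which answers "did I even install inetd?" without guessing from /etc.
# Usage: package_installed /var/log/packages inetd   (exit 0 if installed)
package_installed() {
    for f in "$1"/"$2"-*; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample tree: three enabled rc scripts (NFS among them), an
# inetd.conf with three active services, and a package entry for inetd.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/rc.d" "$d/packages"
    for s in rc.inetd rc.nfsd rc.sshd rc.syslog; do
        printf '#!/bin/sh\n' > "$d/rc.d/$s"
    done
    chmod +x "$d/rc.d/rc.nfsd" "$d/rc.d/rc.sshd" "$d/rc.d/rc.syslog"
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample in the style of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -w -t120
EOF
    : > "$d/packages/inetd-1.79s-i386-1"
    echo "$d"
}

# Stand-alone run: show the audit on the sample tree, then clean up.
d=$(make_sample_etc)
echo "enabled rc scripts:"; enabled_rc_services "$d/rc.d"
echo "inetd services:";     inetd_services "$d/inetd.conf"
rm -rf "$d"
```

On a real box the calls would be enabled_rc_services /etc/rc.d and disable_rc_service /etc/rc.d rc.nfsd for the NFS question, and disable_inetd_except /etc/inetd.conf /tmp/inetd.conf.new "" to comment out everything, reviewing the copy before moving it into place.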
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SuperDeamon <INVALID@INVALID.com> is thought to have typed the following text on 2003-09-24:

> Bartosz Oudekerk wrote:
>
>> you should also disable the stuff in /etc/inetd.conf
>
> funny; no such file I could find, whoops I guess.

That depends on whether you installed it or not; check /var/log/packages. Most systems have it; only you know if you have a need for it.

Please answer my question: was /var/log/messages 0 bytes or did it have the restart line in it?

Check your /etc/passwd for users you don't know.

- --
Bartosz Oudekerk
Play Rogue, visit exotic locations, meet strange creatures and kill them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/cgiC256ZyNYAOpkRAin8AJ9MD5oXO1TIzRvMb/oDsMm9jfEjEQCfX//5
QYnlYJ0oed/RZ3FB3rmVnNw=
=E6Xd
-----END PGP SIGNATURE-----
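"Check your /etc/passwd for users you don't know" is easy to do by eye on a small box but easy to get wrong on a big one, so here is the same review done mechanically. This is an added example, not code from the thread; it works on any seven-field passwd file passed as an argument. The sample file is constructed here (trimmed Slackware-style entries plus one planted second UID 0 account so the checks have something to find), and the list of expected accounts is something each admin has to supply from their own install.

```shell
#!/bin/sh
# Added example, not from the thread: checks on a passwd file passed as $1.

# Accounts with UID 0 other than root: any hit is an alarm, not a curiosity.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs shared by more than one name, printed as "uid: name name".
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort
}

# Accounts that get an interactive shell. An empty seventh field means the
# login(1) default, /bin/sh, so it counts; nologin and false do not.
shell_accounts() {
    awk -F: '$7 == "" || $7 ~ /sh$/ { print $1 }' "$1"
}

# Every account not in the space-separated EXPECTED list: what the thread
# means by "users you don't know".
# Usage: unknown_accounts /etc/passwd "root bin daemon ... me"
unknown_accounts() {
    awk -F: -v want=" $2 " 'index(want, " " $1 " ") == 0 { print $1 }' "$1"
}

# Constructed sample: a trimmed Slackware-style passwd plus one planted entry
# ("toor", a second UID 0 account with a real shell).
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
rpc:x:32:32:RPC portmap user:/:/bin/false
nobody:x:99:99:nobody:/:
me:x:1001:100::/home/me:/bin/bash
me2:x:1002:100::/home/me2:/bin/bash
toor:x:0:0:maintenance:/:/bin/sh
EOF
    echo "$f"
}

# Stand-alone run on the sample, then clean up.
f=$(make_sample_passwd)
echo "extra UID 0:";      extra_uid0 "$f"
echo "duplicate UIDs:";   duplicate_uids "$f"
echo "unknown accounts:"; unknown_accounts "$f" "root bin daemon rpc nobody me me2"
rm -f "$f"
```

The expected-account list is the part that needs thought: build it once from a known-good install (the list the thread's poster printed is a reasonable starting point) and keep it somewhere the box itself cannot rewrite.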
Bartosz Oudekerk wrote:

> Please answer my question, was /var/log/messages 0 bytes or did it have
> the restart line in it?

It is zero bytes; there are also some cron files listed as zero bytes. Also, I've been good and never played in root. Below is a list of my files in /var/log/, and my password file (seems to be OK):

me@local:~$ ls -al /var/log/
total 626
drwxr-xr-x  8 root root   1504 Sep 24 15:46 ./
drwxr-xr-x 11 root root    336 Mar  2  2003 ../
-rw-r--r--  1 root root  37693 Sep 24 17:36 XFree86.0.log
-rw-r--r--  1 root root  40203 Sep 24 14:24 XFree86.0.log.old
-rw-r--r--  1 root root  15565 Jul 14 12:57 XFree86.8.log
-rw-r--r--  1 root root  22346 Jul 14 12:57 XFree86.8.log.old
-rw-r-----  1 root root      0 Sep 21 04:40 cron
-rw-r-----  1 root root      0 Sep 14 04:40 cron.1
-rw-r-----  1 root root      0 Sep  7 04:40 cron.2
-rw-r-----  1 root root      0 Aug 31 04:40 cron.3
-rw-r-----  1 root root      0 Aug 24 04:40 cron.4
-rw-r-----  1 root root      0 Sep 21 04:40 debug
-rw-r-----  1 root root      0 Sep 14 04:40 debug.1
-rw-r-----  1 root root      0 Sep  7 04:40 debug.2
-rw-r-----  1 root root      0 Aug 31 04:40 debug.3
-rw-r-----  1 root root      0 Sep 20 23:03 debug.4
-rw-r-----  1 root root      0 Sep 20 23:03 faillog
drwxr-xr-x  2 root root     48 Mar 15  2003 iptraf/
-rw-r--r--  1 root root  52398 Sep 24 15:47 kdm.log
-rw-r--r--  1 root root 292876 Sep 24 15:47 lastlog
-rw-r-----  1 root root      0 Sep 21 04:40 maillog
-rw-r-----  1 root root      0 Sep 14 04:40 maillog.1
-rw-r-----  1 root root      0 Sep  7 04:40 maillog.2
-rw-r-----  1 root root      0 Aug 31 04:40 maillog.3
-rw-r-----  1 root root      0 Aug 24 04:40 maillog.4
****-rw-r-----  1 root root      0 Sep 21 04:40 messages *******
-rw-r-----  1 root root      0 Sep 14 04:40 messages.1
-rw-r-----  1 root root      0 Sep  7 04:40 messages.2
-rw-r-----  1 root root      0 Aug 31 04:40 messages.3
-rw-r-----  1 root root      0 Sep 20 23:02 messages.4
-rw-r--r--  1 root root   4544 Jul 20 01:41 nvidia-installer.log
drwxr-xr-x  2 root root  13072 Aug 27 05:21 packages/
drwxr-xr-x  2 root root    416 Aug 25 00:44 removed_packages/
drwxr-xr-x  2 root root    312 Aug 25 00:44 removed_scripts/
drwxr-xr-x  2 root root   9168 Aug 25 00:44 scripts/
-rw-r--r--  1 root root  12807 Jul 11 08:33 scrollkeeper.log
-rw-r-----  1 root root      0 Sep 21 04:40 secure
-rw-r-----  1 root root      0 Sep 14 04:40 secure.1
-rw-r-----  1 root root      0 Sep  7 04:40 secure.2
-rw-r-----  1 root root      0 Aug 31 04:40 secure.3
-rw-r-----  1 root root   3211 Aug 28 22:02 secure.4
drwxr-xr-x  3 root root    496 Mar  2  2003 setup/
-rw-r-----  1 root root      0 Sep 21 04:40 spooler
-rw-r-----  1 root root      0 Sep 14 04:40 spooler.1
-rw-r-----  1 root root      0 Sep  7 04:40 spooler.2
-rw-r-----  1 root root      0 Aug 31 04:40 spooler.3
-rw-r-----  1 root root      0 Aug 24 04:40 spooler.4
-rw-r-----  1 root root      0 Sep 21 04:40 syslog
-rw-r-----  1 root root      0 Sep 14 04:40 syslog.1
-rw-r-----  1 root root      0 Sep  7 04:40 syslog.2
-rw-r-----  1 root root      0 Aug 31 04:40 syslog.3
-rw-r-----  1 root root      0 Sep 20 23:05 syslog.4
-rw-rw-r--  1 root root 170496 Sep 24 15:47 wtmp
-rw-rw-r--  1 root root 224640 Sep  1 06:47 wtmp.1
-rw-r--r--  1 root root    429 Jul 22 03:24 xdm.log

me@local:~$ less /etc/passwd
(me and me2 are both me)
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
me2:x:1002:100::/home/me2:/bin/bash
me:x:1001:100::/home/me:/bin/bash
SuperDeamon wrote:

> It is zero bytes; there are also some cron files listed as zero bytes.
> Also, I've been good and never played in root.
>
> Below is a list of my files in /var/log/, and my password file (seems to be
> OK):
>
> me@local:~$ ls -al /var/log/
> total 626
--snip xfree logs--
> -rw-r-----  1 root root      0 Sep 21 04:40 cron
> -rw-r-----  1 root root      0 Sep 14 04:40 cron.1
> -rw-r-----  1 root root      0 Sep  7 04:40 cron.2
> -rw-r-----  1 root root      0 Aug 31 04:40 cron.3
> -rw-r-----  1 root root      0 Aug 24 04:40 cron.4
> -rw-r-----  1 root root      0 Sep 21 04:40 debug
> -rw-r-----  1 root root      0 Sep 14 04:40 debug.1
> -rw-r-----  1 root root      0 Sep  7 04:40 debug.2
> -rw-r-----  1 root root      0 Aug 31 04:40 debug.3
> -rw-r-----  1 root root      0 Sep 20 23:03 debug.4
> -rw-r-----  1 root root      0 Sep 20 23:03 faillog
> drwxr-xr-x  2 root root     48 Mar 15  2003 iptraf/
> -rw-r--r--  1 root root  52398 Sep 24 15:47 kdm.log
> -rw-r--r--  1 root root 292876 Sep 24 15:47 lastlog
> -rw-r-----  1 root root      0 Sep 21 04:40 maillog
> -rw-r-----  1 root root      0 Sep 14 04:40 maillog.1
> -rw-r-----  1 root root      0 Sep  7 04:40 maillog.2
> -rw-r-----  1 root root      0 Aug 31 04:40 maillog.3
> -rw-r-----  1 root root      0 Aug 24 04:40 maillog.4
> ****-rw-r-----  1 root root      0 Sep 21 04:40 messages *******
> -rw-r-----  1 root root      0 Sep 14 04:40 messages.1
> -rw-r-----  1 root root      0 Sep  7 04:40 messages.2
> -rw-r-----  1 root root      0 Aug 31 04:40 messages.3
> -rw-r-----  1 root root      0 Sep 20 23:02 messages.4
> -rw-r--r--  1 root root   4544 Jul 20 01:41 nvidia-installer.log
> drwxr-xr-x  2 root root  13072 Aug 27 05:21 packages/
> drwxr-xr-x  2 root root    416 Aug 25 00:44 removed_packages/
> drwxr-xr-x  2 root root    312 Aug 25 00:44 removed_scripts/
> drwxr-xr-x  2 root root   9168 Aug 25 00:44 scripts/
> -rw-r--r--  1 root root  12807 Jul 11 08:33 scrollkeeper.log
> -rw-r-----  1 root root      0 Sep 21 04:40 secure
> -rw-r-----  1 root root      0 Sep 14 04:40 secure.1
> -rw-r-----  1 root root      0 Sep  7 04:40 secure.2
> -rw-r-----  1 root root      0 Aug 31 04:40 secure.3
> -rw-r-----  1 root root   3211 Aug 28 22:02 secure.4

Anything in secure.4 by chance?
All those zeroed files don't look good.

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.22 i686 (GCC) 3.3
Uptime: 22:22, 1 user, load average: 0.62, 0.41, 0.31
In article <WXocb.145402$mp.72651@rwcrnsc51.ops.asp.att.net>, David wrote:

>> -rw-r-----  1 root root      0 Aug 31 04:40 secure.3
>> -rw-r-----  1 root root   3211 Aug 28 22:02 secure.4
>
> Anything in secure.4 by chance?
> All those zeroed files don't look good.

I disagree. The times are all 04:40's, so logrotate is working. Looks like something happened to syslogd (or perhaps rc.syslog) such that it won't restart. It is definitely possible that there was an innocent goof-up here, and not a cracker. (I *do* agree that secure.4 is likely to hold a clue; if nothing else it might narrow the time frame of syslogd's demise.)

SuperDaemon must find out ASAP *why* syslogd is not running. Yes, do the chkrootkit still, but don't assume you've been compromised.

That's good advice in general. Yes, when syslogd fails you should take it seriously and regard it as a possible intrusion. The fact is, there are thousands of scares for every real compromise. I've had some scares too, and in each and every incident it turned out innocent (or rather, a matter of sysadmin ineptitude.)

It sounded like SuperDaemon was running a tight ship: no open services, possibly a good firewall. So far no objective reason to suspect a root exploit. Is there any chance of a local or LAN attack? Any potentially non-trustworthy users behind the firewall? Or, any exposed machine which might have been a base for a behind-the-firewall attack against you?

I know you (SD) said you didn't "play" as root, but still, just a stray keystroke could have killed your syslogd. At this point I suspect YOU as the most likely culprit here.

But don't be embarrassed. Everybody messes up except for gods and liars (and gods don't need computers.) It's important to follow through on a thread like this. Let us know what you find out. Good luck.

--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
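The reasoning in this reply (rotated copies stamped 04:40 mean logrotate ran; empty current files mean nothing was written into them; the newest non-empty copy bounds when syslogd stopped) is worth having as a repeatable check, and it also covers the "did it contain the restart line?" question from earlier in the thread. The script below is an added example, not code from the thread or from Slackware. It assumes sysklogd's file names (messages, secure, and so on) with logrotate's NAME.1 to NAME.4 copies as on Slackware 9.0, and the "syslogd 1.4.1: restart." marker line quoted earlier. The sample directory is constructed to mirror the listing posted above and is passed as an argument, so the script never reads the real /var/log unless you point it there.

```shell
#!/bin/sh
# Added example, not from the thread: triage of a log directory ($1) whose
# current files are empty while rotated copies still exist.

LOGNAMES="messages syslog secure cron debug maillog spooler"

# Current (unrotated) log files that exist but are 0 bytes, one per line.
empty_logs() {
    for name in $LOGNAMES; do
        if [ -f "$1/$name" ] && [ ! -s "$1/$name" ]; then
            echo "$name"
        fi
    done
}

# sysklogd writes "syslogd <version>: restart." each time it starts; a
# messages file without that line was not written to by a running syslogd.
has_restart_marker() {
    grep -q 'syslogd [0-9.]*: restart\.' "$1" 2>/dev/null
}

# Last line of the newest copy of NAME ($2) that still holds data, walking
# NAME, NAME.1, ... NAME.4. That line bounds the moment logging stopped.
last_evidence() {
    for f in "$1/$2" "$1/$2.1" "$1/$2.2" "$1/$2.3" "$1/$2.4"; do
        if [ -s "$f" ]; then
            tail -n 1 "$f"
            return 0
        fi
    done
    return 1
}

# Weigh the two explanations argued in the thread. Rotated copies that still
# hold data alongside empty current files mean logrotate kept running while
# nothing was being written: a dead syslogd. If every copy is empty, the
# files alone cannot separate "syslogd died weeks ago" from "logs were wiped".
# Prints one of: ok | syslogd-not-writing | inconclusive
diagnose() {
    if [ "$(empty_logs "$1" | wc -l | tr -d ' ')" -eq 0 ]; then
        echo ok
        return 0
    fi
    for f in "$1"/*.[0-9]; do
        if [ -s "$f" ]; then
            echo syslogd-not-writing
            return 0
        fi
    done
    echo inconclusive
}

# Is the logger alive right now? (Depends on the host; not asserted below.)
syslogd_running() {
    pgrep -x syslogd >/dev/null 2>&1
}

# Constructed sample: every current file and its .1-.3 copies are empty,
# secure.4 still holds the last su line from the listing in the thread.
make_sample_logdir() {
    d=$(mktemp -d)
    for name in $LOGNAMES; do
        : > "$d/$name"
        for i in 1 2 3; do : > "$d/$name.$i"; done
    done
    printf 'Aug 28 21:57:30 local su[3204]: + pts/5 me2-root\n' > "$d/secure.4"
    echo "$d"
}

# Stand-alone run on the sample, then clean up.
d=$(make_sample_logdir)
echo "verdict: $(diagnose "$d")"
echo "last evidence in secure: $(last_evidence "$d" secure)"
rm -rf "$d"
```

On the thread's box the same three calls against /var/log give "syslogd-not-writing", no restart marker, and the Aug 28 su line; the repair is then /etc/rc.d/rc.syslog restart (the script the poster pasted later in the thread), after which has_restart_marker /var/log/messages should succeed and the file should start growing again.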
/dev/rob0 wrote:

>> Anything in secure.4 by chance?
>> All those zeroed files don't look good.
>
> I disagree. The times are all 04:40's, so logrotate is working. Looks
> like something happened to syslogd (or perhaps rc.syslog) such that it
> won't restart. It is definitely possible that there was an innocent
> goof-up here, and not a cracker.

I think you are right. I mean, I ran all the tests offered by http://scan.sygatetech.com and nothing seemed to be funny. I passed all the tests and scans. But this is my syslog:

me@local:~$ less /etc/rc.d/rc.syslog
#!/bin/sh
# Start/stop/restart the system logging daemons.
#
# Written for Slackware Linux by Patrick J. Volkerding <volkerdi@slackware.com>.

syslogd_start() {
  if [ -x /usr/sbin/syslogd -a -x /usr/sbin/klogd ]; then
    echo -n "Starting sysklogd daemons: "
    echo -n " /usr/sbin/syslogd"
    /usr/sbin/syslogd
    sleep 1 # prevent syslogd/klogd race condition on SMP kernels
    echo " /usr/sbin/klogd -c 3 -x"
    # '-c 3' = display level 'error' or higher messages on console
    # '-x' = turn off broken EIP translation
    /usr/sbin/klogd -c 3 -x
  fi
}

syslogd_stop() {
  killall syslogd 2> /dev/null
  killall klogd 2> /dev/null
}

syslogd_restart() {
  syslogd_stop
  sleep 1
  syslogd_start
}

case "$1" in
'start')
  syslogd_start
  ;;
'stop')
  syslogd_stop
  ;;
'restart')

> (I *do* agree that secure.4 is likely
> to hold a clue; if nothing else it might narrow the time frame of
> syslogd's demise.)

Yes, you are right. At Aug 28th it seems like everything stopped; here are the last lines of /var/log/secure.4:

Aug 27 08:34:25 local su[29782]: - pts/2 me2-root
Aug 27 08:34:36 local su[29783]: + pts/2 me2-root
Aug 27 11:49:39 local su[30466]: + pts/2 me2-root
Aug 28 07:18:03 local su[701]: + pts/1 me2-root
Aug 28 07:18:03 local su[703]: + pts/1 me2-root
Aug 28 07:18:33 local su[1017]: + pts/1 me2-root
Aug 28 07:18:33 local su[1019]: + pts/1 me2-root
Aug 28 07:33:54 local su[1365]: + pts/2 me2-root
Aug 28 14:26:44 local su[2418]: + pts/5 me2-root
Aug 28 14:26:44 local su[2420]: + pts/5 me2-root
Aug 28 21:57:30 local su[3204]: + pts/5 me2-root

> SuperDaemon must find out ASAP *why* syslogd is not running. Yes, do the
> chkrootkit still, but don't assume you've been compromised.

> Any potentially non-trustworthy users behind the firewall? Or, any exposed
> machine which might have been a base for a behind-the-firewall attack
> against you?

Not really. I am the sole user of this machine.

> I know you (SD) said you didn't "play" as root, but still, just a stray
> keystroke could have killed your syslogd. At this point I suspect YOU as
> the most likely culprit here.

I guess so; I have been su'ing a lot.

> But don't be embarrassed. Everybody messes up except for gods and liars
> (and gods don't need computers.) It's important to follow through on a
> thread like this. Let us know what you find out. Good luck.

Not at all. Did someone say you would learn the most by running Slackware Linux? It seems to be true. Yes, this is interesting indeed. I am not embarrassed. I'll follow up in a couple of days when and if I find out more.

Thanks. I knew I could count on you guys. Thanks again.