Linux file locking - sigprocmask() issues
From: Trent Lloyd (lathiat_at_bur.st)
Date: 04/19/04
Date: Tue, 20 Apr 2004 03:35:46 +0800 To: INCIDENTS@SECURITYFOCUS.COM
Hi Guys,
Suddenly today, out of the blue, two of our production 2.4.24-grsec1 Linux
servers decided to have locking problems, after messing around for a bit
I discovered looking at an strace of 'dotlockfile' that it was spinning
on sigprocmask, which jogged my memory of the DoS that was posted to
bugtraq a few days ago (see http://bur.st/~lathiat/sigprocmask).
I tried the DoS on my local machine and found the same symptoms, so
we updated to 2.4.26-grsec2 and rebooted, and worked fine for a few minutes,
but then both machines started doing it - anyone know if this DoS was
fixed in 2.4.26?
At first I had suspected a DoS but after extensive searching of people's
homedirs/logs I couldn't find any evidence, and when it started on the
second server after the upgrade, no users had logged in, and there were
no @reboot cron entries.
I cannot seem to figure out how to stop this happening, or if it's
malicious, we haven't had the problem til now - the only thing I can
think of is it's being triggered by NFS (note though that the locking fails
on both NFS and local filesystems when it's broken) - the NFS goes under
fairly high load but it has worked flawlessly forever, since we first
started using our servers in a similar setup in 1998 (although numerous
reinstalls and hardware changes have happened recently, none of them
recent).
I'm at a loss as to what's causing it or how to fix, has anyone had this
problem? FWIW I'm running Debian Woody (stable) on a now 2.4.26-grsec2 kernel,
2.4.24-grsec1 did the same, and I can't find any visible exploits by users as
mentioned above, have I missed something? Perhaps it is a remotely
triggerable DoS - we run httpd (apache), pop3 (tpop3d), imap (dovecot),
dns (bind9), mail (postfix), ssh (openssh), nntp (nntpcache) and NFS.
Cheers,
Trent
Technical Staff, Bur.st Networking Inc.
-- Need advertising? Want to reach your consumer? For just $200 you can have your advertisement in my signature for 2 months! cheap, just call 1800-SIGADS