| 1 |
Hi! |
| 2 |
|
| 3 |
Can you please explain to me what these records in my logs mean? |
| 4 |
|
| 5 |
2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied |
| 6 |
resource overstep by requesting 180883456 for RLIMIT_STACK against limit |
| 7 |
8388608 for /bin/cat[cat:10111] uid/euid:81/81 gid/egid:81/81, parent |
| 8 |
/usr/sbin/apache2[apache2:21930] uid/euid:81/81 gid/egid:81/81 |
| 9 |
|
| 10 |
2008-09-27_12:08:17.12634 kern.alert: grsec: denied resource overstep by |
| 11 |
requesting 187367424 for RLIMIT_STACK against limit 8388608 for |
| 12 |
/var/qmail/bin/qmail-local[qmail-local:22538] uid/euid:1000/1000 |
| 13 |
gid/egid:100/100, parent /var/qmail/bin/qmail-local[qmail-local:22535] |
| 14 |
uid/euid:1000/1000 gid/egid:100/100 |
| 15 |
|
| 16 |
For example, first record may be result of malicious http request sent |
| 17 |
from 78.53.3.223 to my apache... but I've no idea why /bin/cat was called |
| 18 |
(I don't aware about cgi scripts on my server which will call /bin/cat) |
| 19 |
and what went wrong with it. I'm not sure how this guess is correct... |
| 20 |
|
| 21 |
Second is even more strange, because qmail-local was called by |
| 22 |
qmail-local, there no "From IP" part in this record, so it looks like some |
| 23 |
internal error on my server... but I never notice any troubles with qmail, |
| 24 |
mail works ok and there no error in qmail log. Actually, here are records |
| 25 |
from qmail log related to same time: |
| 26 |
|
| 27 |
2008-09-27_12:08:17.07092 new msg 662104 |
| 28 |
2008-09-27_12:08:17.07093 info msg 662104: bytes 2912 from |
| 29 |
<gentoo-hardened+bounces-2147-powerman=powerman.asdfgroup.com@l.g.o> |
| 30 |
qp 22534 uid 201 |
| 31 |
2008-09-27_12:08:17.07403 starting delivery 5800: msg 662104 to local |
| 32 |
powerman@××××××××××××××××××.com |
| 33 |
2008-09-27_12:08:17.07404 status: local 1/10 remote 0/20 |
| 34 |
2008-09-27_12:08:17.14903 delivery 5800: success: did_1+0+0/did_0+0+2/ |
| 35 |
2008-09-27_12:08:17.14905 status: local 0/10 remote 0/20 |
| 36 |
2008-09-27_12:08:17.14905 end msg 662104 |
| 37 |
|
| 38 |
As you see, it was incoming email from this maillist, which was delivered |
| 39 |
without issues... so it wasn't some malicious spam message which trying to |
| 40 |
crash my qmail. I've no idea why grsec complain in logs about it. |
| 41 |
|
| 42 |
I've a lot of such records - about 5 new records every hour in average. |
| 43 |
I've checked all combinations of "for /..., parent /...": |
| 44 |
|
| 45 |
# grep RLIMIT_STACK /var/log/kernel/all/{@*,current} | |
| 46 |
perl -pe 's/.* (for \/[^:]*).* (parent \/[^:]*).*/$1] $2]/' | sort | uniq -c |
| 47 |
303 for /bin/bash[sh] parent /bin/bash[sh] |
| 48 |
277 for /bin/cat[cat] parent /usr/sbin/apache2[apache2] |
| 49 |
17 for /bin/su[su] parent /usr/bin/runsv[runsv] |
| 50 |
1 for /[chpst] parent /bin/bash[sh] |
| 51 |
1 for /[egrep] parent /bin/bash[sh] |
| 52 |
1 for /[ifconfig] parent /bin/bash[sh] |
| 53 |
8 for /[sh] parent /usr/sbin/crond[crond] |
| 54 |
341 for /var/qmail/bin/qmail-local[qmail-local] parent /var/qmail/bin/qmail-local[qmail-local] |
| 55 |
|
| 56 |
-- |
| 57 |
WBR, Alex. |
Archives