Hi!

Can you please explain to me what these records in my logs mean?

2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied
resource overstep by requesting 180883456 for RLIMIT_STACK against limit
8388608 for /bin/cat[cat:10111] uid/euid:81/81 gid/egid:81/81, parent
/usr/sbin/apache2[apache2:21930] uid/euid:81/81 gid/egid:81/81

2008-09-27_12:08:17.12634 kern.alert: grsec: denied resource overstep by
requesting 187367424 for RLIMIT_STACK against limit 8388608 for
/var/qmail/bin/qmail-local[qmail-local:22538] uid/euid:1000/1000
gid/egid:100/100, parent /var/qmail/bin/qmail-local[qmail-local:22535]
uid/euid:1000/1000 gid/egid:100/100

For example, the first record may be the result of a malicious HTTP request
sent from 78.53.3.223 to my Apache... but I've no idea why /bin/cat was
called (I'm not aware of any CGI scripts on my server which would call
/bin/cat) or what went wrong with it. I'm not sure how correct this guess is...

The second is even stranger, because qmail-local was called by qmail-local
and there is no "From IP" part in this record, so it looks like some
internal error on my server... but I've never noticed any trouble with
qmail, mail works OK and there are no errors in the qmail log. Actually,
here are the records from the qmail log related to the same time:

2008-09-27_12:08:17.07092 new msg 662104
2008-09-27_12:08:17.07093 info msg 662104: bytes 2912 from
<gentoo-hardened+bounces-2147-powerman=powerman.asdfgroup.com@l.g.o>
qp 22534 uid 201
2008-09-27_12:08:17.07403 starting delivery 5800: msg 662104 to local
powerman@××××××××××××××××××.com
2008-09-27_12:08:17.07404 status: local 1/10 remote 0/20
2008-09-27_12:08:17.14903 delivery 5800: success: did_1+0+0/did_0+0+2/
2008-09-27_12:08:17.14905 status: local 0/10 remote 0/20
2008-09-27_12:08:17.14905 end msg 662104

As you can see, it was an incoming email from this mailing list, which was
delivered without issues... so it wasn't some malicious spam message trying
to crash my qmail. I've no idea why grsec complains in the logs about it.

I have a lot of such records - about 5 new records every hour on average.
I've checked all combinations of "for /..., parent /...":

# grep RLIMIT_STACK /var/log/kernel/all/{@*,current} |
perl -pe 's/.* (for \/[^:]*).* (parent \/[^:]*).*/$1] $2]/' | sort | uniq -c
303 for /bin/bash[sh] parent /bin/bash[sh]
277 for /bin/cat[cat] parent /usr/sbin/apache2[apache2]
17 for /bin/su[su] parent /usr/bin/runsv[runsv]
1 for /[chpst] parent /bin/bash[sh]
1 for /[egrep] parent /bin/bash[sh]
1 for /[ifconfig] parent /bin/bash[sh]
8 for /[sh] parent /usr/sbin/crond[crond]
341 for /var/qmail/bin/qmail-local[qmail-local] parent /var/qmail/bin/qmail-local[qmail-local]

--
WBR, Alex.
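As an added illustration (not part of Alex's mail, nor code from grsecurity), here is a small Python parser for the "denied resource overstep" records quoted above: it splits out the optional "From <ip>:" peer, the requested value versus the limit, and the process/parent identity, and then counts the (program, parent) pairs the way the grep | perl | sort | uniq -c pipeline in the mail does. The two sample records are the ones from the mail re-joined onto one line each; the field names are my own choice.

```python
import re
from collections import Counter

# The two records quoted in the mail, re-joined onto one line each (the mail wrapped them).
SAMPLE_LOG = """\
2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied resource overstep by requesting 180883456 for RLIMIT_STACK against limit 8388608 for /bin/cat[cat:10111] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:21930] uid/euid:81/81 gid/egid:81/81
2008-09-27_12:08:17.12634 kern.alert: grsec: denied resource overstep by requesting 187367424 for RLIMIT_STACK against limit 8388608 for /var/qmail/bin/qmail-local[qmail-local:22538] uid/euid:1000/1000 gid/egid:100/100, parent /var/qmail/bin/qmail-local[qmail-local:22535] uid/euid:1000/1000 gid/egid:100/100
"""

# One "path[comm:pid] uid/euid:U/E gid/egid:G/E" block; {p} prefixes the group names so
# the same pattern serves both the offending process and its parent.
PROC = (r"(?P<{p}path>\S+?)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
        r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
# "From <ip>:" is optional: grsec adds it only when it knows the remote address the
# process is serving (the apache child here), which is why the qmail-local record lacks it.
OVERSTEP_RE = re.compile(
    r"^(?P<ts>\S+) \S+: grsec: (?:From (?P<ip>[^:]+): )?denied resource overstep by requesting "
    r"(?P<requested>\d+) for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) for "
    + PROC.format(p="") + r", parent " + PROC.format(p="parent_") + r"$")
INT_FIELDS = ("requested", "limit", "pid", "uid", "euid", "gid", "egid",
              "parent_pid", "parent_uid", "parent_euid", "parent_gid", "parent_egid")

def parse_overstep(line):
    """Return a dict for one resource-overstep record, or None if the line is something else."""
    m = OVERSTEP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # How far past the limit the request went (around 22x for both records in the mail).
    rec["overstep_factor"] = rec["requested"] / rec["limit"]
    return rec

def summarize(log_text):
    """Count (program, parent) pairs, like the grep | perl | sort | uniq -c pipeline in the mail."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_overstep(line)
        if rec is not None:
            counts[(rec["path"], rec["parent_path"])] += 1
    return counts

if __name__ == "__main__":
    for rec in map(parse_overstep, SAMPLE_LOG.splitlines()):
        print(rec["ts"], rec["ip"] or "(no peer)", rec["path"], "<-", rec["parent_path"],
              "%s %d vs limit %d (%.1fx)" % (rec["resource"], rec["requested"], rec["limit"], rec["overstep_factor"]))
    for (prog, parent), n in summarize(SAMPLE_LOG).items():
        print(n, "for", prog, "parent", parent)
```

Feeding the whole kernel log through summarize() reproduces the table in the mail; the "From" field tells you which entries were produced by a process with a remote peer and which were purely local.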