Archives

Categories
«  
  »

New Play Machine

Update:
Thanks to Sven Joachim and Andrew Pollock for informing me about /etc/init.d/mountoverflowtmp which exists to mount a tmpfs named overflow if /tmp is full at boot time. It appears that the system was not compromised. But regular reinstalls are always a good thing.

On the 24th of August this year I noticed the following on my SE Linux Play Machine [1]:
root@play:/root# df
Filesystem          1K-blocks      Used Available Use% Mounted on
/dev/hda              1032088    938648    41012  96% /
tmpfs                    51296        0    51296  0% /lib/init/rw
udev                    10240        24    10216  1% /dev
tmpfs                    51296        4    51292  1% /dev/shm
/dev/hdb                516040    17128    472700  4% /root
/dev/hdc                  1024        8      1016  1% /tmp
overflow                  1024        8      1016  1% /tmp

The kernel message log had the following:
[210511.546152] su[769]: segfault at 0 ip b7e324e3 sp bfa4b064
error 4 in libc-2.7.so[b7dbb000+158000]
[210561.527839] su[778]: segfault at 0 ip b7eb14e3 sp bfec84d4 error 4 in
libc-2.7.so[b7e3a000+158000]
[210585.270372] su[784]: segfault at 0 ip b7e044e3 sp bff1b534 error 4 in
libc-2.7.so[b7d8d000+158000]
[210595.855278] su[789]: segfault at 0 ip b7e014e3 sp bfd18324 error 4 in
libc-2.7.so[b7d8a000+158000]
[210639.496847] su[796]: segfault at 0 ip b7e874e3 sp bf99e7b4 error 4 in
libc-2.7.so[b7e10000+158000]

Naturally this doesn’t look good, the filesystem known as “overflow” indicates a real problem. It appears that the machine was compromised. So I’ve made archival copies of all the data and reinstalled it.

As the weather here is becoming warmer I’ve used new hardware for my new Play Machine. The old system was a 1.8GHz Celeron with 1280M of RAM and two IDE disks in a RAID-1 array. The new system is a P3-800 with 256M of RAM and a single IDE disk. It’s a Compaq Evo which runs from a laptop PSU and is particularly energy efficient and quiet. The down-side is that there is no space for a second disk and only one RAM socket so I’m limited to 256M – that’s just enough to run a Xen server with a single DomU.

I put the new play machine online on Friday the 23rd of October after almost two months of down-time.

Related posts:

  1. Lenny Play Machine Online As Debian/Lenny has been released and the temperatures in my...
  2. SE Linux Play Machine and Passwords My SE Linux Play Machine has been online again since...
  3. Trust and My SE Linux Play Machine When discussing the machine there are two common comments I...
  4. Play Machine Update My Play Machine [1] was offline for most of the...
  5. Play Machine Downtime From the 13th to the 14th of August my Play...
October 28th, 2009 | Tags: , | Category: Security

3 comments to New Play Machine

  • Sven Joachim
    October 28, 2009 at 22:03

    Actually, the only problem that the “overflow” filesystem indicates is that you were running out of disk space. Such a filesystem is mounted automatically on boot if / has no space left, see /etc/init.d/mountoverflowtmp.

  • fumble
    October 28, 2009 at 23:02

    I hope you will investigate this and blog about how they got in if you can find that out.

  • Andrew Pollock
    October 29, 2009 at 00:43

    The overflow /tmp thing doesn’t automatically imply anything nefarious. It just means the system booted up with a full /tmp. See /etc/init.d/mountoverflowtmp