Strange logs and memory exhaustion - SMB



Thread: Strange logs and memory exhaustion

  1. Strange logs and memory exhaustion

    I run a samba server version 2.2.7a-security-rollup-fix (Mandrake
    distribution) with a 2.4.19 kernel. It is used as a file server in a
    heterogeneous environment (windows, linux, mac, unix).

    Yesterday, the machine started to have all its memory consumed and the
    kernel had to kill some processes. At the same time, I had these logs:

    [2003/09/08 17:45:53, 0] lib/util_sock.c:get_socket_addr(1012)
    [2003/09/08 17:45:54, 0] lib/util_sock.c:get_socket_addr(1012)
    [2003/09/08 17:45:57, 0] lib/util_sock.c:get_socket_addr(1012)
    getpeername failed. Error was Transport endpoint is not connected
    [2003/09/08 17:46:04, 0] lib/access.c:check_access(333)
    [2003/09/08 17:46:04, 0] lib/util_sock.c:get_socket_addr(1012)
    getpeername failed. Error was Transport endpoint is not connected
    Denied connection from (0.0.0.0)
    [2003/09/08 17:46:04, 0] lib/util_sock.c:write_socket_data(499)
    write_socket_data: write failure. Error = Connection reset by peer
    [2003/09/08 17:46:04, 0] lib/util_sock.c:write_socket(524)
    write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection
    reset by peer
    [2003/09/08 17:46:04, 0] lib/util_sock.c:send_smb(704)
    Error writing 5 bytes to client. -1. (Connection reset by peer)
    getpeername failed. Error was Transport endpoint is not connected
    [2003/09/08 17:46:07, 0] lib/access.c:check_access(333)
    [2003/09/08 17:46:07, 0] lib/util_sock.c:get_socket_addr(1012)
    getpeername failed. Error was Transport endpoint is not connected
    Denied connection from (0.0.0.0)
    [2003/09/08 17:46:07, 0] lib/util_sock.c:write_socket_data(499)
    write_socket_data: write failure. Error = Connection reset by peer
    [2003/09/08 17:46:07, 0] lib/util_sock.c:write_socket(524)
    write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection
    reset by peer
    [2003/09/08 17:46:07, 0] lib/util_sock.c:send_smb(704)
    Error writing 5 bytes to client. -1. (Connection reset by peer)
    getpeername failed. Error was Transport endpoint is not connected
    [2003/09/08 17:46:08, 0] lib/access.c:check_access(333)
    [2003/09/08 17:46:08, 0] lib/util_sock.c:get_socket_addr(1012)
    getpeername failed. Error was Transport endpoint is not connected
    Denied connection from (0.0.0.0)
    [2003/09/08 17:46:08, 0] lib/util_sock.c:write_socket_data(499)
    write_socket_data: write failure. Error = Connection reset by peer
    [2003/09/08 17:46:08, 0] lib/util_sock.c:write_socket(524)
    write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection
    reset by peer
    [2003/09/08 17:46:08, 0] lib/util_sock.c:send_smb(704)
    Error writing 5 bytes to client. -1. (Connection reset by peer)
    [2003/09/08 17:49:49, 0] lib/util_sock.c:get_socket_addr(1012)
    getpeername failed. Error was Transport endpoint is not connected
    [2003/09/08 17:49:49, 0] lib/access.c:check_access(333)
    [2003/09/08 17:49:49, 0] lib/util_sock.c:get_socket_addr(1012)
    getpeername failed. Error was Transport endpoint is not connected
    Denied connection from (0.0.0.0)
    [2003/09/08 17:49:49, 0] lib/util_sock.c:write_socket_data(499)
    write_socket_data: write failure. Error = Connection reset by peer
    [2003/09/08 17:49:49, 0] lib/util_sock.c:write_socket(524)
    write_socket: Error writing 5 bytes to socket 13: ERRNO = Connection
    reset by peer
    [2003/09/08 17:49:49, 0] lib/util_sock.c:send_smb(704)
    Error writing 5 bytes to client. -1. (Connection reset by peer)

    Note the denied connections from 0.0.0.0. This is strange because
    these addresses are filtered by the firewall.

    Could this be some sort of attack against the machine or am I too paranoid?


    Philippe


  2. Re: Strange logs and memory exhaustion

    Philippe Wautelet wrote in message news:...
    > I run a samba server version 2.2.7a-security-rollup-fix (Mandrake
    > distribution) with a 2.4.19 kernel. It is used as a file server in a
    > heterogeneous environment (windows, linux, mac, unix).
    >
    > Yesterday, the machine started to have all its memory consumed and the
    > kernel had to kill some processes. At the same time, I had these logs:
    >
    > [2003/09/08 17:45:53, 0] lib/util_sock.c:get_socket_addr(1012)
    > [2003/09/08 17:45:54, 0] lib/util_sock.c:get_socket_addr(1012)
    > [2003/09/08 17:45:57, 0] lib/util_sock.c:get_socket_addr(1012)
    > getpeername failed. Error was Transport endpoint is not connected
    > [2003/09/08 17:46:04, 0] lib/access.c:check_access(333)
    > [2003/09/08 17:46:04, 0] lib/util_sock.c:get_socket_addr(1012)
    > getpeername failed. Error was Transport endpoint is not connected
    > Denied connection from (0.0.0.0)
    > [2003/09/08 17:46:04, 0] lib/util_sock.c:write_socket_data(499)
    > write_socket_data: write failure. Error = Connection reset by peer
    > [2003/09/08 17:46:04, 0] lib/util_sock.c:write_socket(524)
    > write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection
    > reset by peer
    > [2003/09/08 17:46:04, 0] lib/util_sock.c:send_smb(704)
    > Error writing 5 bytes to client. -1. (Connection reset by peer)
    > getpeername failed. Error was Transport endpoint is not connected
    > [2003/09/08 17:46:07, 0] lib/access.c:check_access(333)
    > [2003/09/08 17:46:07, 0] lib/util_sock.c:get_socket_addr(1012)
    > getpeername failed. Error was Transport endpoint is not connected
    > Denied connection from (0.0.0.0)
    > [2003/09/08 17:46:07, 0] lib/util_sock.c:write_socket_data(499)
    > write_socket_data: write failure. Error = Connection reset by peer
    > [2003/09/08 17:46:07, 0] lib/util_sock.c:write_socket(524)
    > write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection
    > reset by peer
    > [2003/09/08 17:46:07, 0] lib/util_sock.c:send_smb(704)
    > Error writing 5 bytes to client. -1. (Connection reset by peer)
    > getpeername failed. Error was Transport endpoint is not connected
    > [2003/09/08 17:46:08, 0] lib/access.c:check_access(333)
    > [2003/09/08 17:46:08, 0] lib/util_sock.c:get_socket_addr(1012)
    > getpeername failed. Error was Transport endpoint is not connected
    > Denied connection from (0.0.0.0)
    > [2003/09/08 17:46:08, 0] lib/util_sock.c:write_socket_data(499)
    > write_socket_data: write failure. Error = Connection reset by peer
    > [2003/09/08 17:46:08, 0] lib/util_sock.c:write_socket(524)
    > write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection
    > reset by peer
    > [2003/09/08 17:46:08, 0] lib/util_sock.c:send_smb(704)
    > Error writing 5 bytes to client. -1. (Connection reset by peer)
    > [2003/09/08 17:49:49, 0] lib/util_sock.c:get_socket_addr(1012)
    > getpeername failed. Error was Transport endpoint is not connected
    > [2003/09/08 17:49:49, 0] lib/access.c:check_access(333)
    > [2003/09/08 17:49:49, 0] lib/util_sock.c:get_socket_addr(1012)
    > getpeername failed. Error was Transport endpoint is not connected
    > Denied connection from (0.0.0.0)
    > [2003/09/08 17:49:49, 0] lib/util_sock.c:write_socket_data(499)
    > write_socket_data: write failure. Error = Connection reset by peer
    > [2003/09/08 17:49:49, 0] lib/util_sock.c:write_socket(524)
    > write_socket: Error writing 5 bytes to socket 13: ERRNO = Connection
    > reset by peer
    > [2003/09/08 17:49:49, 0] lib/util_sock.c:send_smb(704)
    > Error writing 5 bytes to client. -1. (Connection reset by peer)
    >
    > Note the denied connections from 0.0.0.0. This is strange because
    > these addresses are filtered by the firewall.
    >
    > Could this be some sort of attack against the machine or am I too paranoid?
    >
    >
    > Philippe


    Hi Philippe,

    we have the same issue, but apparently related not to Samba but to
    SSHD. Suddenly the top values are horrific and the machine starts to
    kill vital services like mysql, httpd and sshd. There is an enormous
    memory consumption. I will post an excerpt of our /var/log/messages
    file below:

    Sep 9 15:24:07 rbserv sshd[14568]: debug1: Forked child 21352.
    Sep 9 15:24:07 rbserv sshd[21352]: debug1: getpeername failed:
    Transport endpoint is not connected
    Sep 9 15:24:07 rbserv sshd[21352]: debug1: Calling cleanup
    0x8070310(0x0)
    Sep 9 15:28:57 rbserv sshd[14568]: debug1: Forked child 21764.
    Sep 9 15:28:57 rbserv sshd[21764]: debug1: getpeername failed:
    Transport endpoint is not connected
    Sep 9 15:28:57 rbserv sshd[21764]: debug1: Calling cleanup
    0x8070310(0x0)
    Sep 9 15:34:07 rbserv sshd[14568]: debug1: Forked child 22206.
    Sep 9 15:34:07 rbserv sshd[22206]: debug1: getpeername failed:
    Transport endpoint is not connected
    Sep 9 15:34:07 rbserv sshd[22206]: debug1: Calling cleanup
    0x8070310(0x0)
    Sep 9 15:38:41 rbserv sshd[14568]: debug1: Forked child 22564.
    Sep 9 15:38:41 rbserv sshd[22564]: debug1: getpeername failed:
    Transport endpoint is not connected
    Sep 9 15:38:41 rbserv sshd[22564]: debug1: Calling cleanup
    0x8070310(0x0)
    Sep 9 15:39:58 rbserv sshd[14568]: debug1: Forked child 22630.

    I am really puzzled. We use kernel 2.4.22 on two machines but the
    problem appears only on one.

    Best regards

    Stéphane
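Both posts show the same symptom in two daemons: a forked child calls getpeername() on an accepted socket and gets ENOTCONN ("Transport endpoint is not connected"), which means the client had already closed or reset the connection before the child got to it. In Samba 2.2, get_socket_addr() falls back to the string "0.0.0.0" when getpeername() fails, and check_access() then rejects that placeholder, so the "Denied connection from (0.0.0.0)" lines are a consequence of the same aborted connects, not evidence of packets arriving with source 0.0.0.0 through the firewall. The script below is an added example (not code from either poster, not part of Samba or OpenSSH) that parses the two log excerpts as posted, pairs each 0.0.0.0 denial with the getpeername failure it follows, and measures how fast the aborted connects arrive, which is the first thing to check before attributing memory exhaustion to a connection flood (each aborted connect costs one short-lived forked child in both smbd and sshd). Assumptions: the Samba excerpt is trimmed to the lines the parser classifies; the syslog lines carry no year, so 2003 is taken from the thread's dates; the message after several bare Samba header lines is attributed to the most recent header. Neither excerpt identifies the process that actually consumed the memory; that needs ps/top data from the time of the kill, and this script only tells you whether the logs show a burst worth investigating.

```python
"""Parse the Samba 2.2 and sshd log excerpts from the thread and measure how
often, and how fast, clients vanish before the server can call getpeername()."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Excerpt taken from the first post (Samba 2.2.7a, log level 0), trimmed.
# A header line carries the timestamp; a message belongs to the most recent header.
SAMBA_LOG = """\
[2003/09/08 17:45:53, 0] lib/util_sock.c:get_socket_addr(1012)
[2003/09/08 17:45:57, 0] lib/util_sock.c:get_socket_addr(1012)
getpeername failed. Error was Transport endpoint is not connected
[2003/09/08 17:46:04, 0] lib/access.c:check_access(333)
[2003/09/08 17:46:04, 0] lib/util_sock.c:get_socket_addr(1012)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2003/09/08 17:46:04, 0] lib/util_sock.c:write_socket_data(499)
write_socket_data: write failure. Error = Connection reset by peer
[2003/09/08 17:49:49, 0] lib/util_sock.c:get_socket_addr(1012)
getpeername failed. Error was Transport endpoint is not connected
[2003/09/08 17:49:49, 0] lib/access.c:check_access(333)
[2003/09/08 17:49:49, 0] lib/util_sock.c:get_socket_addr(1012)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
"""

# Excerpt taken from the second post (/var/log/messages, sshd at debug1), trimmed.
# syslog lines carry no year; 2003 is assumed from the thread's dates.
SSHD_LOG = """\
Sep 9 15:24:07 rbserv sshd[14568]: debug1: Forked child 21352.
Sep 9 15:24:07 rbserv sshd[21352]: debug1: getpeername failed: Transport endpoint is not connected
Sep 9 15:28:57 rbserv sshd[14568]: debug1: Forked child 21764.
Sep 9 15:28:57 rbserv sshd[21764]: debug1: getpeername failed: Transport endpoint is not connected
Sep 9 15:34:07 rbserv sshd[14568]: debug1: Forked child 22206.
Sep 9 15:34:07 rbserv sshd[22206]: debug1: getpeername failed: Transport endpoint is not connected
Sep 9 15:39:58 rbserv sshd[14568]: debug1: Forked child 22630.
"""

SAMBA_HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\] ")
SYSLOG = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")

def classify(msg):
    """Map one message to an event kind, or None for lines we do not count."""
    if "getpeername failed" in msg and "Transport endpoint is not connected" in msg:
        return "getpeername_enotconn"
    if "Denied connection from (0.0.0.0)" in msg:
        return "denied_0.0.0.0"
    if msg.startswith("write_socket_data: write failure"):
        return "write_reset"   # write_socket/send_smb repeat the same failure; count once
    if "Forked child" in msg:
        return "forked_child"
    return None

def parse_samba(text):
    """Return [(datetime, kind)] from Samba debug output."""
    events, ts = [], None
    for line in text.splitlines():
        m = SAMBA_HDR.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        kind = classify(line)
        if ts is not None and kind:
            events.append((ts, kind))
    return events

def parse_sshd(text, year=2003):
    """Return [(datetime, kind)] from syslog lines written by sshd."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                               "%Y %b %d %H:%M:%S")
        kind = classify(m.group(4))
        if kind:
            events.append((ts, kind))
    return events

def peak_per_minute(events, kind):
    """Highest number of `kind` events in any one minute: a connection flood
    (one forked child per aborted connect) shows up here, a trickle does not."""
    buckets = Counter(ts.replace(second=0) for ts, k in events if k == kind)
    return max(buckets.values(), default=0)

def gaps_seconds(events, kind):
    """Seconds between consecutive `kind` events."""
    ts = sorted(t for t, k in events if k == kind)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

def denials_explained(events, window=timedelta(seconds=1)):
    """Count 'Denied connection from (0.0.0.0)' lines preceded within `window`
    by a getpeername failure. Samba 2.2 substitutes 0.0.0.0 when getpeername()
    fails, so a denial paired with ENOTCONN is the access check rejecting a
    peer that had already closed, not a packet that arrived from 0.0.0.0."""
    fails = [t for t, k in events if k == "getpeername_enotconn"]
    denials = [t for t, k in events if k == "denied_0.0.0.0"]
    explained = sum(1 for d in denials if any(d - window <= f <= d for f in fails))
    return explained, len(denials)

if __name__ == "__main__":
    smb, ssh = parse_samba(SAMBA_LOG), parse_sshd(SSHD_LOG)
    print("samba: peak ENOTCONN/min =", peak_per_minute(smb, "getpeername_enotconn"),
          "denials explained =", denials_explained(smb))
    print("sshd : forks =", sum(k == "forked_child" for _, k in ssh),
          "aborted =", sum(k == "getpeername_enotconn" for _, k in ssh),
          "gaps(s) =", gaps_seconds(ssh, "getpeername_enotconn"))
```

On the posted excerpts every 0.0.0.0 denial is paired with a getpeername failure in the same second, and the aborted connects arrive at most two per minute on the Samba side and roughly five minutes apart on the sshd side. That rate is consistent with a port scanner or a monitoring probe that connects and immediately closes, and it is far too low to exhaust memory through forked children alone; if peak_per_minute() is in the hundreds on a real log, the fork rate becomes the lead to follow, otherwise the memory consumer has to be found elsewhere.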
