Re: ttloop peer died

From: Bela Lubkin (belal_at_sco.com)
Date: 10/14/03


Date: Tue, 14 Oct 2003 21:31:03 GMT
To: scomsc@xenitec.ca

Tom Melvin wrote:

> The customer is not complaining of failed login, it is a 15 user m/c I
> would think the default 64 pseudo ttys are fine. Actually, just relooked
> at syslog:
>
> Oct 13 01:57:22 cvntry telnetd[28609]: ttloop: peer died: Unknown error
> Oct 13 02:08:08 cvntry telnetd[28616]: ttloop: peer died: Unknown error
> Oct 13 02:20:57 cvntry telnetd[28630]: ttloop: peer died: Unknown error
> Oct 13 02:32:32 cvntry telnetd[28637]: ttloop: peer died: Unknown error
> Oct 13 02:43:26 cvntry telnetd[28639]: ttloop: peer died: Unknown error
> Oct 13 02:54:18 cvntry telnetd[28641]: ttloop: peer died: Unknown error
> Oct 13 03:05:14 cvntry telnetd[28663]: ttloop: peer died: Unknown error
> Oct 13 03:16:04 cvntry telnetd[28674]: ttloop: peer died: Unknown error
> Oct 13 03:27:01 cvntry telnetd[28681]: ttloop: peer died: Unknown error
> Oct 13 03:38:02 cvntry telnetd[28683]: ttloop: peer died: Unknown error
> Oct 13 03:48:52 cvntry telnetd[28685]: ttloop: peer died: Unknown error
> Oct 13 04:00:28 cvntry telnetd[28692]: ttloop: peer died: Unknown error
> Oct 13 04:10:29 cvntry telnetd[28703]: ttloop: peer died: Unknown error
> Oct 13 04:18:59 cvntry telnetd[28705]: ttloop: peer died: Unknown error
> Oct 13 04:27:29 cvntry telnetd[28712]: ttloop: peer died: Unknown error
> Oct 13 04:35:59 cvntry telnetd[28714]: ttloop: peer died: Unknown error
> Oct 13 04:44:27 cvntry telnetd[28716]: ttloop: peer died: Unknown error
> Oct 13 04:52:53 cvntry telnetd[28718]: ttloop: peer died: Unknown error
> Oct 13 05:02:17 cvntry telnetd[28725]: ttloop: peer died: Unknown error
> Oct 13 05:11:16 cvntry telnetd[28736]: ttloop: peer died: Unknown error
>
> All these times are in the early am - they do not use the system over
> night - those must be left over from during the day but then again,
> the 13th was a Monday, they also don't use the system on Sundays
> so I have no idea where those are coming from. Weird

It could be some sort of an attack; or some device (like a network
printer) wigging out. Notice that the times are pretty evenly spaced:
about 10 minutes apart, until the last few which are about 8.5 minutes
apart. The regularity strongly suggests some sort of automated process.

You could put in a little watcher daemon, something like:

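  #!/bin/sh
  # Each time a ttloop message reaches syslog, record the time and the
  # current TCP connections involving port 23 (telnet).
  while :; do
    # grep -q returns as soon as the first new ttloop line appears
    tail -0f /usr/adm/syslog | grep -q ttloop
    date >> /usr/adm/ttloop-netstat
    netstat -n -p tcp | fgrep '.23 ' >> /usr/adm/ttloop-netstat
  done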

You're looking for output that looks something like:

  Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
  tcp        0      0  127.0.0.1.23       127.0.0.1.1160     TIME_WAIT

Here I had done a `telnet localhost` and immediately disconnected. Your
mystery connections will probably be from a different host, and may be
in a different state than TIME_WAIT (but probably TIME_WAIT). The "-n"
flag skips hostname lookups, which could be slow in some cases, and
might possibly make it miss the actual lines you're interested in. Once
you have an idea of which lines are the mystery telnets, you can look
the names up with `ping`, `host`, `nslookup`, etc.

>Bela<
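
The spacing argument in the reply can be checked mechanically. The script below is an added example, not part of the original post: it pulls the ttloop entries out of syslog-format input and reports the gap between consecutive entries plus the coefficient of variation of those gaps. The sample lines, the host name `examplehost` and the 0.5 threshold are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: measure the spacing of "ttloop: peer died" syslog entries.
# Assumes "Mon DD HH:MM:SS" timestamps, a non-leap year and no year rollover.

ttloop_gaps() {
    # stdin: syslog lines; stdout: one gap in seconds per line, then a summary
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
        for (i = 1; i <= n; i++) yday[m[i]] = off[i]
    }
    /telnetd\[[0-9]+\]: ttloop: peer died/ {
        split($3, t, ":")
        now = (yday[$1] + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (seen++) {
            gap = now - prev; print gap
            sum += gap; sumsq += gap * gap; k++
        }
        prev = now
    }
    END {
        if (k < 2) { print "summary: too few events"; exit }
        mean = sum / k
        var = sumsq / k - mean * mean; if (var < 0) var = 0
        cv = sqrt(var) / mean
        # Randomly timed arrivals give a cv near 1; a timer-driven source
        # gives a cv near 0. The 0.5 cut-off is an assumed heuristic.
        printf "summary: events=%d mean=%d cv=%.2f %s\n", seen, mean, cv,
               (cv < 0.5) ? "regular" : "irregular"
    }'
}

sample_log() {   # constructed sample lines, not taken from the post
    cat <<'EOF'
Oct 13 02:00:00 examplehost telnetd[101]: ttloop: peer died: Unknown error
Oct 13 02:10:50 examplehost telnetd[103]: ttloop: peer died: Unknown error
Oct 13 02:15:03 examplehost login[104]: constructed unrelated line
Oct 13 02:21:44 examplehost telnetd[105]: ttloop: peer died: Unknown error
Oct 13 02:32:36 examplehost telnetd[107]: ttloop: peer died: Unknown error
Oct 13 02:43:32 examplehost telnetd[109]: ttloop: peer died: Unknown error
Oct 13 02:52:02 examplehost telnetd[111]: ttloop: peer died: Unknown error
EOF
}

sample_log | ttloop_gaps
```

To run it against a real log, feed the file on stdin, for example `ttloop_gaps < /usr/adm/syslog`.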


