Re: Openserver 5.0.6 ping floods router



RLW wrote:
Thanks for all the replies -- I've tried most of them, still, to no
avail.

We did an experiment with the system today -- rebooted it and watched
the CPU Load on the router while it came up. Just at the point where
the boot process says (I'm paraphrasing) "Type <ctrl>D to continue, or
enter root password:", the CPU Load jumped back up to 100%.

This is just an off-the-wall, seat-of-the-pants fix that we did once when we thought that the Unix Server (IP XXX.XXX.XXX.92) was causing flooding of the network (all tests showed it to be so). We finally discovered somehow (I cannot recollect exactly how we discovered it) that if we disconnected a certain Windows 2003 Server that had an IP address of XXX.XXX.XXX.97, the flooding stopped. Without further ado or inquiry, we just reset the IP address of the Windows server (the easiest to do) and the problem has not recurred in two or so years. Someday I may try to find out what was happening, but so far time constraints and a degree of sloth have kept me from doing so, especially since it appeared to be more closely related to Microsoft than Unix.

==============================
Note to Pat Welch, thanks for the idea, but I've never heard of a NIC
that can do a ping flood by itself. Have you actually seen something
like that happen? Also, if the NIC was causing the problem, I'd think
that it would have started flooding before the OS was all the way up,
assuming it was a hardware problem. I still don't see how it would
remember the IP for the default gateway between reboots.
==============================

I had my customer, Tom, enter the root password to go into init state
1 (Single User mode). I then had him do a
"ps -fe > /usr/rlw/singleusr.txt" to capture a list of all of the
processes running at the time. Here's the list:

UID   PID  PPID  C  STIME     TTY      TIME      CMD
root    0     0  0  12:06:49  ?        00:00:00  sched
root    1     0  0  12:06:49  ?        00:00:00  /etc/init
root    2     0  0  12:06:49  ?        00:00:00  vhand
root    3     0  0  12:06:49  ?        00:00:12  bdflush
root    4     0  0  12:06:49  ?        00:00:00  kmdaemon
root    5     1  0  12:06:49  ?        00:00:08  htepi_daemon /
root    6     0  0  12:06:49  ?        00:00:13  strd
root   92     1  2  12:14:25  console  00:00:01  /bin/ksh -o vi
root   53     1  0  12:14:24  ?        00:00:00  /etc/ifor_pmd
root   54    53  0  12:14:24  ?        00:00:00  /etc/ifor_pmd
root   50     1  0  12:14:23  ?        00:00:36  /etc/syslogd
root   41     1  0  12:14:23  ?        00:00:00  htepi_daemon /stand
root  103    92  2  12:19:09  console  00:00:00  ps -fe
root   58    54  0  12:14:24  ?        00:00:00  /etc/sco_cpd
root   59    54  0  12:14:24  ?        00:00:22  /etc/ifor_sld
root   79     1  0  12:14:24  ?        00:00:00  strerr
root   93     1  0  12:14:25  ?        00:00:00  /var/scohttp/scohttpd -d /var/scohttp

I had run a "custom -V" to verify the entire setup, and captured the
output in another file. I then grepped all of the filenames in the ps
list above in that file, and came up empty handed. This implies to me
that the listed processes aren't being seen by custom as having been
compromised. A very smart trojan (it'd have to be REALLY smart) could
conceivably change the checksum in the custom database for a
particular file, and could restore the dates on the file. Has anyone
ever HEARD of a trojan Denial Of Service for SCO Openserver? I've
searched Google high and low for something like that -- haven't found
anything.

I stopped scohttp and ns_http (SCO web server on port 457, I think,
and the Netscape "FastTrack" web server) -- we don't use those. I
haven't killed all of the X windows stuff, but it wasn't running in
Single User mode, so I don't think that's it.

Here are my next questions for the group:

Which of the above processes can I kill (in single user mode) to see
if the pings stop?
How do I disable the X Windows stuff? -- We never use it on this box.

Thanks again for all the help everyone's trying to give me.

Thanks,

RLW
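
The cross-check described in the post above (take each executable from the saved ps listing and look for it in the saved verification output), as an added example that is not part of the original post. The sample rows and the report's line format are constructed, the report format is an assumption rather than real "custom -V" output, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed rows in the shape of the "ps -fe" listing in the post, plus one
# row with a two-token STIME (month and day) as an edge case.
sample_ps() {
cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 12:06:49 ? 00:00:00 sched
root 1 0 0 12:06:49 ? 00:00:00 /etc/init
root 50 1 0 12:14:23 ? 00:00:36 /etc/syslogd
root 79 1 0 12:14:24 ? 00:00:00 strerr
root 93 1 0 Jan 12 ? 00:00:00 /var/scohttp/scohttpd -d /var/scohttp
EOF
}

# Constructed stand-in for a saved verification report. The line format is an
# assumption, not the real output of "custom -V".
sample_report() {
cat <<'EOF'
MISMATCH /etc/syslogd
MISMATCH /etc/initscript
EOF
}

# Print the executable (first word of CMD) of every process row. TIME is the
# first HH:MM[:SS] field at position 7 or later, so a two-token STIME does not
# shift the result.
ps_cmds() {
  awk 'NR > 1 {
    for (i = 7; i < NF; i++)
      if ($i ~ /^[0-9]+:[0-9][0-9](:[0-9][0-9])?$/) { print $(i + 1); break }
  }'
}

# Usage: classify REPORT_FILE < ps-listing
#   flagged   = the path is a whole field somewhere in the report
#   unflagged = absolute path that the report never mentions
#   unchecked = no absolute path shown, so a grep of the report proves nothing
classify() {
  ps_cmds | LC_ALL=C sort -u | while read -r cmd; do
    case $cmd in
      /*) if awk -v p="$cmd" '{ for (i = 1; i <= NF; i++) if ($i == p) f = 1 }
                              END { exit !f }' "$1"
          then echo "flagged $cmd"; else echo "unflagged $cmd"; fi ;;
      *)  echo "unchecked $cmd" ;;
    esac
  done
}

report=$(mktemp) && sample_report > "$report"
sample_ps | classify "$report"
rm -f "$report"
```

Whole-field matching keeps /etc/init from being reported because of the /etc/initscript line, and the "unchecked" rows are the ones where an empty grep result says nothing either way.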




