[Dxspider-support] (no subject)

Michael Walker mike at portcredit.net
Wed Feb 22 16:26:37 GMT 2017


[root@dxcluster2 log]# grep -r convkeps /etc
[root@dxcluster2 log]#  grep convkeps /home/*/.forward
grep: /home/*/.forward: No such file or directory
[root@dxcluster2 log]#

No output from either.

Mike



As an aside:

Here is where I start to see some concerning issues.  It is the 'Starting
Session x of user root'.  If I do a who, there doesn't appear to be any
additional root logins.  This seems to be a known problem and I need to do
more googling on the solution.  This is not my problem running out of
resources.

This is going on now:

Feb 21 22:01:02 dxcluster2 systemd: Started Session 4 of user root.
Feb 21 22:01:02 dxcluster2 systemd: Starting Session 4 of user root.
Feb 21 22:40:50 dxcluster2 kernel: perf: interrupt took too long (2508 > 2500), lowering kernel.perf_event_max_sample_rate to 79000
Feb 21 22:42:45 dxcluster2 kernel: wls33: disconnect from AP ec:08:6b:c0:8b:16 for new auth to 18:a6:f7:c1:4e:04
Feb 21 22:42:45 dxcluster2 kernel: wls33: authenticate with 18:a6:f7:c1:4e:04
Feb 21 22:42:45 dxcluster2 kernel: wls33: send auth to 18:a6:f7:c1:4e:04 (try 1/3)
Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info>  [1487734965.3273] device (wls33): supplicant interface state: completed -> authenticating
Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <warn>  [1487734965.3327] sup-iface[0x7fde5d4c2360,wls33]: connection disconnected (reason 1)
Feb 21 22:42:45 dxcluster2 kernel: wls33: authenticated
Feb 21 22:42:45 dxcluster2 kernel: wls33: associate with 18:a6:f7:c1:4e:04 (try 1/3)
Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info>  [1487734965.3481] device (wls33): supplicant interface state: authenticating -> associating
Feb 21 22:42:45 dxcluster2 kernel: wls33: RX AssocResp from 18:a6:f7:c1:4e:04 (capab=0x431 status=0 aid=1)
Feb 21 22:42:45 dxcluster2 kernel: wls33: associated
Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info>  [1487734965.3568] device (wls33): supplicant interface state: associating -> 4-way handshake
Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info>  [1487734965.3659] device (wls33): supplicant interface state: 4-way handshake -> completed
Feb 21 22:48:47 dxcluster2 systemd-logind: New session 5 of user root.
Feb 21 22:48:47 dxcluster2 systemd: Started Session 5 of user root.
Feb 21 22:48:47 dxcluster2 systemd: Starting Session 5 of user root.
Feb 21 23:01:01 dxcluster2 systemd: Started Session 6 of user root.
Feb 21 23:01:01 dxcluster2 systemd: Starting Session 6 of user root.
Feb 21 23:10:12 dxcluster2 kernel: perf: interrupt took too long (3136 > 3135), lowering kernel.perf_event_max_sample_rate to 63000
Feb 22 00:01:01 dxcluster2 systemd: Started Session 7 of user root.
Feb 22 00:01:01 dxcluster2 systemd: Starting Session 7 of user root.
Feb 22 00:01:17 dxcluster2 kernel: perf: interrupt took too long (3927 > 3920), lowering kernel.perf_event_max_sample_rate to 50000
Feb 22 00:02:29 dxcluster2 kernel: perf: interrupt took too long (4912 > 4908), lowering kernel.perf_event_max_sample_rate to 40000
Feb 22 00:05:49 dxcluster2 kernel: perf: interrupt took too long (6147 > 6140), lowering kernel.perf_event_max_sample_rate to 32000
Feb 22 01:01:01 dxcluster2 systemd: Started Session 8 of user root.
Feb 22 01:01:01 dxcluster2 systemd: Starting Session 8 of user root.
Feb 22 02:01:01 dxcluster2 systemd: Started Session 9 of user root.
Feb 22 02:01:01 dxcluster2 systemd: Starting Session 9 of user root.
Feb 22 03:01:01 dxcluster2 systemd: Started Session 10 of user root.
Feb 22 03:01:01 dxcluster2 systemd: Starting Session 10 of user root.
Feb 22 04:01:01 dxcluster2 systemd: Started Session 11 of user root.
Feb 22 04:01:01 dxcluster2 systemd: Starting Session 11 of user root.
Feb 22 05:01:01 dxcluster2 systemd: Started Session 12 of user root.
Feb 22 05:01:01 dxcluster2 systemd: Starting Session 12 of user root.
Feb 22 06:01:01 dxcluster2 systemd: Started Session 13 of user root.
Feb 22 06:01:01 dxcluster2 systemd: Starting Session 13 of user root.
Feb 22 06:42:32 dxcluster2 dhclient[724]: DHCPREQUEST on ens32 to 192.168.113.1 port 67 (xid=0x3065af1a)
Feb 22 06:42:32 dxcluster2 dhclient[724]: DHCPACK from 192.168.113.1 (xid=0x3065af1a)
Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info>  [1487763752.8693] dhcp4 (ens32):   address 192.168.113.151
Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info>  [1487763752.8698] dhcp4 (ens32):   plen 24 (255.255.255.0)
Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info>  [1487763752.8699] dhcp4 (ens32):   gateway 192.168.113.1
Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info>  [1487763752.8699] dhcp4 (ens32):   server identifier 192.168.113.1
Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info>  [1487763752.8700] dhcp4 (ens32):   lease time 86400



On Wed, Feb 22, 2017 at 10:55 AM, Dirk Koopman via Dxspider-support <
dxspider-support at dxcluster.org> wrote:

> If you are not using it, go ahead. But it does make updating slightly more
> challenging. I'd go look for a .forward file and/or /etc/aliases that has
> convkeps in it.
>
> Try (as root):
>
>  grep -r convkeps /etc
>
> and
>
>  grep convkeps /home/*/.forward
>
> If you send me some details off list and open your firewall to an IP
> address I'll give you, I can go and look. These things don't happen by
> magic.
>
> Dirk
>
>
> On 22/02/17 13:29, Michael Walker via Dxspider-support wrote:
>
> I pulled out the image so I can reply.
>
> There are no cron jobs either root or sysop.  This is a new build.
>
> However, something started to log in as root and there were over 500 of
> them.  I will need to spend a lot more time going through the logs to see
> if I can see anything unusual.  Since I don't do this for a living, that is
> going to take a while.
>
> I have changed the root password, but I am not sure that will help if the
> way they got in was via some other method.
>
> The cluster runs under sysop.
>
> Can I rename convkeps.pl so it doesn't execute?
>
> Mike
>
> On Wed, Feb 22, 2017 at 7:50 AM, Michael Walker <mike at portcredit.net>
> wrote:
>
>> Thanks Dirk
>>
>> Not that I can see.  In fact, I don't have any crons listed under root or
>> sysop.
>>
>> Mike va3mw
>>
>>
>> On Wed, Feb 22, 2017 at 7:27 AM, Dirk Koopman via Dxspider-support <
>> dxspider-support at dxcluster.org> wrote:
>>
>>> Do you have a (dxspider) cron job that is trying to run convkeps.pl?
>>> Normally I would expect this to be a system job that is triggered by an
>>> incoming email (containing keps) being redirected to convkeps.pl from
>>> an aliases or .forward file. It may also be the case that, since this
>>> program hasn't been touched since 2007, formats have changed and it is
>>> looping, then eventually dying or killed off by the Linux space reaper when
>>> it needs some extra RAM and it can't get it any other way.
>>>
>>> Dirk
>>>
>>>
>>> On 22/02/17 02:38, Michael Walker via Dxspider-support wrote:
>>>
>>> Has anyone seen this?
>>>
>>> Something is spawning all these.  Intrusion?
>>>
>>> Mike va3mw
>>>
>>>
>>>
>>>
>>>
>>>
>>> sysop     8769  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8770  7041  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8771  3426  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8772  8732  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8773  6898  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8774  8730  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8775  7040  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8776  7038  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8777  8731  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8778  8729  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8779  5238  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8780  7037  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8781  8737  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8782  7043  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8783  8733  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8784  8726  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8785  5239  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8786  7039  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> sysop     8787  6897  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>>> root      9091     2  0 03:57 ?        00:00:00 [kworker/3:1]
>>> root      9183     2  0 05:01 ?        00:00:01 [kworker/1:3]
>>> root      9324     2  0 07:01 ?        00:00:03 [kworker/0:0]
>>> root      9418     2  0 08:19 ?        00:00:32 [kworker/2:1]
>>> root      9892     2  0 15:01 ?        00:00:00 [kworker/1:1]
>>> root     10235     2  0 20:01 ?        00:00:00 [kworker/2:0]
>>> postfix  10261  1846  0 20:27 ?        00:00:00 pickup -l -t unix -u
>>> root     10300     2  0 21:01 ?        00:00:00 [kworker/0:2]
>>> root     10319     2  0 21:22 ?        00:00:00 [kworker/1:2H]
>>> root     10322     2  0 21:27 ?        00:00:00 [kworker/u8:1]
>>> root     10324     2  0 21:27 ?        00:00:00 [kworker/1:0H]
>>> root     10327     2  0 21:32 ?        00:00:00 [kworker/u8:2]
>>> root     10330     2  0 21:32 ?        00:00:00 [kworker/1:1H]
>>> root     10333  1080  0 21:33 ?        00:00:01 sshd: root@pts/0
>>> root     10337 10333  0 21:34 pts/0    00:00:00 -bash
>>> root     10361     2  0 21:36 ?        00:00:00 [ath9k-hwrng]
>>> root     10362 10337  0 21:37 pts/0    00:00:00 ps -ef
>>> root     10363 10337  0 21:37 pts/0    00:00:00 less
>>>
>>>
>>>
>>> _______________________________________________
>>> Dxspider-support mailing list
>>> Dxspider-support at dxcluster.org
>>> http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
>
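
One way to triage the "Started Session N of user root" lines in the log above, as an added example that is not part of the original thread: it separates sessions that systemd-logind announced with a "New session" line from those logged by systemd alone, and reports whether the latter cluster on one minute of the hour, the pattern a scheduled job would leave. Treating a missing logind line as "not an interactive login" is an assumption of this heuristic, and `triage`, `LINE` and `SAMPLE` are names introduced here.

```python
import re
from collections import Counter

# Lines copied from the log quoted in the message above.
SAMPLE = """\
Feb 21 22:01:02 dxcluster2 systemd: Started Session 4 of user root.
Feb 21 22:01:02 dxcluster2 systemd: Starting Session 4 of user root.
Feb 21 22:48:47 dxcluster2 systemd-logind: New session 5 of user root.
Feb 21 22:48:47 dxcluster2 systemd: Started Session 5 of user root.
Feb 21 23:01:01 dxcluster2 systemd: Started Session 6 of user root.
Feb 22 00:01:01 dxcluster2 systemd: Started Session 7 of user root.
Feb 22 01:01:01 dxcluster2 systemd: Started Session 8 of user root.
"""

# Captures: minute of the hour, logging daemon, session id, user.
LINE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:(\d\d):\d\d\s+\S+\s+"
    r"(systemd-logind|systemd)(?:\[\d+\])?:\s+"
    r"(?:New session|Started Session)\s+(\S+)\s+of user\s+(\S+?)\.?$"
)

def triage(text, user="root", min_hits=3, share=0.8):
    """Classify a user's sessions and test the systemd-only ones for periodicity."""
    announced, started = set(), {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(4) != user:
            continue  # other users, "Starting Session" duplicates, unrelated lines
        minute, source, sid = m.group(1), m.group(2), m.group(3)
        if source == "systemd-logind":
            announced.add(sid)      # logind logged "New session N"
        else:
            started[sid] = minute   # systemd logged "Started Session N"
    order = lambda ids: sorted(ids, key=lambda s: (len(s), s))
    quiet = {s: mn for s, mn in started.items() if s not in announced}
    top = Counter(quiet.values()).most_common(1)
    top_minute, hits = top[0] if top else (None, 0)
    return {
        "logind": order(announced),
        "systemd_only": order(quiet),
        "top_minute": top_minute,
        # Heuristic: most systemd-only sessions start on the same minute.
        "periodic": bool(quiet) and hits >= min_hits and hits / len(quiet) >= share,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The result is only a sorting aid: compare the systemd-only timestamps with the cron log and with `last root` before drawing a conclusion either way.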