after accessing them via console i noticed that ALL services were down…
well, at least not the console login
[…]
these kdm messages might just be the result of either a stopped X server or failing network communications. Did anything turn up before that?
kernel: svc: 10.2.8.92, port=984: unknown version (43690890 for prog 100003, nfsd)
that one looks strange - I’ll take it that 10.2.8.92 is a known NFS client, that has not been tampered with? Then it points at garbled network traffic (from portmapper’s POV), which could be the consequence of some general low-level faile, i.e. corruption somewhere at kernel level.
Sep 16 12:38:30 linux-8 syslog-ng[8700]: Termination requested via signal, terminating;
was this initiated by “shutdown”, as a consequence of your actions? Else I’d look for more details, i.e. checking when the services started shutting down and if it may have been some “shutdown” call somewhere (manually, or power monitoring, or system management services, …).
If it looks like an issued shutdown command, check last logins and the bash histories of those users for traces of manual actions.
i discovered that this host was perfoming a vulnerability scanner which i wasnt aware of.
also i noticed these 2 specific systems had vnc open and kde env , from the xinetd logs vnc was also targeted…
is anyone aware if vnc has a vulnerability like this?
[QUOTE=maikcat;29643]also noticed that vulnerabily scan was running on other systems as well,
also noticed that these 2 systems had kdm instead of gdm,
anyone had issues when using kdm instead of gdm?
i will setup a test server and try to abuse vnc service with kdm…
Michael.[/QUOTE]
Hi Michael,
Now I come across the same problem as you did, there are many similar logs printed :
Nov 26 09:26:58 billdb2a kdm_config[8305]: Multiple occurrences of key ‘UseTheme’ in section [X--Greeter] of /usr/share/kde4/config/kdm/kdmrc
Nov 26 09:26:59 billdb2a kdm: 10.70.209.40:1[8335]: Received unknown or unexpected command -2 from greeter
Nov 26 09:26:59 billdb2a kdm: 10.70.209.40:1[8335]: Abnormal termination of greeter for display 10.70.209.40:1, code 1, signal 0
Nov 26 09:26:59 billdb2a kernel: [469170.655111] svc: 10.20.40.206, port=340: unknown version (104740642 for prog 100003, nfsd)
Nov 26 09:27:00 billdb2a kdm_config[8840]: Multiple occurrences of key ‘UseTheme’ in section [X--Greeter] of /usr/share/kde4/config/kdm/kdmrc
Nov 26 09:27:01 billdb2a kdm: 10.70.209.40:2[8845]: Received unknown or unexpected command -2 from greeter
Nov 26 09:27:01 billdb2a kdm: 10.70.209.40:2[8845]: Abnormal termination of greeter for display 10.70.209.40:2, code 1, signal 0
Nov 26 09:27:03 billdb2a kernel: Kernel logging (proc) stopped.
Nov 26 09:27:03 billdb2a kernel: Kernel log daemon terminating.
Nov 26 09:27:03 billdb2a syslog-ng[8093]: Termination requested via signal, terminating;
Nov 26 09:27:03 billdb2a syslog-ng[8093]: syslog-ng shutting down; version=‘2.0.9’
many network related services stopped at that time, I cannot find reason.
you said you had discovered the host was perfoming a vulnerability scanner. do you know which the tool which made vulnerability scan and
it will be better if you can remember how to reproduce,thank you.
Nessus was used in my case (possibly the paid version),
after opening a SR to novell the response was that nessus is commercial software and they cannot buy and perform the same test
in their labs.
