Kyle Hofmann wrote:
>
> Hi,
>
> My roommate and I run a Redhat 6.2 server. Wednesday, at about fifteen
> minutes past midnight, our load average went from its usual 0.something to
> nearly 30, and stayed this way for about ten minutes. By the time we got
> top running, the offending process or processes had terminated.

This could very well be the result of someone trying the "../*/../*/../*" DoS attack on a network service like for instance an FTP daemon. Many FTP servers like to use the shell to get the directory listing. When you request "../*/..etc" as a listing, the shell tries FRANTICALLY to expand the options. If the line was long enough, the machine gags and dies.

If you've got logging of all commands, there's a good chance you should have evidence of this in your FTP logs.

The reason for not seeing anything afterwards is probably because the ftp server, the offending process, died when the listing failed or supplied the by now HUGE listing to the requesting client.

Cooper

--
I want a patriot missile. I pay taxes, why can't I have one?
 - Denis Leary, Cheese Helmet -
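
Added example, not part of the original message: one way to look for the listing requests described above in an FTP command log. The log line shape, the thresholds and the sample lines are assumptions constructed for illustration; adapt the regular expression to whatever your daemon actually writes.

```python
import re

# Assumed (constructed) command-log shape; adapt the regex to your daemon's format.
LINE_RE = re.compile(
    r"ftpd\[\d+\]: (?P<client>\S+) cmd (?P<verb>LIST|NLST|STAT) (?P<arg>.*)$"
)

def glob_cost(arg):
    """Return (wildcard_segments, parent_hops) over the path arguments."""
    wild = hops = 0
    for token in arg.split():
        if token.startswith("-"):          # listing option such as -l, not a path
            continue
        for seg in token.split("/"):
            if seg == "..":
                hops += 1
            elif any(c in seg for c in "*?["):
                wild += 1
    return wild, hops

def worst_case_paths(arg, fanout):
    """Upper bound on expanded paths if no directory has more than `fanout` entries."""
    wild, _ = glob_cost(arg)
    return fanout ** wild

def suspicious(arg, max_wild=3):
    wild, hops = glob_cost(arg)
    # Every wildcard segment multiplies the candidate paths; ".." between
    # wildcards makes the expansion walk the same directories again.
    return wild > max_wild or (wild >= 2 and hops >= 2)

def scan(lines):
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and suspicious(m["arg"]):
            hits.append((m["client"], m["verb"], glob_cost(m["arg"])))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    "Jan  1 00:14:58 host ftpd[101]: 192.0.2.10 cmd LIST -l",
    "Jan  1 00:15:01 host ftpd[102]: 192.0.2.11 cmd NLST pub/*.tar.gz",
    "Jan  1 00:15:02 host ftpd[103]: 198.51.100.7 cmd LIST ../*/../*/../*/../*",
    "Jan  1 00:15:09 host ftpd[104]: 198.51.100.7 cmd NLST */*/*/*/*",
]

if __name__ == "__main__":
    for client, verb, (wild, hops) in scan(SAMPLE_LOG):
        print(client, verb, "wildcards:", wild, "parent hops:", hops)
```

The worst_case_paths bound shows why the load spikes: with 20 entries per directory, three wildcard segments already allow up to 8000 candidate paths, and each further segment multiplies that by 20.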
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 18:35:41 PDT