[ale] remote investigation

John Wells jwells at secureworks.com
Tue Sep 2 09:14:32 EDT 2003


-)netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0    2869      0      0      0    3229      2      0      0 BMRU
lo    16436   0    9196      0      0      0    9196      0      0      0 LRU

-----Original Message-----
From: matty91 at bellsouth.net [mailto:matty91 at bellsouth.net]
To: ale at ale.org
Sent: Tuesday, September 02, 2003 9:10 AM
To: 'ale at ale.org'
Subject: Re: [ale] remote investigation



On Tue, 2 Sep 2003, John Wells wrote:

> Guys,
>
> Came back from the Labor Day holiday and my mail server/web server is acting
> rather odd.
>
> Services respond rather slowly, and sometimes not at all.  When services
> stop responding, I can still hit the router, so I know it has to be the
> server itself.
>
> I'm currently logged in remotely and everything seems good, if not slow, but
> I expect it to freeze soon (it has a few times in the last hour or so).
> When it freezes, I can usually get a response after about 20 minutes or so.
>
> The odd thing is, when services do "freeze" up, I can still telnet to a port
> on the machine, like 25 for smtp, and get a connection.  However, the SMTP
> server fails to respond and I just sit there.
>
> I guess I'm kind of at a loss as to what sort of investigation I can do
> remotely.  I suppose the best way to see what's going on is to attempt to
> repeat the problem from home with a monitor connected and to see if it's
> actually doing anything during these timeouts, but I'd like to come home
> armed with any equipment that might be required.
>
> Anyone had a similar experience in the past?  Does this sound like a
> possible bad NIC/harddrive/etc?  My first thought was that the box may have
> been compromised, but it'd be a weird attack to let someone in every few
> minutes or so.  Netstat doesn't show anything unusual going on when I'm in,
> at least.
>
> Any tests I could run against NIC/harddrive/etc to check for malfunctioning
> hardware?

What does "netstat -i" show you? I believe there is an MII test utility
out in the wild. I don't recall the package name, but a google search ought
to turn it up.

>
> Thanks for humoring the grasping at straws.  I'm frustrated, and clear
> thought is not currently an option... ;-)
>
> John
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>

Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
Public Key: http://www.daemons.net/~matty/public_key.txt
Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF
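
Added example, not part of the original messages: a small shell/awk helper that reads a "netstat -i" table like the one posted above and totals the error, drop and overrun counters per interface. The function names and the ok/check label are assumptions made for this example; "check" only means at least one counter is non-zero.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `netstat -i` error counters.

# Constructed sample: the table from this message with wrapped lines rejoined.
sample_table() {
cat <<'EOF'
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0    2869      0      0      0    3229      2      0      0 BMRU
lo    16436   0    9196      0      0      0    9196      0      0      0 LRU
EOF
}

# iface_errors (hypothetical name): reads a `netstat -i` table on stdin and
# prints, per interface, the sum of ERR+DRP+OVR for each direction and its
# share of all frames counted in that direction. Columns are found by header
# name, so a table without the "Met" column parses the same way.
iface_errors() {
    awk '
    function pct(bad, ok) { return (bad + ok) ? 100 * bad / (bad + ok) : 0 }
    $1 == "Iface" {
        for (i = 1; i <= NF; i++) col[$i] = i
        ncols = NF
        # Refuse to guess if an expected counter column is missing.
        n = split("RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR", need, " ")
        for (i = 1; i <= n; i++) if (!(need[i] in col)) { bad_header = 1; exit }
        have_header = 1
        next
    }
    have_header && NF == ncols {
        rx = $(col["RX-ERR"]) + $(col["RX-DRP"]) + $(col["RX-OVR"])
        tx = $(col["TX-ERR"]) + $(col["TX-DRP"]) + $(col["TX-OVR"])
        printf "%s rx_bad=%d (%.2f%%) tx_bad=%d (%.2f%%) status=%s\n",
            $1, rx, pct(rx, $(col["RX-OK"])), tx, pct(tx, $(col["TX-OK"])),
            (rx + tx > 0 ? "check" : "ok")
    }
    END { if (bad_header) exit 2 }'
}

# Stand-alone run on the constructed sample.
sample_table | iface_errors
```

On a live host the same function takes the real table: netstat -i | iface_errors. Running it twice a few minutes apart shows whether the counters are still climbing.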