Tuesday, October 23, 2007
php5-imagick, Compromise (mebe not) & The Fly
So I had been running feisty for quite a while now with no issues of any of my code base on PHP5. And since Kev was working on some new OO code, we decided to up to PHP5 in order to benefit from the improved (well over 4 anyways) versions. Not to mention 4 is EOLd in Dec this year ... time to move on. That is 95% as easy as it should be on dapper, except there is no php5-imagick package in dapper. I decided to compile from source, but the resulting imagick.so would core dump apache at load. :( I bit the bullet and just did a double dist-upgrade to feisty, and had an available php5-imagick. Thom is happy again, now that he can manipulate his photo albums online. ;)
I had an interesting adventure a while back. In mid-days work, I got a message about a possible compromised box for a client of a client etc etc. So I got access to the box. All I knew was that they thought it was very "fishy". High CPU use, very sluggish. I downloaded a new chkrootkit from source, and everything cleared. I trusted my binaries, and started to look at some logs. Nothing strange. top shows high CPU percentage, and massive disk I/O wait. ps ax ... why are there all these sendmail processes?. /var/log/maillog ... shows very strange messages. They should not be repeated in public ;)
This is a box in non-production, and basically left alone since installation. The root email is aliased to an account called "admin". /var/spool/mail/admin was 2.0 GB! yup ... 2.0 GB. I guess the kernel was not compiled with LARGEFILE support, and sendmail cracked trying to deliver mail to the spool. Causes a mail to be generated to root, which could not be written to the spool, which generated a mail to root, which ... you get the picture. HAHAHA ... it made me laugh. I zapped the 120,000+ mqeue, and also zapped the spool file. The cause happened to be root crontab with 3 jobs running every minute, with no output suppression, generating emails every execution. That has since been fixed. not a compromise ... simply poor administration.
So I have a fly in my apartment. I will call him Charley. Charley is one of those "smart" flies that seems to disappear for hours, but pass right in front of your nose at the most inopportune of times. My smashing tube of rolled up paper sits by my side at all times. But Charley is onto my game, and rarely lands on any object suitable to be squished between with my smashing tube. I almost got him on 2 occasions, but he's really making use of his hundreds of eyes. I am not giving up though. The riders are still on their win streak, and how bout them Flyers ... 5-1 to start the season! I socialized slightly on the weekend, it was Kirsty T's B-Day, but I really hate Limerick's. I did make an appearance, and got my picture taken with the princess. It was worth it, but I must now re-emerge into the land of work. ΒΆ 6:02:00 PM
I had an interesting adventure a while back. In mid-days work, I got a message about a possible compromised box for a client of a client etc etc. So I got access to the box. All I knew was that they thought it was very "fishy". High CPU use, very sluggish. I downloaded a new chkrootkit from source, and everything cleared. I trusted my binaries, and started to look at some logs. Nothing strange. top shows high CPU percentage, and massive disk I/O wait. ps ax ... why are there all these sendmail processes?. /var/log/maillog ... shows very strange messages. They should not be repeated in public ;)
This is a box in non-production, and basically left alone since installation. The root email is aliased to an account called "admin". /var/spool/mail/admin was 2.0 GB! yup ... 2.0 GB. I guess the kernel was not compiled with LARGEFILE support, and sendmail cracked trying to deliver mail to the spool. Causes a mail to be generated to root, which could not be written to the spool, which generated a mail to root, which ... you get the picture. HAHAHA ... it made me laugh. I zapped the 120,000+ mqeue, and also zapped the spool file. The cause happened to be root crontab with 3 jobs running every minute, with no output suppression, generating emails every execution. That has since been fixed. not a compromise ... simply poor administration.
So I have a fly in my apartment. I will call him Charley. Charley is one of those "smart" flies that seems to disappear for hours, but pass right in front of your nose at the most inopportune of times. My smashing tube of rolled up paper sits by my side at all times. But Charley is onto my game, and rarely lands on any object suitable to be squished between with my smashing tube. I almost got him on 2 occasions, but he's really making use of his hundreds of eyes. I am not giving up though. The riders are still on their win streak, and how bout them Flyers ... 5-1 to start the season! I socialized slightly on the weekend, it was Kirsty T's B-Day, but I really hate Limerick's. I did make an appearance, and got my picture taken with the princess. It was worth it, but I must now re-emerge into the land of work. ΒΆ 6:02:00 PM
